From ed3531bc2ab90774fa23022ac5cc051135b3fc54 Mon Sep 17 00:00:00 2001 From: nlepagnez Date: Tue, 11 Jun 2024 16:56:48 +0200 Subject: [PATCH 01/19] Update New connectors --- .../ESI-ExchangeAdminAuditLogEvents.json | 12 +- ...Opt1ExchangeAdminAuditLogsByEventLogs.json | 220 +++++++++++++++++ .../ESI-Opt2ExchangeServersEventLogs.json | 216 +++++++++++++++++ ...t34DomainControllersSecurityEventLogs.json | 173 ++++++++++++++ .../ESI-Opt5ExchangeIISLogs.json | 218 +++++++++++++++++ .../ESI-Opt6ExchangeMessageTrackingLogs.json | 226 ++++++++++++++++++ .../ESI-Opt7ExchangeHTTPProxyLogs.json | 226 ++++++++++++++++++ .../Solution_MicrosoftExchangeSecurity.json | 10 +- .../ReleaseNotes.md | 1 + ...crosoftExchangeSecurityExchangeOnline.json | 1 - .../Parsers/MESCheckVIP.yaml | 29 --- .../Watchlists/ExchOnlineVIP.json | 2 +- 12 files changed, 1295 insertions(+), 39 deletions(-) create mode 100644 Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json create mode 100644 Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt2ExchangeServersEventLogs.json create mode 100644 Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt34DomainControllersSecurityEventLogs.json create mode 100644 Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt5ExchangeIISLogs.json create mode 100644 Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt6ExchangeMessageTrackingLogs.json create mode 100644 Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json delete mode 100644 Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckVIP.yaml 
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json
index a6dc0caac79..a1cbc52e73f 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json
@@ -1,6 +1,6 @@
 {
  "id": "ESI-ExchangeAdminAuditLogEvents",
- "title": "Microsoft Exchange Logs and Events",
+ "title": "[Deprecated] Microsoft Exchange Logs and Events",
  "publisher": "Microsoft",
  "descriptionMarkdown": "You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
  "graphQueries": [
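Review bot: The title now carries [Deprecated], but `descriptionMarkdown` on the next line is unchanged and still presents this connector as the way to stream Exchange audit, IIS, HTTP Proxy and Security Event logs, with no pointer to the per-option connectors this same patch adds (ESI-Opt1 through ESI-Opt7). A user who reaches this connector from the gallery gets no hint of what replaces it or why it is deprecated. Prefix the description with something like `"descriptionMarkdown": "**This connector is deprecated. Use the per-option connectors (Option 1 to Option 7) of the Microsoft Exchange Security - Exchange On-Premises solution instead.** You can stream all Exchange Audit events, …"`. The rest of the file, including instruction steps that still walk users through deploying this connector, lies outside this hunk.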
@@ -63,10 +63,10 @@
  {
  "type": "IsConnectedQuery",
  "value": [
- "Event | where EventLog == 'MSExchange Management' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7d)",
- "W3CIISLog | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7d)",
- "MessageTrackingLog_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7d)",
- "ExchangeHttpProxy_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7d)"
+ "Event | where EventLog == 'MSExchange Management' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(1h)",
+ "W3CIISLog | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(1h)",
+ "MessageTrackingLog_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(1h)",
+ "ExchangeHttpProxy_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(1h)"
  ]
  }
  ],
@@ -697,7 +697,7 @@
  "kind": "dataConnector",
  "source": {
  "kind": "solution",
- "name": "ESI - Exchange Security Configuration Analyzer"
+ "name": "Microsoft Exchange Security - Exchange On-Premises"
  },
  "support": {
  "name": "Community",
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json
new file mode 100644
index 00000000000..76971e742bf
--- /dev/null
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json
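Review bot: Tightening IsConnectedQuery from ago(7d) to ago(1h) makes the connector report disconnected after any hour without ingested rows, which is a problem for the first query: the 'MSExchange Management' event log only receives entries when an admin cmdlet runs, so a quiet hour on a correctly onboarded server flips the tile to "not connected" and an analyst may chase a collection failure that does not exist. The same ago(1h) window is used in the connectivityCriterias of the new ESI-Opt1, ESI-Opt2, ESI-Opt34 and ESI-Opt5 connectors later in this patch. Consider keeping a longer window for the low-volume Event source (for example `… | project IsConnected = LastLogReceived > ago(1d)`) and reserving 1h for continuous sources such as W3CIISLog, or note in the description why a one-hour gap is an acceptable signal.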
@@ -0,0 +1,220 @@
+{
+ "id": "ESI-Opt1ExchangeAdminAuditLogsByEventLogs",
+ "title": "Microsoft Exchange Admin Audit Logs by Event Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "You can stream all Exchange Audit events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "ExchangeAuditLogs",
+ "baseQuery": "Event | where EventLog == 'MSExchange Management'"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit logs",
+ "query": "Event | where EventLog == 'MSExchange Management' | sort by TimeGenerated"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Event",
+ "lastDataReceivedQuery": "Event | where EventLog == 'MSExchange Management' | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Event | where EventLog == 'MSExchange Management' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(1h)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "Parser deployment (When using Microsoft Exchange Security Solution, Parsers are automatically deployed)",
+ "instructionSteps": [
+ {
+ "title": "1. Download the Parser file",
+ "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)"
+ },
+ {
+ "title": "2. Create Parser **ExchangeAdminAuditLogs** function",
+ "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer"
+ },
+ {
+ "title": "3. Save Parser **ExchangeAdminAuditLogs** function",
+ "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the option 1 of the wiki."
+ },
+ {
+ "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel",
+ "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Deploy Monitor Agents",
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "Select which agent you want to install in your servers to collect logs:",
+ "instructionSteps": [
+ {
+ "title": "[Prefered] Azure Monitor Agent via Azure Arc",
+ "description": "**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "title": "Install Azure Log Analytics Agent (Deprecated on 31/08/2024)",
+ "description": "1. Download the Azure Log Analytics Agent and choose the deployment method in the below link.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "InstallAgentOnNonAzure"
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "[Option 1] MS Exchange Management Log collection",
+ "description": "Select how to stream MS Exchange Admin Audit event logs",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "MS Exchange Admin Audit event logs",
+ "instructionSteps": [
+ {
+ "title": "Data Collection Rules - When Azure Monitor Agent is used",
+ "description": "**Enable data collection rule**\n> Microsoft Exchange Admin Audit Events logs are collected only from **Windows** agents.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template",
+ "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption1-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Automation",
+ "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCR, Type Event log",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MS Exchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Assign the DCR to all Exchange Servers",
+ "description": "Add all your Exchange Servers to the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used",
+ "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MS Exchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "OpenSyslogSettings"
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ],
+ "metadata": {
+ "id": "dfa2e270-b24f-4d76-b9a5-cd4a878596bf",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt2ExchangeServersEventLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt2ExchangeServersEventLogs.json
new file mode 100644
index 00000000000..5226451600e
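Review bot: The `Microsoft.OperationalInsights/workspaces` entry under `permissions.resourceProvider` declares `"delete": true` in `requiredPermissions` while its `permissionsDisplayText` promises only "read and write permissions.", so the connector page asks the operator for more privilege than the text admits, and more than a log-collection connector visibly needs. The identical block is copied into the ESI-Opt2, ESI-Opt34 and ESI-Opt5 hunks that follow. If delete is never exercised, drop that line (leaving `"write": true` as the last entry of the object); if it is, state it in the display text so a least-privilege review is honest. Separately, the legacy-agent step ends with `"linkType": "OpenSyslogSettings"` although the step text describes the Windows Event logs page; this is presumably inherited from the deprecated connector and worth confirming it opens the intended settings blade.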
--- /dev/null
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt2ExchangeServersEventLogs.json
@@ -0,0 +1,216 @@
+{
+ "id": "ESI-Opt2ExchangeServersEventLogs",
+ "title": "Microsoft Exchange Logs and Events",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "You can stream all Exchange Security & Application Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Exchange Eventlogs",
+ "baseQuery": "Event | where EventLog == 'Application'"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit logs",
+ "query": "Event | where EventLog == 'Application' | sort by TimeGenerated"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Event",
+ "lastDataReceivedQuery": "Event | where EventLog == 'Application' | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Event | where EventLog == 'Application' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(1h)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the option 2 of the wiki."
+ },
+ {
+ "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel",
+ "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Deploy Monitor Agents",
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "Select which agent you want to install in your servers to collect logs:",
+ "instructionSteps": [
+ {
+ "title": "[Prefered] Azure Monitor Agent via Azure Arc",
+ "description": "**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "title": "Install Azure Log Analytics Agent (Deprecated on 31/08/2024)",
+ "description": "1. Download the Azure Log Analytics Agent and choose the deployment method in the below link.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "InstallAgentOnNonAzure"
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "[Option 2] Security/Application/System logs of Exchange Servers",
+ "description": "Select how to stream Security/Application/System logs of Exchange Servers",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "Security Event log collection",
+ "instructionSteps": [
+ {
+ "title": "Data Collection Rules - Security Event logs",
+ "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add Exchange Servers on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. Please select 'Common' or 'All Security Events' on DCR definition.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "OpenCreateDataCollectionRule",
+ "dataCollectionRuleType": 0
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ },
+ {
+ "parameters": {
+ "title": "Application and System Event log collection",
+ "instructionSteps": [
+ {
+ "title": "Data Collection Rules - When Azure Monitor Agent is used",
+ "description": "**Enable data collection rule**\n> Application and System Events logs are collected only from **Windows** agents.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template",
+ "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption2-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Automation",
+ "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCR, Type Event log",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Basic' option.\n6. For Application, select 'Critical', 'Error' and 'Warning'. For System, select Critical/Error/Warning/Information. \n7. 'Make other preferable configuration changes', if needed, then click **Create**."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Assign the DCR to all Exchange Servers",
+ "description": "Add all your Exchange Servers to the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used",
+ "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Windows Event logs**.\n2. Click **Add Windows event log** and search **Application** as log name.\n3. Click **Add Windows event log** and search **System** as log name.\n4. Collect Error (for all), Warning (for all) and Information (for System) types\n5. Click **Save**.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "OpenSyslogSettings"
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ],
+ "metadata": {
+ "id": "22e0234b-278d-40f4-8be8-c2968faeaf91",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ }
+}
\ No newline at end of file
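Review bot: `dataTypes`, `graphQueries` and the IsConnectedQuery in this file all look only at `Event | where EventLog == 'Application'`, yet the instruction steps in the same file set up collection of Security, Application and System logs, and the Security DCR step presumably lands rows in the SecurityEvent table that the ESI-Opt34 connector queries for the same kind of data. A broken Security or System collection is therefore invisible on this connector's status tile, and the Security stream is the one a defender most needs to notice missing. Separately, the title "Microsoft Exchange Logs and Events" is exactly the title the now-deprecated ESI-ExchangeAdminAuditLogEvents connector carried, and the sample query is labelled "All Audit logs" although it returns Application events; a title such as `"title": "Microsoft Exchange Servers Event Logs"` and a label like "All Application event logs" would keep the gallery unambiguous. Add the other streams to dataTypes and widen the connectivity query along these lines:
```json
"dataTypes": [
  {
    "name": "Event",
    "lastDataReceivedQuery": "Event | where EventLog in ('Application', 'System') | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
  },
  {
    "name": "SecurityEvent",
    "lastDataReceivedQuery": "SecurityEvent | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
  }
],
```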
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt34DomainControllersSecurityEventLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt34DomainControllersSecurityEventLogs.json
new file mode 100644
index 00000000000..3981ed1acf6
--- /dev/null
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt34DomainControllersSecurityEventLogs.json
@@ -0,0 +1,173 @@
+{
+ "id": "ESI-Opt34DomainControllersSecurityEventLogs",
+ "title": "Microsoft Active-Directory Domain Controllers Security Event Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "You can stream a part or all Domain Controllers Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Domain Controllers Security Logs",
+ "baseQuery": "SecurityEvent"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit logs",
+ "query": "SecurityEvent | sort by TimeGenerated"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "SecurityEvent",
+ "lastDataReceivedQuery": "SecurityEvent | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "SecurityEvent | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(1h)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the option 3 and 4 of the wiki."
+ },
+ {
+ "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel",
+ "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Deploy Monitor Agents",
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "Select which agent you want to install in your servers to collect logs:",
+ "instructionSteps": [
+ {
+ "title": "[Prefered] Azure Monitor Agent via Azure Arc",
+ "description": "**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "title": "Install Azure Log Analytics Agent (Deprecated on 31/08/2024)",
+ "description": "1. Download the Azure Log Analytics Agent and choose the deployment method in the below link.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "InstallAgentOnNonAzure"
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Security logs of Domain Controllers",
+ "description": "Select how to stream Security logs of Domain Controllers. If you want to implement Option 3, you just need to select DC on same site as Exchange Servers. If you want to implement Option 4, you can select all DCs of your forest.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "[Option 3] List only Domain Controllers on the same site as Exchange Servers for next step",
+ "description": "**This limits the quantity of data injested but some incident can't be detected.**"
+ },
+ {
+ "title": "[Option 4] List all Domain Controllers of your Active-Directory Forest for next step",
+ "description": "**This allows collecting all security events**"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ },
+ {
+ "parameters": {
+ "title": "Security Event log collection",
+ "instructionSteps": [
+ {
+ "title": "Data Collection Rules - Security Event logs",
+ "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add chosen DCs on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. Please select 'Common' or 'All Security Events' on DCR definition.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "OpenCreateDataCollectionRule",
+ "dataCollectionRuleType": 0
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ],
+ "metadata": {
+ "id": "036e16af-5a27-465a-8662-b7ac385a8d45",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt5ExchangeIISLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt5ExchangeIISLogs.json
new file mode 100644
index 00000000000..a782328e3dc
--- /dev/null
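Review bot: Every query in this connector (`baseQuery`, `lastDataReceivedQuery` and the IsConnectedQuery) reads the whole SecurityEvent table with no restriction on the sending computers, so any Security events already in the workspace — including the ones the ESI-Opt2 connector in this same patch collects from the Exchange servers themselves — make this connector show as connected and count toward "Total data received" even when no domain controller is sending at all. An operator trusting the status tile would not notice that DC coverage, which is the whole point of Options 3 and 4, has silently stopped. If the chosen DC set cannot be expressed in the query, at least state in `descriptionMarkdown` that the status is shared with every other SecurityEvent source; a narrower query would filter on `Computer` for the DCs selected in the step above. The user-facing strings also deserve a pass: "injested" here, and "Prefered" and "independant" repeated in the ESI-Opt1, ESI-Opt2 and ESI-Opt5 hunks, are misspelt, and "Each options are independant for one from the other" is hard to read.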
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt5ExchangeIISLogs.json 
@@ -0,0 +1,218 @@ +{ + "id": "ESI-Opt5ExchangeIISLogs", + "title": "IIS Logs of Microsoft Exchange Servers", + "publisher": "Microsoft", + "descriptionMarkdown": "You can stream all IIS Logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange IIS logs", + "baseQuery": "W3CIISLog" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "W3CIISLog | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "W3CIISLog", + "lastDataReceivedQuery": "W3CIISLog | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "W3CIISLog | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(1h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the option 5 of the wiki." + }, + { + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel", + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers", + "instructions": [ + { + "parameters": { + "title": "Select which agent you want to install in your servers to collect logs:", + "instructionSteps": [ + { + "title": "[Prefered] Azure Monitor Agent via Azure Arc", + "description": "**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "title": "Install Azure Log Analytics Agent (Deprecated on 31/08/2024)", + "description": "1. 
Download the Azure Log Analytics Agent and choose the deployment method in the below link.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnNonAzure" + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "IIS logs of Exchange Servers", + "description": "Select how to stream IIS logs of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Data Collection Rules - When Azure Monitor Agent is used", + "description": "**Enable data collection rule**\n> IIS logs are collected only from **Windows** agents.", + "instructions": [ + { + "type": "AdminAuditEvents" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption5-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create DCR, Type IIS log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. Select the created DCE. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'IIS logs' (Do not enter a path if IIS Logs path is configured by default). Click on 'Add data source'\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used", + "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. 
Under workspace advanced settings **Configuration**, select **Data** and then **IIS Logs**.\n2. Check **Collect W3C format IIS log files**\n5. Click **Save**.", + "instructions": [ + { + "parameters": { + "linkType": "OpenSyslogSettings" + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "metadata": { + "id": "4b1075ed-80f5-4930-bfe1-877e86b48dc1", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } +} \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt6ExchangeMessageTrackingLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt6ExchangeMessageTrackingLogs.json new file mode 100644 index 00000000000..40403c05971 --- /dev/null +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt6ExchangeMessageTrackingLogs.json 
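Review bot: The workspace `requiredPermissions` block asks for `"delete": true` while its `permissionsDisplayText` promises only "read and write permissions."; if this connector never deletes workspace resources, drop `"delete": true`, otherwise say so in the display text so operators are not told to grant less than the definition actually demands. The same permissions block is repeated in the Opt6 and Opt7 connectors below. The `sampleQueries` entry labels `W3CIISLog | sort by TimeGenerated` as "All Audit logs"; `"description": "All IIS logs"` matches the table it queries. The bare `{ "type": "AdminAuditEvents" }` instruction under "Data Collection Rules - When Azure Monitor Agent is used" reads as a carry-over from the admin-audit connector, and the legacy-agent step still opens with "Configure the Events you want to collect and their severities." although IIS logs have no severity — both look worth confirming for an IIS-only connector.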
@@ -0,0 +1,226 @@ +{ + "id": "ESI-Opt6ExchangeMessageTrackingLogs", + "title": "Microsoft Exchange Logs and Events", + "publisher": "Microsoft", + "descriptionMarkdown": "You can stream all Exchange Message Tracking from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. Those logs can be used to track the flow of messages in your Exchange environment. This data connector is based on the option 6 of the [Microsoft Exchange Security wiki](https://aka.ms/ESI_DataConnectorOptions).", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange Message Tracking logs", + "baseQuery": "MessageTrackingLog_CL" + } + ], + "sampleQueries": [ + { + "description": "Exchange Message Tracking logs", + "query": "MessageTrackingLog_CL | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "MessageTrackingLog_CL", + "lastDataReceivedQuery": "MessageTrackingLog_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "MessageTrackingLog_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(1h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the option 6 of the wiki." + }, + { + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel", + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers", + "instructions": [ + { + "parameters": { + "title": "Select which agent you want to install in your servers to collect logs:", + "instructionSteps": [ + { + "title": "[Prefered] Azure Monitor Agent via Azure Arc", + "description": "**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "title": "Install Azure Log Analytics Agent (Deprecated on 31/08/2024)", + "description": "1. Download the Azure Log Analytics Agent and choose the deployment method in the below link.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnNonAzure" + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Message Tracking of Exchange Servers", + "description": "Select how to stream Message Tracking of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Data Collection Rules - When Azure Monitor Agent is used", + "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "text": "**Attention**, Custom logs in Monitor Agent is in Preview. 
The deployment doesn't work as expected for the moment (March 2023).", + "inline": false + }, + "type": "InfoMessage" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule and Custom Table", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption6-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. 
In the **Basics** tab, fill the required fields and give a name to the DCE, like ESI-ExchangeServers. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create Custom DCR Table", + "description": "1. Download the Example file from [Microsoft Sentinel GitHub](https://aka.ms/Sentinel-Sample-ESI-MessageTrackingExampleFile).\n2. From the Azure Portal, navigate to [Workspace Analytics](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.OperationalInsights%2Fworkspaces) and select your target Workspace.\n3. Click in 'Tables', click **+ Create** at the top and select **New Custom log (DCR-Based)**.\n4. In the **Basics** tab, enter **MessageTrackingLog** on the Table name, create a Data Collection rule with the name **DCR-Option6-MessageTrackingLogs** (for example) and select the previously created Data collection Endpoint.\n5. In the **Schema and Transformation** tab, choose the downloaded sample file and click on **Transformation Editor**.\n6. 
In the transformation field, enter the following KQL request :\n*source\n| extend TimeGenerated = todatetime(['date-time'])\n| extend\n clientHostname = ['client-hostname'],\n clientIP = ['client-ip'],\n connectorId = ['connector-id'],\n customData = ['custom-data'],\n eventId = ['event-id'],\n internalMessageId = ['internal-message-id'],\n logId = ['log-id'],\n messageId = ['message-id'],\n messageInfo = ['message-info'],\n messageSubject = ['message-subject'],\n networkMessageId = ['network-message-id'],\n originalClientIp = ['original-client-ip'],\n originalServerIp = ['original-server-ip'],\n recipientAddress= ['recipient-address'],\n recipientCount= ['recipient-count'],\n recipientStatus= ['recipient-status'],\n relatedRecipientAddress= ['related-recipient-address'],\n returnPath= ['return-path'],\n senderAddress= ['sender-address'],\n senderHostname= ['server-hostname'],\n serverIp= ['server-ip'],\n sourceContext= ['source-context'],\n schemaVersion=['schema-version'],\n messageTrackingTenantId = ['tenant-id'],\n totalBytes = ['total-bytes'],\n transportTrafficType = ['transport-traffic-type']\n| project-away\n ['client-ip'],\n ['client-hostname'],\n ['connector-id'],\n ['custom-data'],\n ['date-time'],\n ['event-id'],\n ['internal-message-id'],\n ['log-id'],\n ['message-id'],\n ['message-info'],\n ['message-subject'],\n ['network-message-id'],\n ['original-client-ip'],\n ['original-server-ip'],\n ['recipient-address'],\n ['recipient-count'],\n ['recipient-status'],\n ['related-recipient-address'],\n ['return-path'],\n ['sender-address'],\n ['server-hostname'],\n ['server-ip'],\n ['source-context'],\n ['schema-version'],\n ['tenant-id'],\n ['total-bytes'],\n ['transport-traffic-type']*\n\n8. Click 'Run' and after 'Apply'.\n9. Click **Next**, then click **Create**." + }, + { + "title": "C. Modify the created DCR, Type Custom log", + "description": "1. 
From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Select the previously created DCR, like **DCR-Option6-MessageTrackingLogs**.\n3. In the **Resources** tab, enter you Exchange Servers.\n4. In **Data Sources**, add a Data Source type 'Custom Text logs' and enter 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\*.log' in file pattern, 'MessageTrackingLog_CL' in Table Name.\n6.in Transform field, enter the following KQL request :\n*source\n| extend TimeGenerated = todatetime(['date-time'])\n| extend\n clientHostname = ['client-hostname'],\n clientIP = ['client-ip'],\n connectorId = ['connector-id'],\n customData = ['custom-data'],\n eventId = ['event-id'],\n internalMessageId = ['internal-message-id'],\n logId = ['log-id'],\n messageId = ['message-id'],\n messageInfo = ['message-info'],\n messageSubject = ['message-subject'],\n networkMessageId = ['network-message-id'],\n originalClientIp = ['original-client-ip'],\n originalServerIp = ['original-server-ip'],\n recipientAddress= ['recipient-address'],\n recipientCount= ['recipient-count'],\n recipientStatus= ['recipient-status'],\n relatedRecipientAddress= ['related-recipient-address'],\n returnPath= ['return-path'],\n senderAddress= ['sender-address'],\n senderHostname= ['server-hostname'],\n serverIp= ['server-ip'],\n sourceContext= ['source-context'],\n schemaVersion=['schema-version'],\n messageTrackingTenantId = ['tenant-id'],\n totalBytes = ['total-bytes'],\n transportTrafficType = ['transport-traffic-type']\n| project-away\n ['client-ip'],\n ['client-hostname'],\n ['connector-id'],\n ['custom-data'],\n ['date-time'],\n ['event-id'],\n ['internal-message-id'],\n ['log-id'],\n ['message-id'],\n ['message-info'],\n ['message-subject'],\n ['network-message-id'],\n ['original-client-ip'],\n ['original-server-ip'],\n ['recipient-address'],\n 
['recipient-count'],\n ['recipient-status'],\n ['related-recipient-address'],\n ['return-path'],\n ['sender-address'],\n ['server-hostname'],\n ['server-ip'],\n ['source-context'],\n ['schema-version'],\n ['tenant-id'],\n ['total-bytes'],\n ['transport-traffic-type']* \n7. Click on 'Add data source'." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used", + "description": "**Configure the logs to be collected**\n\n1. Under workspace **Settings** part, select **Tables**, click **+ Create** and click on **New custom log (MMA-Based)**.\n2. Select Sample file **[MessageTracking Sample](https://aka.ms/Sentinel-Sample-ESI-MessageTrackingLogsSampleCSV)** and click Next\n3. Select type **Windows** and enter the path **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\*.log**. Click Next.\n4. Enter **MessageTrackingLog** as Table name and click Next.\n5. Click **Save**.", + "instructions": [ + { + "parameters": { + "linkType": "OpenSyslogSettings" + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "metadata": { + "id": "ababbb06-b977-4259-ab76-87874d353039", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } +} \ No newline at end of file 
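Review bot: `"title": "Microsoft Exchange Logs and Events"` is the exact title this patch marks deprecated on ESI-ExchangeAdminAuditLogEvents and is reused by the Opt7 connector, so three gallery entries become indistinguishable by name; `"title": "Message Tracking Logs of Microsoft Exchange Servers"` would follow the pattern Opt5 uses ("IIS Logs of Microsoft Exchange Servers"). In both transformation KQL blocks (custom-table step B and DCR step C) the line `senderHostname= ['server-hostname']` maps the server hostname column to a sender-named field; if downstream parsers do not already depend on `senderHostname`, `serverHostname = ['server-hostname']` is the mapping the column name suggests, otherwise the mismatch deserves a sentence in the step text. Step C's numbering runs "4." then "6.in Transform field" with no step 5, and step B jumps from 6 to 8. The InfoMessage warns that custom logs in Azure Monitor Agent "doesn't work as expected for the moment (March 2023)"; confirm that statement still holds before shipping, and refresh or remove it.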
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json
new file mode 100644
index 00000000000..a7afd35e292
--- /dev/null
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json
@@ -0,0 +1,226 @@ +{ + "id": "ESI-Opt7ExchangeHTTPProxyLogs", + "title": "Microsoft Exchange Logs and Events", + "publisher": "Microsoft", + "descriptionMarkdown": "You can stream HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you create custom alerts, and improve investigation. [Learn more](https://aka.ms/ESI_DataConnectorOptions)", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange HTTPProxy logs", + "baseQuery": "ExchangeHttpProxy_CL" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "ExchangeHttpProxy_CL | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "ExchangeHttpProxy_CL", + "lastDataReceivedQuery": "ExchangeHttpProxy_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ExchangeHttpProxy_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(1h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the option 7 of the wiki." + }, + { + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel", + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers", + "instructions": [ + { + "parameters": { + "title": "Select which agent you want to install in your servers to collect logs:", + "instructionSteps": [ + { + "title": "[Prefered] Azure Monitor Agent via Azure Arc", + "description": "**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "title": "Install Azure Log Analytics Agent (Deprecated on 31/08/2024)", + "description": "1. Download the Azure Log Analytics Agent and choose the deployment method in the below link.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnNonAzure" + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "[Option 7] HTTP Proxy of Exchange Servers", + "description": "Select how to stream HTTP Proxy of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Data Collection Rules - When Azure Monitor Agent is used", + "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "text": "**Attention**, Custom logs in Monitor Agent is in Preview. 
The deployment doesn't work as expected for the moment (March 2023).", + "inline": false + }, + "type": "InfoMessage" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption7-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 
'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create Custom DCR Table", + "description": "1. Download the Example file from [Microsoft Sentinel GitHub](https://aka.ms/Sentinel-Sample-ESI-HTTPProxyExampleFile).\n2. From the Azure Portal, navigate to [Workspace Analytics](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.OperationalInsights%2Fworkspaces) and select your target Workspace.\n3. Click in 'Tables', click **+ Create** at the top and select **New Custom log (DCR-Based)**.\n4. In the **Basics** tab, enter **ExchangeHttpProxy** on the Table name, create a Data Collection rule with the name **DCR-Option7-HTTPProxyLogs** (for example) and select the previously created Data collection Endpoint.\n5. In the **Schema and Transformation** tab, choose the downloaded sample file and click on **Transformation Editor**.\n6. In the transformation field, enter the following KQL request :\n*source\n| extend TimeGenerated = todatetime(DateTime)\n| project-away DateTime\n*\n\n8. Click 'Run' and after 'Apply'.\n9. Click **Next**, then click **Create**." + }, + { + "title": "C. Modify the created DCR, Type Custom log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Select the previously created DCR, like **DCR-Option7-HTTPProxyLogs**.\n3. In the **Resources** tab, enter you Exchange Servers.\n4. In **Data Sources**, add a Data Source type 'Custom Text logs' and enter 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Autodiscover\\*.log' in file pattern, 'ExchangeHttpProxy_CL' in Table Name.\n6.in Transform field, enter the following KQL request :\n*source\n| extend TimeGenerated = todatetime(DateTime)\n| project-away DateTime* \n7. Click on 'Add data source'." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used", + "description": "**Configure the logs to be collected**\n\n1. Under workspace **Settings** part, select **Tables**, click **+ Create** and click on **New custom log (MMA-Based)**.\n2. Select Sample file **[MessageTracking Sample](https://aka.ms/Sentinel-Sample-ESI-HttpProxySampleCSV)** and click Next\n3. Select type **Windows** and enter all the following paths **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Autodiscover\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Eas\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ecp\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ews\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Mapi\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Oab\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Owa\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\OwaCalendar\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\PowerShell\\*.log** and **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\RpcHttp\\*.log** . Click Next.\n4. Enter **ExchangeHttpProxy** as Table name and click Next.\n5. 
Click **Save**.", + "instructions": [ + { + "parameters": { + "linkType": "OpenSyslogSettings" + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "metadata": { + "id": "2e63ad0e-84e3-4f01-b210-9db0bc42b8ff", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } +} \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data/Solution_MicrosoftExchangeSecurity.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data/Solution_MicrosoftExchangeSecurity.json index 1dbc9c7c91f..178680a6cc4 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data/Solution_MicrosoftExchangeSecurity.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data/Solution_MicrosoftExchangeSecurity.json 
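Review bot: The manual DCR step C sets the file pattern to only `'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Autodiscover\\*.log'`, whereas the legacy-agent step lists ten HttpProxy subfolders (Eas, Ecp, Ews, Mapi, Oab, Owa, OwaCalendar, PowerShell and RpcHttp as well); a DCR built from step C collects Autodiscover proxy logs only, so the other protocol directories should be added as file patterns, or the step should state why they are excluded. The description says the connector streams "HTTP Proxy logs and Security Event logs", yet the only table the definition references is ExchangeHttpProxy_CL; `"descriptionMarkdown": "You can stream HTTP Proxy logs from the Windows machines ..."` matches what it does. The AMA step's note "Message Tracking are collected only from **Windows** agents" and the legacy sample-file label "[MessageTracking Sample]" (which points at the HttpProxy CSV) are carried over from the message-tracking connector and should read HTTP Proxy.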
@@ -5,7 +5,13 @@
 "Description": "The Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Windows Event logs collection, including MS Exchange Management Event logs](https://learn.microsoft.com/azure/azure-monitor/agents/data-sources-windows-events)\n\nb. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)",
 "Data Connectors": [
 "Data Connectors/ESI-ExchangeAdminAuditLogEvents.json",
- "Data Connectors/ESI-ExchangeOnPremisesCollector.json"
+ "Data Connectors/ESI-ExchangeOnPremisesCollector.json",
+ "Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json",
+ "Data Connectors/ESI-Opt2ExchangeServersEventLogs.json",
+ "Data Connectors/ESI-Opt34DomainControllersSecurityEventLogs.json",
+ "Data Connectors/ESI-Opt5ExchangeIISLogs.json",
+ "Data Connectors/ESI-Opt6ExchangeMessageTrackingLogs.json",
+ "Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json"
 ],
 "Parsers": [
 "Parsers/ExchangeAdminAuditLogs.yaml",
@@ -28,7 +34,7 @@
 "Watchlists/ExchangeVIP.json"
 ],
 "BasePath": "C:\\Git Repositories\\Azure-Sentinel\\Solutions\\Microsoft Exchange Security - Exchange On-Premises\\",
- "Version": "3.1.2",
+ "Version": "3.2.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md b/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md
index 879e209f61b..10465e342bf 100644
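Review bot: The rebuilt "Data Connectors" list keeps `"Data Connectors/ESI-ExchangeAdminAuditLogEvents.json"` as its first entry even though this same patch retitles that connector "[Deprecated]" and adds the six ESI-Opt replacements, so a fresh install of 3.2.0 still deploys the deprecated connector beside the new ones. If it is kept on purpose so existing deployments are not broken, that rationale belongs in the 3.2.0 line of ReleaseNotes.md, since the JSON has nowhere to carry a comment; otherwise the entry should be removed here. The unchanged "Description" above the list still names only Windows event-log collection and the Data Collector REST API as the underlying technologies, while the Opt connectors added in this patch appear to be DCR-based (the Opt7 instruction steps talk about assigning a DCR), so that text is also worth refreshing in the same version bump.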
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.2.0 | 09-04-2024 | Explode "ExchangeAdminAuditLogEvents" dataconnector to multiple simplier dataconnectors |
 | 3.1.2 | 20-02-2024 | Correct DataConnector last Log indicator and IsConnected queries |
 | 3.1.1 | 18-12-2023 | Update Parsers parameters |
 | 3.1.0 | 01-11-2023 | Added **Watchlist** to track activities on VIPs' Mailboxes. Change ExchangeAuditLog parser to work without watchlist and searching all type of VIP information |
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json b/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json
index 554749ed90d..42b79a19aeb 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json
@@ -9,7 +9,6 @@
 "Parsers": [
 "Parsers/ExchangeConfiguration.yaml",
 "Parsers/ExchangeEnvironmentList.yaml",
- "Parsers/MESCheckVIP.yaml",
 "Parsers/MESCheckOnlineVIP.yaml",
 "Parsers/MESCompareDataMRA.yaml",
 "Parsers/MESOfficeActivityLogs.yaml"
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckVIP.yaml b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckVIP.yaml
deleted file mode 100644
index 701b9dbffbd..00000000000
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckVIP.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-id: 9f0e2122-f511-4e51-83a0-51fbd86d3121
-Function:
- Title: Parser for VIP Check for Exchange
- Version: '1.0.0'
- LastUpdated: '2023-11-01'
-Category: Microsoft Sentinel Parser
-FunctionName: MESCheckVIP
-FunctionAlias: MESCheckVIP
-FunctionParams:
- - Name: UserToCheck
- Type: string
- Description: The user to verifiy if is a VIP or not. Default value is "all".
- DefaultValue: 'All'
-FunctionQuery: |
- //let UserToCheck = "SampleEntry";
- let _UserToCheck = iif(UserToCheck == "" or UserToCheck == "All","All",tolower(UserToCheck));
- let fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [
- "NONE","NONE","NONE","NONE","00000001-0000-1000-0000-100000000000","NONE","NONE"];
- let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != "00000001-0000-1000-0000-100000000000" | project-away TableName;
- let SearchUser = Watchlist | where _UserToCheck =~ canonicalName
- or _UserToCheck =~ displayName
- or _UserToCheck =~ userPrincipalName
- or _UserToCheck =~ sAMAccountName
- or _UserToCheck =~ objectSID
- or _UserToCheck == tostring(objectGUID)
- or _UserToCheck =~ distinguishedName
- or _UserToCheck == "All"
- | extend ValueChecked = iif(_UserToCheck=="All",strcat("#",displayName,"#",userPrincipalName,"#",sAMAccountName,"#",objectGUID,"#",objectSID,"#",distinguishedName,"#"),_UserToCheck);
- SearchUser
\ No newline at end of file
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Watchlists/ExchOnlineVIP.json b/Solutions/Microsoft Exchange Security - Exchange Online/Watchlists/ExchOnlineVIP.json
index 009bfe4854f..8583ccf670f 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Watchlists/ExchOnlineVIP.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Watchlists/ExchOnlineVIP.json
@@ -23,7 +23,7 @@
 "defaultDuration": "P1000Y",
 "contentType": "Text/Csv",
 "numberOfLinesToSkip": 0,
- "itemsSearchKey": "userPrincipalName",
+ "itemsSearchKey": "sAMAccountName",
 "rawContent": "displayName,sAMAccountName,userPrincipalName,comment\r\n\"2016DB1 User1\",\"2016DB1-User1\",\"2016DB1-User1@MyCompany.com\",\r\n"
 },
 "apiVersion": "2021-03-01-preview"
From 134c2148be4dd923a9c8aa230c1eb82b9f39f79c Mon Sep 17 00:00:00 2001
From: nlepagnez
Date: Wed, 21 Aug 2024 11:02:54 +0200
Subject: [PATCH 02/19] Update data connectors correcting a display bug on Last Received data
---
 .../Data Connectors/ESI-ExchangeOnPremisesCollector.json | 2 +-
 .../Data Connectors/ESI-ExchangeOnlineCollector.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeOnPremisesCollector.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeOnPremisesCollector.json
index e0e77f3667a..8366e661fce 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeOnPremisesCollector.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeOnPremisesCollector.json
@@ -19,7 +19,7 @@
 "dataTypes": [
 {
 "name": "ESIExchangeConfig_CL",
- "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)"
+ "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time"
 }
 ],
 "connectivityCriterias": [
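Review bot: `"itemsSearchKey": "sAMAccountName"` changes the column the watchlist is keyed on, and nothing in this commit updates an Exchange Online parser to match — the diffstat touches only this watchlist, the Online solution manifest and the deleted MESCheckVIP.yaml — so any consumer that looks VIP rows up by the search key now gets an on-premises account name that cloud-only mailboxes may not carry; please confirm the consumers before merging. The change is also unrecorded: only the On-Premises ReleaseNotes.md gets an entry, so a one-line note for the Online solution saying why the key moved from `userPrincipalName` would help the next maintainer. The sample row in `rawContent` still has both columns populated, so the file itself stays consistent.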
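Review bot: The appended `| where isnotempty(Time) |summarize Time = max(Time) | project Time` yields the single value the Last-Received display needs, but it leaves the preceding `summarize ... by GenerationInstanceID_g, ESIEnvironment_s` and the `isnotempty` filter as dead weight: `max()` ignores nulls and the maximum of per-group maxima is the overall maximum, so as far as I can tell `ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) | project Time` returns the same row and reads better (it also removes the missing space in `|summarize`). The identical pattern is in the ESIExchangeOnlineConfig_CL hunk of ESI-ExchangeOnlineCollector.json in this same patch, so simplify both together.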
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/ESI-ExchangeOnlineCollector.json b/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/ESI-ExchangeOnlineCollector.json
index e223a7bcfee..244f91c89db 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/ESI-ExchangeOnlineCollector.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/ESI-ExchangeOnlineCollector.json
@@ -19,7 +19,7 @@
 "dataTypes": [
 {
 "name": "ESIExchangeOnlineConfig_CL",
- "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)"
+ "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time"
 }
 ],
 "connectivityCriterias": [
From 975d16e9442daa9fe490df67b0f23a304244a9f5 Mon Sep 17 00:00:00 2001
From: nlepagnez
Date: Wed, 21 Aug 2024 15:46:00 +0200
Subject: [PATCH 03/19] Correct a bug in Option1 Data connectors and DCR
---
 .../Data Connectors/ESI-ExchangeAdminAuditLogEvents.json | 4 ++--
 .../ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json | 4 ++--
 .../azuredeploy_ESI_DCR_Option1MSExchangeAuditLogs.json | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json
index 379bf159489..b8d523e1b9f 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json
@@ -209,7 +209,7 @@
 "instructionSteps": [
 {
 "title": "A. Create DCR, Type Event log",
- "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MS Exchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**."
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**."
 }
 ]
 },
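Review bot: The rewritten `description` string still carries the typo "In the **Resources** tab, enter you Exchange Servers" — it should read `enter your Exchange Servers` — and since the whole line is replaced for the channel-name fix, this is the moment to correct it. The same wording is in the matching hunk of ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json (@@ -163) in this patch. The corrected channel name `MSExchange Management` now agrees with the `EventLog == 'MSExchange Management'` filter of the Opt1 IsConnectedQuery and with the DCR xPath fix in azuredeploy_ESI_DCR_Option1MSExchangeAuditLogs.json, which is what the patch sets out to do.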
@@ -229,7 +229,7 @@
 },
 {
 "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used",
- "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MS Exchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
+ "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MSExchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
 "instructions": [
 {
 "parameters": {
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json
index 76971e742bf..31fa8e99219 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json
@@ -163,7 +163,7 @@
 "instructionSteps": [
 {
 "title": "A. Create DCR, Type Event log",
- "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MS Exchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**."
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**."
 }
 ]
 },
@@ -183,7 +183,7 @@
 },
 {
 "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used",
- "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MS Exchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
+ "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MSExchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
 "instructions": [
 {
 "parameters": {
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option1MSExchangeAuditLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option1MSExchangeAuditLogs.json
index 05dfdbb655e..4d403b5d5be 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option1MSExchangeAuditLogs.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option1MSExchangeAuditLogs.json
@@ -43,7 +43,7 @@
 "Microsoft-Event"
 ],
 "xPathQueries": [
- "\\MSExchange Management!*"
+ "MSExchange Management!*"
 ],
 "name": "eventLogsDataSource"
 }
From 0ec0a8f200ef5704b3e5b9d52153922beda91426 Mon Sep 17 00:00:00 2001
From: nlepagnez
Date: Thu, 22 Aug 2024 09:28:14 +0200
Subject: [PATCH 04/19] Rename Exchange Admin for Online Workbook to be aligned with naming convention
---
 .../Package/createUiDefinition.json | 2 +-
 Workbooks/WorkbooksMetadata.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json b/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json
index 0059d5a13e3..bafc23d5537 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json
@@ -139,7 +139,7 @@
 {
 "name": "workbook3",
 "type": "Microsoft.Common.Section",
- "label": "Microsoft Exchange Online Admin Activity",
+ "label": "Microsoft Exchange Admin Activity - Online",
 "elements": [
 {
 "name": "workbook3-text",
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index 6a8bbea8536..e15144438e5 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -5690,7 +5690,7 @@
 "MicrosoftExchangeAdminActivity-OnlineWhite.png"
 ],
 "version": "1.0.0",
- "title": "Microsoft Exchange Online Admin Activity",
+ "title": "Microsoft Exchange Admin Activity - Online",
 "templateRelativePath": "Microsoft Exchange Admin Activity - Online.json",
 "subtitle": "",
 "provider": "Microsoft"
From 570b43353ff342f7be28d868ab898a9d20ceea32 Mon Sep 17 00:00:00 2001
From: nlepagnez
Date: Mon, 26 Aug 2024 19:07:57 +0200
Subject: [PATCH 05/19] Update Data Connectors using DCR
---
 .../ESI-ExchangeAdminAuditLogEvents.json | 73 +-
 .../ESI-ExchangeOnPremisesCollector.json | 76 +-
 ...Opt1ExchangeAdminAuditLogsByEventLogs.json | 109 +-
 .../ESI-Opt2ExchangeServersEventLogs.json | 62 +-
 ...t34DomainControllersSecurityEventLogs.json | 42 +-
 .../ESI-Opt5ExchangeIISLogs.json | 60 +-
 .../ESI-Opt6ExchangeMessageTrackingLogs.json | 90 +-
 .../ESI-Opt7ExchangeHTTPProxyLogs.json | 92 +-
 ...DCR_Option6-MessageTracking-TableOnly.json | 160 +++
 ...eploy_ESI_DCR_Option6-MessageTracking.json | 124 +-
 ...uredeploy_ESI_Option7-HTTPProxy-Table.json | 336 +++++
 .../azuredeploy_ESI_Option7-HTTPProxy.json | 302 +----
 .../ReleaseNotes.md | 1 +
 .../Microsoft Exchange Security Review.json | 1163 +++++++++++++----
 Workbooks/WorkbooksMetadata.json | 4 +-
 15 files changed, 1680 insertions(+), 1014 deletions(-)
 create mode 100644 Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking-TableOnly.json
 create mode 100644 Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy-Table.json
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json
index b8d523e1b9f..51b86166103 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json
@@ -2,7 +2,7 @@
 "id": "ESI-ExchangeAdminAuditLogEvents",
 "title": "[Deprecated] Microsoft Exchange Logs and Events",
 "publisher": "Microsoft",
- "descriptionMarkdown": "You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
+ "descriptionMarkdown": "Deprecated, use the 'ESI-Opt' dataconnectors. You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
 "graphQueries": [
 {
 "metricName": "Total data received",
@@ -100,35 +100,14 @@ "customs": [ { "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - } + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } ] }, "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", - "instructions": [ - { - "parameters": { - "title": "Parser deployment (When using Microsoft Exchange Security Solution, Parsers are automatically deployed)", - "instructionSteps": [ - { - "title": "1. Download the Parser file", - "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" - }, - { - "title": "2. Create Parser **ExchangeAdminAuditLogs** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeAdminAuditLogs** function", - "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, { "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. 
Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)" }, @@ -689,11 +668,49 @@ "type": "InstructionStepsGroup" } ] + }, + { + "title": "", + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "metadata": { "id": "5738bef7-b6c0-4fec-ba0b-ac728bef83a9", - "version": "2.2.1", + "version": "2.2.2", "kind": "dataConnector", "source": { "kind": "solution", 
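Review bot: The new `"name": "Detailled documentation"` entry and its `"description"` both misspell "Detailed"; as both strings are shown on the connector page, change them to `"name": "Detailed documentation"` and `">**NOTE:** Detailed documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"`. The same two strings are added verbatim in the ESI-ExchangeOnPremisesCollector.json (@@ -61) and ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json (@@ -60) hunks of this patch, so fix all three together.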
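Review bot: The added instruction step uses `"title": ""`, an empty string standing in for "no title"; the existing options-NOTE step in the same file simply omits the key, so for consistency drop the `"title"` line rather than emitting an empty value. The step's description also reads contradictorily — "Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias" — so wording such as `Parsers are automatically deployed with the solution; only if you need to deploy them manually, follow the steps below` would match the group title that follows it. The same empty-title step is added in ESI-ExchangeOnPremisesCollector.json (@@ -152).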
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeOnPremisesCollector.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeOnPremisesCollector.json index 8366e661fce..9d418e1991c 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeOnPremisesCollector.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeOnPremisesCollector.json 
@@ -61,40 +61,14 @@ { "name": "Service Account with Organization Management role", "description": "The service Account that launch the script as scheduled task needs to be Organization Management to be able to retrieve all the needed security Information." - } + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } ] }, "instructionSteps": [ - { - "title": "Parser deployment **(When using Microsoft Exchange Security Solution, Parsers are automatically deployed)**", - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)", - "instructions": [ - { - "parameters": { - "title": "Parsers deployment", - "instructionSteps": [ - { - "title": "1. Download the Parser files", - "description": "The latest version of the 2 files [**ExchangeConfiguration.yaml**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList.yaml**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)" - }, - { - "title": "2. Create Parser **ExchangeConfiguration** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeConfiguration** function", - "description": "Click on save button.\n Define the parameters as asked on the header of the parser file.\nClick save again." - }, - { - "title": "4. 
Reproduce the same steps for Parser **ExchangeEnvironmentList**", - "description": "Reproduce the step 2 and 3 with the content of 'ExchangeEnvironmentList.yaml' file" - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, { "title": "1. Install the ESI Collector Script on a server with Exchange Admin PowerShell console", "description": "This is the script that will collect Exchange Information to push content in Microsoft Sentinel.\n ", 
@@ -152,11 +126,49 @@ { "title": "3. Schedule the ESI Collector Script (If not done by the Install Script due to lack of permission or ignored during installation)", "description": "The script needs to be scheduled to send Exchange configuration to Microsoft Sentinel.\n We recommend to schedule the script once a day.\n The account used to launch the Script needs to be member of the group Organization Management" + }, + { + "title": "", + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "metadata": { "id": "ed950fd7-e457-4a59-88f0-b9c949aa280d", - "version": "1.2.1", + "version": "1.2.2", "kind": "dataConnector", "source": { "kind": "solution", 
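Review bot: The new manual-parser step in ESI-ExchangeOnPremisesCollector.json points at the wrong parser: it names and links **ExchangeAdminAuditLogs** (`https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser`), while the block this file loses at @@ -61 documented this connector's own parsers, **ExchangeConfiguration** and **ExchangeEnvironmentList**, with their links `https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser` and `https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser`. The new step-3 text "No parameter is needed for this parser" likewise contradicts the removed step 3, which told the user to define the parameters from the header of the ExchangeConfiguration parser file. Restore the two parser names and links in the NOTE description and in steps 1–3, keep the parameter note for ExchangeConfiguration, and re-add the removed step 4 that repeats the procedure for ExchangeEnvironmentList; the NOTE line would then read `">**NOTE:** This data connector depends on parsers based on Kusto Functions to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions aliases : [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)"`.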
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json
index 31fa8e99219..39d36fee99a 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json
@@ -2,7 +2,7 @@
 "id": "ESI-Opt1ExchangeAdminAuditLogsByEventLogs",
 "title": "Microsoft Exchange Admin Audit Logs by Event Logs",
 "publisher": "Microsoft",
- "descriptionMarkdown": "You can stream all Exchange Audit events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
+ "descriptionMarkdown": "[Option 1] - Using Azure Monitor Agent - You can stream all Exchange Audit events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
 "graphQueries": [
 {
 "metricName": "Total data received",
@@ -26,7 +26,7 @@
 {
 "type": "IsConnectedQuery",
 "value": [
- "Event | where EventLog == 'MSExchange Management' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(1h)"
+ "Event | where EventLog == 'MSExchange Management' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)"
 ]
 }
 ],
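Review bot: `ago(7h)` in the new IsConnectedQuery widens the connected window from 1h to 7h with no explanation anywhere in the diff, and 7h is an unusual value; presumably it exists because MSExchange Management events only appear when an administrator runs a cmdlet, so a quiet stretch should not flip the connector to "disconnected" — if that is the reason, say so in this patch's ReleaseNotes.md entry, and check that the other ESI-Opt connectors (not in this chunk) use the same window so the solution's connectors agree on what "connected" means. The `[Option 1] - Using Azure Monitor Agent - ` prefix on descriptionMarkdown is a useful disambiguator; keep its exact form for the Opt2–Opt7 descriptions so the connector gallery reads uniformly.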
@@ -60,28 +60,27 @@ "customs": [ { "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - } + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } ] }, "instructionSteps": [ { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 1** of the wiki." + }, + { + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel", + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", "instructions": [ { "parameters": { - "title": "Parser deployment (When using Microsoft Exchange Security Solution, Parsers are automatically deployed)", "instructionSteps": [ { - "title": "1. 
Download the Parser file", - "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" - }, - { - "title": "2. Create Parser **ExchangeAdminAuditLogs** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeAdminAuditLogs** function", - "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" } ] }, 
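Review bot: The new "Deploy Monitor Agents" step says **Deploy the Azure Arc Agent** but its only link is the Azure Monitor Agent install page (`azure-monitor-agent-install?tabs=...`), which covers installing AMA on an already Arc-enabled machine rather than onboarding the Connected Machine agent itself; a reader following the link will not find the Arc onboarding procedure, so add the Arc servers onboarding link (or say explicitly that AMA is then installed as an extension on the Arc resource). The added custom note is spelled "Detailled" twice (name and description); it should be `Detailed`, and the same string is duplicated into every option connector in this commit. The retained preamble sentence "Azure Log Analytics will be deprecated" is inaccurate as phrased — it is the Log Analytics agent (MMA) that is retired, not the Log Analytics service — and is worth fixing while the block is being touched.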
@@ -90,38 +89,44 @@ ] }, { - "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the option 1 of the wiki." - }, - { - "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel", - "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "title": "2. [Option 1] MS Exchange Management Log collection - MS Exchange Admin Audit event logs by Data Collection Rules", + "description": "The MS Exchange Admin Audit event logs are collected using Data Collection Rules (DCR) and allow to store all Administrative Cmdlets executed in an Exchange environment.", "instructions": [ { "parameters": { + "title": "", "instructionSteps": [ { - "title": "Deploy Monitor Agents", - "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers", + "title": "Data Collection Rules Deployment", + "description": "**Enable data collection rule**\n> Microsoft Exchange Admin Audit Events logs are collected only from **Windows** agents.", "instructions": [ { "parameters": { - "title": "Select which agent you want to install in your servers to collect logs:", "instructionSteps": [ { - "title": "[Prefered] Azure Monitor Agent via Azure Arc", - "description": "**Deploy the Azure Arc Agent**\n> [Learn 
more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered)", + "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption1-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." }, { - "title": "Install Azure Log Analytics Agent (Deprecated on 31/08/2024)", - "description": "1. Download the Azure Log Analytics Agent and choose the deployment method in the below link.", + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", "instructions": [ { "parameters": { - "linkType": "InstallAgentOnNonAzure" + "instructionSteps": [ + { + "title": "A. Create DCR, Type Event log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." 
+ } + ] }, - "type": "InstallAgent" + "type": "InstructionStepsGroup" } ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" } ] }, 
@@ -136,62 +141,36 @@ ] }, { - "title": "[Option 1] MS Exchange Management Log collection", - "description": "Select how to stream MS Exchange Admin Audit event logs", + "title": "", + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", "instructions": [ { "parameters": { - "title": "MS Exchange Admin Audit event logs", + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", "instructionSteps": [ { - "title": "Data Collection Rules - When Azure Monitor Agent is used", - "description": "**Enable data collection rule**\n> Microsoft Exchange Admin Audit Events logs are collected only from **Windows** agents.", + "title": "Manual Parser Deployment", "instructions": [ { "parameters": { "instructionSteps": [ { - "title": "Option 1 - Azure Resource Manager (ARM) Template", - "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption1-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + "title": "1. 
Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" }, { - "title": "Option 2 - Manual Deployment of Azure Automation", - "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", - "instructions": [ - { - "parameters": { - "instructionSteps": [ - { - "title": "A. Create DCR, Type Event log", - "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." - } - ] - }, - "type": "InstructionStepsGroup" - } - ] + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" }, { - "title": "Assign the DCR to all Exchange Servers", - "description": "Add all your Exchange Servers to the DCR" + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." } ] }, "type": "InstructionStepsGroup" } ] - }, - { - "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used", - "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. 
Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MSExchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.", - "instructions": [ - { - "parameters": { - "linkType": "OpenSyslogSettings" - }, - "type": "InstallAgent" - } - ] } ] }, diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt2ExchangeServersEventLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt2ExchangeServersEventLogs.json index 5226451600e..e66fa19f4bb 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt2ExchangeServersEventLogs.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt2ExchangeServersEventLogs.json @@ -2,7 +2,7 @@ "id": "ESI-Opt2ExchangeServersEventLogs", "title": "Microsoft Exchange Logs and Events", "publisher": "Microsoft", - "descriptionMarkdown": "You can stream all Exchange Security & Application Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "descriptionMarkdown": "[Option 2] - Using Azure Monitor Agent - You can stream all Exchange Security & Application Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", "graphQueries": [ { "metricName": "Total data received", @@ -26,7 +26,7 @@ { "type": "IsConnectedQuery", "value": [ - "Event | where EventLog == 'Application' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(1h)" + "Event | where EventLog == 'Application' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" ] } ], 
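Review bot: The Option 2 IsConnectedQuery `Event | where EventLog == 'Application'` is not scoped to Exchange at all: any Windows host in the workspace that forwards Application-log events (other DCRs, other solutions) will make this connector report Connected even when no Exchange server is associated with the Option 2 DCR, and the widening to `ago(7h)` makes the signal looser still. If the DCR collects Exchange's own event sources (I cannot see the template from here), narrowing the check to them would make the status meaningful, e.g. `Event | where EventLog == 'Application' and Source startswith 'MSExchange' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)`. Separately, Option 2 keeps the generic title "Microsoft Exchange Logs and Events" — the exact title the deprecated connector carried before this commit — while Option 6 is renamed to a specific title; renaming Option 2 the same way (e.g. `Microsoft Exchange Servers Security and Application Event Logs`) would avoid two near-identical entries in the gallery.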
@@ -60,12 +60,16 @@ "customs": [ { "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - } + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } ] }, "instructionSteps": [ { - "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the option 2 of the wiki." + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 2** of the wiki." }, { "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel", 
@@ -76,33 +80,7 @@ "instructionSteps": [ { "title": "Deploy Monitor Agents", - "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers", - "instructions": [ - { - "parameters": { - "title": "Select which agent you want to install in your servers to collect logs:", - "instructionSteps": [ - { - "title": "[Prefered] Azure Monitor Agent via Azure Arc", - "description": "**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "title": "Install Azure Log Analytics Agent (Deprecated on 31/08/2024)", - "description": "1. Download the Azure Log Analytics Agent and choose the deployment method in the below link.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" } ] }, @@ -111,8 +89,8 @@ ] }, { - "title": "[Option 2] Security/Application/System logs of Exchange Servers", - "description": "Select how to stream Security/Application/System logs of Exchange Servers", + "title": "2. [Option 2] Security/Application/System logs of Exchange Servers", + "description": "The Security/Application/System logs of Exchange Servers are collected using Data Collection Rules (DCR).", "instructions": [ { "parameters": { 
@@ -140,14 +118,14 @@ "title": "Application and System Event log collection", "instructionSteps": [ { - "title": "Data Collection Rules - When Azure Monitor Agent is used", - "description": "**Enable data collection rule**\n> Application and System Events logs are collected only from **Windows** agents.", + "title": "Enable data collection rule", + "description": "> Application and System Events logs are collected only from **Windows** agents.", "instructions": [ { "parameters": { "instructionSteps": [ { - "title": "Option 1 - Azure Resource Manager (ARM) Template", + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered method)", "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption2-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." }, { @@ -176,18 +154,6 @@ "type": "InstructionStepsGroup" } ] - }, - { - "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used", - "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Windows Event logs**.\n2. Click **Add Windows event log** and search **Application** as log name.\n3. Click **Add Windows event log** and search **System** as log name.\n4. Collect Error (for all), Warning (for all) and Information (for System) types\n5. Click **Save**.", - "instructions": [ - { - "parameters": { - "linkType": "OpenSyslogSettings" - }, - "type": "InstallAgent" - } - ] } ] }, 
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt34DomainControllersSecurityEventLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt34DomainControllersSecurityEventLogs.json index 3981ed1acf6..8084de0ae36 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt34DomainControllersSecurityEventLogs.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt34DomainControllersSecurityEventLogs.json @@ -1,8 +1,8 @@ { "id": "ESI-Opt34DomainControllersSecurityEventLogs", - "title": "Microsoft Active-Directory Domain Controllers Security Event Logs", + "title": " Microsoft Active-Directory Domain Controllers Security Event Logs", "publisher": "Microsoft", - "descriptionMarkdown": "You can stream a part or all Domain Controllers Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "descriptionMarkdown": "[Option 3 & 4] - Using Azure Monitor Agent -You can stream a part or all Domain Controllers Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", "graphQueries": [ { "metricName": "Total data received", @@ -26,7 +26,7 @@ { "type": "IsConnectedQuery", "value": [ - "SecurityEvent | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(1h)" + "SecurityEvent | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" ] } ], 
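Review bot: The new title string starts with a leading space (`" Microsoft Active-Directory Domain Controllers Security Event Logs"`) and the new description runs "Agent -You" without a space; both look accidental, and a leading space in a gallery title can affect sorting and exact-match lookups. The IsConnectedQuery `SecurityEvent | summarize LastLogReceived = max(TimeGenerated)` is also unscoped: any host writing to SecurityEvent (a Windows Security Events connector on member servers, for example) will show this Domain Controllers connector as Connected with no DC onboarded, and the change to `ago(7h)` widens that further. If the Option 3/4 DCR collects a known set of DC-specific event IDs, filtering on those (or on the DC computers) would make the status reflect the actual feed — I cannot confirm the collected IDs from this diff.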
@@ -60,12 +60,16 @@ "customs": [ { "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - } + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } ] }, "instructionSteps": [ { - "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the option 3 and 4 of the wiki." + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 3 and 4** of the wiki." }, { "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel", 
@@ -76,33 +80,7 @@ "instructionSteps": [ { "title": "Deploy Monitor Agents", - "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers", - "instructions": [ - { - "parameters": { - "title": "Select which agent you want to install in your servers to collect logs:", - "instructionSteps": [ - { - "title": "[Prefered] Azure Monitor Agent via Azure Arc", - "description": "**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "title": "Install Azure Log Analytics Agent (Deprecated on 31/08/2024)", - "description": "1. Download the Azure Log Analytics Agent and choose the deployment method in the below link.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" } ] }, diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt5ExchangeIISLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt5ExchangeIISLogs.json index a782328e3dc..5e0f308c123 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt5ExchangeIISLogs.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt5ExchangeIISLogs.json 
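Review bot: The collapsed "Deploy Monitor Agents" step now tells the reader to Arc-enable Domain Controllers with no caveat, and this is the tier-0 case: once a DC is an Azure Arc resource, any principal holding extension-install rights on that resource (for example Azure Connected Machine Resource Administrator on the resource group) can push an extension that runs as SYSTEM on the DC, so the DC's security boundary now includes that Azure resource group and its RBAC. Suggest adding to this step: `> **Security note:** Arc-enabling Domain Controllers extends the tier-0 boundary to the Azure resource group holding the Arc resources. Restrict RBAC on that resource group to the accounts that administer DCs, and consider restricting the agent to the Azure Monitor Agent extension only (e.g. azcmagent config set extensions.allowlist with the AMA extension) before onboarding.` The link in the step is the AMA install page rather than the Arc onboarding guide, so the Arc-specific hardening guidance is never surfaced to the reader.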
@@ -2,7 +2,7 @@ "id": "ESI-Opt5ExchangeIISLogs", "title": "IIS Logs of Microsoft Exchange Servers", "publisher": "Microsoft", - "descriptionMarkdown": "You can stream all IIS Logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "descriptionMarkdown": "[Option 5] - Using Azure Monitor Agent - You can stream all IIS Logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", "graphQueries": [ { "metricName": "Total data received", @@ -26,7 +26,7 @@ { "type": "IsConnectedQuery", "value": [ - "W3CIISLog | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(1h)" + "W3CIISLog | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" ] } ], 
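Review bot: For Option 5 the move to `ago(7h)` in the IsConnectedQuery is hard to justify: IIS on an Exchange server logs continuously (every OWA/EWS/ActiveSync/Autodiscover request), so a 1h window was already reliable here and the 7h window mostly delays noticing a stalled feed for the one log source most useful for detecting web-shell and ProxyShell-style activity. `W3CIISLog | summarize LastLogReceived = max(TimeGenerated)` also matches IIS logs from any host in the workspace, not only Exchange servers, so the status can read Connected with no Exchange server attached to the DCR; if the Exchange hosts are identifiable (I cannot tell from this diff how the DCR scopes them), filtering on `Computer` would tighten it. If the 7h value was chosen for consistency across options rather than for this source, a per-option threshold would be the better trade.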
@@ -60,12 +60,16 @@ "customs": [ { "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - } + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } ] }, "instructionSteps": [ { - "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the option 5 of the wiki." + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 5** of the wiki." }, { "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel", 
@@ -76,33 +80,7 @@ "instructionSteps": [ { "title": "Deploy Monitor Agents", - "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers", - "instructions": [ - { - "parameters": { - "title": "Select which agent you want to install in your servers to collect logs:", - "instructionSteps": [ - { - "title": "[Prefered] Azure Monitor Agent via Azure Arc", - "description": "**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "title": "Install Azure Log Analytics Agent (Deprecated on 31/08/2024)", - "description": "1. Download the Azure Log Analytics Agent and choose the deployment method in the below link.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" } ] }, @@ -111,15 +89,15 @@ ] }, { - "title": "IIS logs of Exchange Servers", + "title": "[Option 5] IIS logs of Exchange Servers", "description": "Select how to stream IIS logs of Exchange Servers", "instructions": [ { "parameters": { "instructionSteps": [ { - "title": "Data Collection Rules - When Azure Monitor Agent is used", - "description": "**Enable data collection rule**\n> IIS logs are collected only from **Windows** agents.", + "title": "Enable data collection rule", + "description": "> IIS logs are collected only from **Windows** agents.", "instructions": [ { "type": "AdminAuditEvents" 
@@ -128,7 +106,7 @@ "parameters": { "instructionSteps": [ { - "title": "Option 1 - Azure Resource Manager (ARM) Template", + "title": "Option 1 - Azure Resource Manager (ARM) Template (Preferred Method)", "description": "Use this method for automated deployment of the DCE and DCR.", "instructions": [ { @@ -178,18 +156,6 @@ "type": "InstructionStepsGroup" } ] - }, - { - "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used", - "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **IIS Logs**.\n2. Check **Collect W3C format IIS log files**\n5. Click **Save**.", - "instructions": [ - { - "parameters": { - "linkType": "OpenSyslogSettings" - }, - "type": "InstallAgent" - } - ] } ] }, diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt6ExchangeMessageTrackingLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt6ExchangeMessageTrackingLogs.json index 40403c05971..331d81969b8 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt6ExchangeMessageTrackingLogs.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt6ExchangeMessageTrackingLogs.json 
@@ -1,8 +1,8 @@ { "id": "ESI-Opt6ExchangeMessageTrackingLogs", - "title": "Microsoft Exchange Logs and Events", + "title": "Microsoft Exchange Message Tracking Logs", "publisher": "Microsoft", - "descriptionMarkdown": "You can stream all Exchange Message Tracking from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. Those logs can be used to track the flow of messages in your Exchange environment. This data connector is based on the option 6 of the [Microsoft Exchange Security wiki](https://aka.ms/ESI_DataConnectorOptions).", + "descriptionMarkdown": "[Option 6] - Using Azure Monitor Agent - You can stream all Exchange Message Tracking from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. Those logs can be used to track the flow of messages in your Exchange environment. This data connector is based on the option 6 of the [Microsoft Exchange Security wiki](https://aka.ms/ESI_DataConnectorOptions).", "graphQueries": [ { "metricName": "Total data received", @@ -26,7 +26,7 @@ { "type": "IsConnectedQuery", "value": [ - "MessageTrackingLog_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(1h)" + "MessageTrackingLog_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" ] } ], 
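Review bot: The rewritten description for Option 6 still says nothing about what message tracking records contain or how much of it there is, which is what a reviewer approving this ingestion needs: these logs carry sender and recipient addresses per message and, in Exchange's default configuration (I believe subject logging is on unless disabled), message subjects, and on a busy organisation they are one of the highest-volume options in this solution. Suggest appending to descriptionMarkdown: `Message tracking records include sender/recipient addresses and, depending on Exchange configuration, message subjects; review retention and access to the MessageTrackingLog_CL table accordingly, and expect high ingestion volume.` The `ago(7h)` IsConnectedQuery change is the same uniform widening applied elsewhere in the commit; message flow is continuous on most servers, so a shorter window would still be dependable for this option.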
@@ -60,12 +60,16 @@ "customs": [ { "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - } + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } ] }, "instructionSteps": [ { - "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the option 6 of the wiki." + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 6** of the wiki." }, { "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel", 
@@ -76,33 +80,7 @@
 "instructionSteps": [
 {
 "title": "Deploy Monitor Agents",
- "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers",
- "instructions": [
- {
- "parameters": {
- "title": "Select which agent you want to install in your servers to collect logs:",
- "instructionSteps": [
- {
- "title": "[Prefered] Azure Monitor Agent via Azure Arc",
- "description": "**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "title": "Install Azure Log Analytics Agent (Deprecated on 31/08/2024)",
- "description": "1. Download the Azure Log Analytics Agent and choose the deployment method in the below link.",
- "instructions": [
- {
- "parameters": {
- "linkType": "InstallAgentOnNonAzure"
- },
- "type": "InstallAgent"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
 }
 ]
 },
@@ -111,7 +89,7 @@
 ]
 },
 {
- "title": "Message Tracking of Exchange Servers",
+ "title": "2. Message Tracking of Exchange Servers",
 "description": "Select how to stream Message Tracking of Exchange Servers",
 "instructions": [
 {
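Review bot: The collapsed `Deploy Monitor Agents` step now tells the reader only to `Deploy the Azure Arc Agent`, yet the DCR steps later in this connector require the Azure Monitor Agent on the Exchange servers, and the link target is the AMA install page rather than Arc onboarding. Arc connects a non-Azure server to ARM; the AMA extension is a separate install (it is normally pushed when the DCR association is created from the portal, but nothing here says so), and Azure VMs need no Arc at all. Suggested text: `Connect non-Azure Exchange Servers/Domain Controllers with Azure Arc, then install the Azure Monitor Agent extension (creating the DCR association from the portal installs it); Azure VMs only need the extension.` The enclosing instruction step continues past the end of this hunk.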
@@ -121,13 +99,6 @@
 "title": "Data Collection Rules - When Azure Monitor Agent is used",
 "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.",
 "instructions": [
- {
- "parameters": {
- "text": "**Attention**, Custom logs in Monitor Agent is in Preview. The deployment doesn't work as expected for the moment (March 2023).",
- "inline": false
- },
- "type": "InfoMessage"
- },
 {
 "parameters": {
 "instructionSteps": [
@@ -160,16 +131,31 @@ "parameters": { "instructionSteps": [ { - "title": "A. Create DCE (If not already created for Exchange Servers)", - "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE, like ESI-ExchangeServers. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + "title": "Create Custom Table - Explanation", + "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)." }, { - "title": "B. Create Custom DCR Table", - "description": "1. Download the Example file from [Microsoft Sentinel GitHub](https://aka.ms/Sentinel-Sample-ESI-MessageTrackingExampleFile).\n2. From the Azure Portal, navigate to [Workspace Analytics](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.OperationalInsights%2Fworkspaces) and select your target Workspace.\n3. Click in 'Tables', click **+ Create** at the top and select **New Custom log (DCR-Based)**.\n4. In the **Basics** tab, enter **MessageTrackingLog** on the Table name, create a Data Collection rule with the name **DCR-Option6-MessageTrackingLogs** (for example) and select the previously created Data collection Endpoint.\n5. In the **Schema and Transformation** tab, choose the downloaded sample file and click on **Transformation Editor**.\n6. 
In the transformation field, enter the following KQL request :\n*source\n| extend TimeGenerated = todatetime(['date-time'])\n| extend\n clientHostname = ['client-hostname'],\n clientIP = ['client-ip'],\n connectorId = ['connector-id'],\n customData = ['custom-data'],\n eventId = ['event-id'],\n internalMessageId = ['internal-message-id'],\n logId = ['log-id'],\n messageId = ['message-id'],\n messageInfo = ['message-info'],\n messageSubject = ['message-subject'],\n networkMessageId = ['network-message-id'],\n originalClientIp = ['original-client-ip'],\n originalServerIp = ['original-server-ip'],\n recipientAddress= ['recipient-address'],\n recipientCount= ['recipient-count'],\n recipientStatus= ['recipient-status'],\n relatedRecipientAddress= ['related-recipient-address'],\n returnPath= ['return-path'],\n senderAddress= ['sender-address'],\n senderHostname= ['server-hostname'],\n serverIp= ['server-ip'],\n sourceContext= ['source-context'],\n schemaVersion=['schema-version'],\n messageTrackingTenantId = ['tenant-id'],\n totalBytes = ['total-bytes'],\n transportTrafficType = ['transport-traffic-type']\n| project-away\n ['client-ip'],\n ['client-hostname'],\n ['connector-id'],\n ['custom-data'],\n ['date-time'],\n ['event-id'],\n ['internal-message-id'],\n ['log-id'],\n ['message-id'],\n ['message-info'],\n ['message-subject'],\n ['network-message-id'],\n ['original-client-ip'],\n ['original-server-ip'],\n ['recipient-address'],\n ['recipient-count'],\n ['recipient-status'],\n ['related-recipient-address'],\n ['return-path'],\n ['sender-address'],\n ['server-hostname'],\n ['server-ip'],\n ['source-context'],\n ['schema-version'],\n ['tenant-id'],\n ['total-bytes'],\n ['transport-traffic-type']*\n\n8. Click 'Run' and after 'Apply'.\n9. Click **Next**, then click **Create**." + "title": "Create Custom Table using an ARM Template", + "description": "1. Click the **Deploy to Azure** button below. 
\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-MessageTrackingCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy." }, { - "title": "C. Modify the created DCR, Type Custom log", - "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Select the previously created DCR, like **DCR-Option6-MessageTrackingLogs**.\n3. In the **Resources** tab, enter you Exchange Servers.\n4. In **Data Sources**, add a Data Source type 'Custom Text logs' and enter 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\*.log' in file pattern, 'MessageTrackingLog_CL' in Table Name.\n6.in Transform field, enter the following KQL request :\n*source\n| extend TimeGenerated = todatetime(['date-time'])\n| extend\n clientHostname = ['client-hostname'],\n clientIP = ['client-ip'],\n connectorId = ['connector-id'],\n customData = ['custom-data'],\n eventId = ['event-id'],\n internalMessageId = ['internal-message-id'],\n logId = ['log-id'],\n messageId = ['message-id'],\n messageInfo = ['message-info'],\n messageSubject = ['message-subject'],\n networkMessageId = ['network-message-id'],\n originalClientIp = ['original-client-ip'],\n originalServerIp = ['original-server-ip'],\n recipientAddress= ['recipient-address'],\n recipientCount= ['recipient-count'],\n recipientStatus= ['recipient-status'],\n relatedRecipientAddress= ['related-recipient-address'],\n returnPath= ['return-path'],\n senderAddress= ['sender-address'],\n senderHostname= ['server-hostname'],\n serverIp= ['server-ip'],\n sourceContext= ['source-context'],\n schemaVersion=['schema-version'],\n messageTrackingTenantId = ['tenant-id'],\n totalBytes = ['total-bytes'],\n transportTrafficType = 
['transport-traffic-type']\n| project-away\n ['client-ip'],\n ['client-hostname'],\n ['connector-id'],\n ['custom-data'],\n ['date-time'],\n ['event-id'],\n ['internal-message-id'],\n ['log-id'],\n ['message-id'],\n ['message-info'],\n ['message-subject'],\n ['network-message-id'],\n ['original-client-ip'],\n ['original-server-ip'],\n ['recipient-address'],\n ['recipient-count'],\n ['recipient-status'],\n ['related-recipient-address'],\n ['return-path'],\n ['sender-address'],\n ['server-hostname'],\n ['server-ip'],\n ['source-context'],\n ['schema-version'],\n ['tenant-id'],\n ['total-bytes'],\n ['transport-traffic-type']* \n7. Click on 'Add data source'." + "title": "Create Custom Table using PowerShell in Cloud Shell", + "description": "1. From the Azure Portal, open a Cloud Shell.\n2. Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t\"schema\": {\n\t\t\t\t\t \"name\": \"MessageTrackingLog_CL\",\n\t\t\t\t\t \"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"directionality\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"reference\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"source\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientIP\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"connectorId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": 
\"customData\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"eventId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"internalMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"logId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageSubject\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"networkMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalClientIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalServerIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientCount\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"relatedRecipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"returnPath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"serverIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"sourceContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"schemaVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageTrackingTenantId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"totalBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"transportTrafficType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t'@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/MessageTrackingLog_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. 
From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE, like ESI-ExchangeServers. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create a DCR, Type Custom log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option6-MessageTrackingLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\*.log' in file pattern, 'MessageTrackingLog_CL' in Table Name.\n6.in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend TimeGenerated =todatetime(d[0]) ,clientIP =tostring(d[1]) ,clientHostname =tostring(d[2]) ,serverIp=tostring(d[3]) ,senderHostname=tostring(d[4]) ,sourceContext=tostring(d[5]) ,connectorId =tostring(d[6]) ,source=tostring(d[7]) ,eventId =tostring(d[8]) ,internalMessageId =tostring(d[9]) ,messageId =tostring(d[10]) ,networkMessageId =tostring(d[11]) ,recipientAddress=tostring(d[12]) ,recipientStatus=tostring(d[13]) ,totalBytes=tostring(d[14]) ,recipientCount=tostring(d[15]) ,relatedRecipientAddress=tostring(d[16]) ,reference=tostring(d[17]) ,messageSubject =tostring(d[18]) ,senderAddress=tostring(d[19]) ,returnPath=tostring(d[20]) ,messageInfo =tostring(d[21]) ,directionality=tostring(d[22]) 
,messageTrackingTenantId =tostring(d[23]) ,originalClientIp =tostring(d[24]) ,originalServerIp =tostring(d[25]) ,customData=tostring(d[26]) ,transportTrafficType =tostring(d[27]) ,logId =tostring(d[28]) ,schemaVersion=tostring(d[29]) | project-away d,RawData\n and click on 'Destination'.\n6. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n7. Click on 'Add data source'.\n8. Fill other required parameters and tags and create the DCR" } ] }, @@ -186,18 +172,6 @@ "type": "InstructionStepsGroup" } ] - }, - { - "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used", - "description": "**Configure the logs to be collected**\n\n1. Under workspace **Settings** part, select **Tables**, click **+ Create** and click on **New custom log (MMA-Based)**.\n2. Select Sample file **[MessageTracking Sample](https://aka.ms/Sentinel-Sample-ESI-MessageTrackingLogsSampleCSV)** and click Next\n3. Select type **Windows** and enter the path **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\*.log**. Click Next.\n4. Enter **MessageTrackingLog** as Table name and click Next.\n5. Click **Save**.", - "instructions": [ - { - "parameters": { - "linkType": "OpenSyslogSettings" - }, - "type": "InstallAgent" - } - ] } ] }, diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json index a7afd35e292..21e93c66161 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json 
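Review bot: The manual DCR transform in step 6 of `B. Create a DCR, Type Custom log` parses each message tracking line with `split(RawData,',')` and fixed indexes, but Exchange writes these logs as CSV with double-quoted fields, and `message-subject` (d[18]), `recipient-address` (d[12]), `source-context`, `message-info` and `custom-data` legitimately contain commas; every such line shifts the trailing columns, so a sender-chosen subject with a comma lands in `senderAddress`, `returnPath` or `originalClientIp` and corrupts exactly the columns detections key on. Replace the split with the CSV-aware parser, `source | extend d = parse_csv(RawData) | extend TimeGenerated = todatetime(d[0]) ...`, keeping the same indexes. Message tracking files also begin with `#Software`, `#Version`, `#Log-type`, `#Date` and `#Fields` header lines; unless the agent drops them, a `| where RawData !startswith "#"` before the extend avoids rows with a null TimeGenerated. The PowerShell path creates the table with `api-version=2021-12-01-preview`; a GA version of the Tables API exists and is the better choice for a documented procedure. The ARM-template option on the same page presumably ships its own transform; it should use the same parser so both deployment paths produce identical rows.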
@@ -1,8 +1,8 @@
 {
 "id": "ESI-Opt7ExchangeHTTPProxyLogs",
- "title": "Microsoft Exchange Logs and Events",
+ "title": "Microsoft Exchange HTTP Proxy Logs",
 "publisher": "Microsoft",
- "descriptionMarkdown": "You can stream HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you create custom alerts, and improve investigation. [Learn more](https://aka.ms/ESI_DataConnectorOptions)",
+ "descriptionMarkdown": "[Option 7] - Using Azure Monitor Agent - You can stream HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you create custom alerts, and improve investigation. [Learn more](https://aka.ms/ESI_DataConnectorOptions)",
 "graphQueries": [
 {
 "metricName": "Total data received",
@@ -26,7 +26,7 @@
 {
 "type": "IsConnectedQuery",
 "value": [
- "ExchangeHttpProxy_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(1h)"
+ "ExchangeHttpProxy_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)"
 ]
 }
 ],
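Review bot: The new `descriptionMarkdown` still advertises `HTTP Proxy logs and Security Event logs`, but this connector's health query, table (`ExchangeHttpProxy_CL`) and DCR steps only collect HTTP Proxy logs; Security Event logs belong to the domain-controller option elsewhere in this patch, so drop `and Security Event logs` here to avoid customers expecting them from this connector. The IsConnectedQuery threshold also moves from `ago(1h)` to `ago(7h)`, so a proxy log source that goes silent is reported as connected for up to seven hours; if that accommodates custom-text-log collection delay, state it in the description and rely on an ingestion-gap analytics rule for actual monitoring. `using the Windows agent` in the same sentence now reads as the retired agent; `using the Azure Monitor Agent` matches the new `[Option 7] - Using Azure Monitor Agent` prefix.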
@@ -60,12 +60,16 @@
 "customs": [
 {
 "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- }
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
+ }
 ]
 },
 "instructionSteps": [
 {
- "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the option 7 of the wiki."
+ "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 7** of the wiki."
 },
 {
 "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel",
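Review bot: The added `customs` entry renders `Detailled` twice on the connector page; use `"name": "Detailed documentation"` and `Detailed documentation on the installation procedure and usage`. The edited instruction description also keeps `which data will be ingest` and `Each options are independant for one from the other` in the new line; `which data will be ingested` and `Each option is independent of the others` read correctly.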
@@ -76,33 +80,7 @@
 "instructionSteps": [
 {
 "title": "Deploy Monitor Agents",
- "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers",
- "instructions": [
- {
- "parameters": {
- "title": "Select which agent you want to install in your servers to collect logs:",
- "instructionSteps": [
- {
- "title": "[Prefered] Azure Monitor Agent via Azure Arc",
- "description": "**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "title": "Install Azure Log Analytics Agent (Deprecated on 31/08/2024)",
- "description": "1. Download the Azure Log Analytics Agent and choose the deployment method in the below link.",
- "instructions": [
- {
- "parameters": {
- "linkType": "InstallAgentOnNonAzure"
- },
- "type": "InstallAgent"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
 }
 ]
 },
@@ -111,7 +89,7 @@
 ]
 },
 {
- "title": "[Option 7] HTTP Proxy of Exchange Servers",
+ "title": "2. [Option 7] HTTP Proxy of Exchange Servers",
 "description": "Select how to stream HTTP Proxy of Exchange Servers",
 "instructions": [
 {
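Review bot: The collapsed `Deploy Monitor Agents` description mentions only the Azure Arc agent, while the DCR steps further down need the Azure Monitor Agent on each Exchange server and the link points at the AMA install page. Arc alone does not collect anything; the AMA extension is installed separately (typically when the DCR association is created from the portal), and Azure VMs do not need Arc. `Connect non-Azure servers with Azure Arc, then install the Azure Monitor Agent extension; Azure VMs only need the extension.` would make the prerequisite explicit. The enclosing instruction step continues past the end of this hunk.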
@@ -121,18 +99,11 @@
 "title": "Data Collection Rules - When Azure Monitor Agent is used",
 "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.",
 "instructions": [
- {
- "parameters": {
- "text": "**Attention**, Custom logs in Monitor Agent is in Preview. The deployment doesn't work as expected for the moment (March 2023).",
- "inline": false
- },
- "type": "InfoMessage"
- },
 {
 "parameters": {
 "instructionSteps": [
 {
- "title": "Option 1 - Azure Resource Manager (ARM) Template",
+ "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered Method)",
 "description": "Use this method for automated deployment of the DCE and DCR.",
 "instructions": [
 {
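Review bot: The renamed title `Option 1 - Azure Resource Manager (ARM) Template (Prefered Method)` misspells preferred; use `(Preferred Method)`. The unchanged description just above, `Message Tracking are collected only from **Windows** agents`, is a leftover from the Message Tracking connector and should read `HTTP Proxy logs are collected only from **Windows** agents` in this file.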
@@ -160,16 +131,31 @@ "parameters": { "instructionSteps": [ { - "title": "A. Create DCE (If not already created for Exchange Servers)", - "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + "title": "Create Custom Table - Explanation", + "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)." }, { - "title": "B. Create Custom DCR Table", - "description": "1. Download the Example file from [Microsoft Sentinel GitHub](https://aka.ms/Sentinel-Sample-ESI-HTTPProxyExampleFile).\n2. From the Azure Portal, navigate to [Workspace Analytics](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.OperationalInsights%2Fworkspaces) and select your target Workspace.\n3. Click in 'Tables', click **+ Create** at the top and select **New Custom log (DCR-Based)**.\n4. In the **Basics** tab, enter **ExchangeHttpProxy** on the Table name, create a Data Collection rule with the name **DCR-Option7-HTTPProxyLogs** (for example) and select the previously created Data collection Endpoint.\n5. In the **Schema and Transformation** tab, choose the downloaded sample file and click on **Transformation Editor**.\n6. In the transformation field, enter the following KQL request :\n*source\n| extend TimeGenerated = todatetime(DateTime)\n| project-away DateTime\n*\n\n8. Click 'Run' and after 'Apply'.\n9. Click **Next**, then click **Create**." 
+ "title": "Create Custom Table using an ARM Template", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-HTTPProxyCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy." }, { - "title": "C. Modify the created DCR, Type Custom log", - "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Select the previously created DCR, like **DCR-Option7-HTTPProxyLogs**.\n3. In the **Resources** tab, enter you Exchange Servers.\n4. In **Data Sources**, add a Data Source type 'Custom Text logs' and enter 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Autodiscover\\*.log' in file pattern, 'ExchangeHttpProxy_CL' in Table Name.\n6.in Transform field, enter the following KQL request :\n*source\n| extend TimeGenerated = todatetime(DateTime)\n| project-away DateTime* \n7. Click on 'Add data source'." + "title": "Create Custom Table using PowerShell in Cloud Shell", + "description": "1. From the Azure Portal, open a Cloud Shell.\n2. Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @''@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. 
Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/ExchangeHttpProxy_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create a DCR, Type Custom log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option7-HTTPProxyLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. 
In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter the following file pattern : \n\t\t'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Autodiscover\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Eas\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ecp\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ews\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Mapi\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Oab\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Owa\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\OwaCalendar\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\PowerShell\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\RpcHttp\\*.log'\n6. Put 'ExchangeHttpProxy_CL' in Table Name.\n7. 
in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend DateTime=todatetime(d[0]),RequestId=tostring(d[1]) ,MajorVersion=tostring(d[2]) ,MinorVersion=tostring(d[3]) ,BuildVersion=tostring(d[4]) ,RevisionVersion=tostring(d[5]) ,ClientRequestId=tostring(d[6]) ,Protocol=tostring(d[7]) ,UrlHost=tostring(d[8]) ,UrlStem=tostring(d[9]) ,ProtocolAction=tostring(d[10]) ,AuthenticationType=tostring(d[11]) ,IsAuthenticated=tostring(d[12]) ,AuthenticatedUser=tostring(d[13]) ,Organization=tostring(d[14]) ,AnchorMailbox=tostring(d[15]) ,UserAgent=tostring(d[16]) ,ClientIpAddress=tostring(d[17]) ,ServerHostName=tostring(d[18]) ,HttpStatus=tostring(d[19]) ,BackEndStatus=tostring(d[20]) ,ErrorCode=tostring(d[21]) ,Method=tostring(d[22]) ,ProxyAction=tostring(d[23]) ,TargetServer=tostring(d[24]) ,TargetServerVersion=tostring(d[25]) ,RoutingType=tostring(d[26]) ,RoutingHint=tostring(d[27]) ,BackEndCookie=tostring(d[28]) ,ServerLocatorHost=tostring(d[29]) ,ServerLocatorLatency=tostring(d[30]) ,RequestBytes=tostring(d[31]) ,ResponseBytes=tostring(d[32]) ,TargetOutstandingRequests=tostring(d[33]) ,AuthModulePerfContext=tostring(d[34]) ,HttpPipelineLatency=tostring(d[35]) ,CalculateTargetBackEndLatency=tostring(d[36]) ,GlsLatencyBreakup=tostring(d[37]) ,TotalGlsLatency=tostring(d[38]) ,AccountForestLatencyBreakup=tostring(d[39]) ,TotalAccountForestLatency=tostring(d[40]) ,ResourceForestLatencyBreakup=tostring(d[41]) ,TotalResourceForestLatency=tostring(d[42]) ,ADLatency=tostring(d[43]) ,SharedCacheLatencyBreakup=tostring(d[44]) ,TotalSharedCacheLatency=tostring(d[45]) ,ActivityContextLifeTime=tostring(d[46]) ,ModuleToHandlerSwitchingLatency=tostring(d[47]) ,ClientReqStreamLatency=tostring(d[48]) ,BackendReqInitLatency=tostring(d[49]) ,BackendReqStreamLatency=tostring(d[50]) ,BackendProcessingLatency=tostring(d[51]) ,BackendRespInitLatency=tostring(d[52]) ,BackendRespStreamLatency=tostring(d[53]) ,ClientRespStreamLatency=tostring(d[54]) 
,KerberosAuthHeaderLatency=tostring(d[55]) ,HandlerCompletionLatency=tostring(d[56]) ,RequestHandlerLatency=tostring(d[57]) ,HandlerToModuleSwitchingLatency=tostring(d[58]) ,ProxyTime=tostring(d[59]) ,CoreLatency=tostring(d[60]) ,RoutingLatency=tostring(d[61]) ,HttpProxyOverhead=tostring(d[62]) ,TotalRequestTime=tostring(d[63]) ,RouteRefresherLatency=tostring(d[64]) ,UrlQuery=tostring(d[65]) ,BackEndGenericInfo=tostring(d[66]) ,GenericInfo=tostring(d[67]) ,GenericErrors=tostring(d[68]) ,EdgeTraceId=tostring(d[69]) ,DatabaseGuid=tostring(d[70]) ,UserADObjectGuid=tostring(d[71]) ,PartitionEndpointLookupLatency=tostring(d[72]) ,RoutingStatus=tostring(d[73]) | extend TimeGenerated = DateTime | project-away d,RawData,DateTime | project-away d,RawData,DateTime\n and click on 'Destination'.\n8. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n9. Click on 'Add data source'.\n10. Fill other required parameters and tags and create the DCR" } ] }, 
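Review bot: In `Create Custom Table using PowerShell in Cloud Shell` the here-string is empty, `$tableParams = @''@`, so step 4's `Invoke-AzRestMethod ... -Method PUT -payload $tableParams` sends no schema and cannot create `ExchangeHttpProxy_CL` (an `@''@` on one line is not even a valid here-string); the body must carry the column list the transform produces — `TimeGenerated` as datetime plus `RequestId` through `RoutingStatus` and `FilePath` as strings — in the same JSON shape the Message Tracking connector spells out. The DCR transform in step 7 uses `split(RawData,',')` with fixed indexes, but HttpProxy logs are quoted CSV and `UserAgent` (d[16]), `UrlQuery` (d[65]), `GenericInfo` and `GenericErrors` contain commas in ordinary traffic; because `UserAgent` is chosen by the HTTP client, any request whose User-Agent contains a comma shifts `ClientIpAddress`, `HttpStatus`, `Method` and everything after, which lets an attacker scramble the very columns Exchange web-shell and proxy-abuse detections filter on. Use `source | extend d = parse_csv(RawData) | extend DateTime=todatetime(d[0]), ...` with the same indexes. The transform also ends with `| project-away d,RawData,DateTime | project-away d,RawData,DateTime`; the second copy is redundant and, if the DCR validator resolves column names strictly, rejects the rule, so keep one. Header lines starting with `#` in each log file should be dropped with `| where RawData !startswith "#"` unless the agent already strips them.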
@@ -186,18 +172,6 @@
 "type": "InstructionStepsGroup"
 }
 ]
- },
- {
- "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used",
- "description": "**Configure the logs to be collected**\n\n1. Under workspace **Settings** part, select **Tables**, click **+ Create** and click on **New custom log (MMA-Based)**.\n2. Select Sample file **[MessageTracking Sample](https://aka.ms/Sentinel-Sample-ESI-HttpProxySampleCSV)** and click Next\n3. Select type **Windows** and enter all the following paths **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Autodiscover\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Eas\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ecp\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ews\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Mapi\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Oab\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Owa\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\OwaCalendar\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\PowerShell\\*.log** and **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\RpcHttp\\*.log** . Click Next.\n4. Enter **ExchangeHttpProxy** as Table name and click Next.\n5. Click **Save**.",
- "instructions": [
- {
- "parameters": {
- "linkType": "OpenSyslogSettings"
- },
- "type": "InstallAgent"
- }
- ]
 }
 ]
 },
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking-TableOnly.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking-TableOnly.json
new file mode 100644
index 00000000000..da00c86f02b
--- /dev/null
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking-TableOnly.json
@@ -0,0 +1,160 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspacename": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "The log analitycs workspace name" + } + }, + "customtablename": { + "type": "string", + "defaultValue": "MessageTrackingLog_CL", + "minLength": 1, + "metadata": { + "description": "The name of the Custom Table to create. By default uses 'MessageTrackingLog_CL', but you can change it to any other name but do it carefully and with full knowledge of the facts ." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2021-12-01-preview", + "name": "[concat(parameters('workspacename'), '/', parameters('customtablename'))]", + "properties": { + "plan": "Analytics", + "schema": { + "name": "[parameters('customtablename')]", + "columns": [ + { + "name": "directionality", + "type": "string" + }, + { + "name": "reference", + "type": "string" + }, + { + "name": "source", + "type": "string" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "clientHostname", + "type": "string" + }, + { + "name": "clientIP", + "type": "string" + }, + { + "name": "connectorId", + "type": "string" + }, + { + "name": "customData", + "type": "string" + }, + { + "name": "eventId", + "type": "string" + }, + { + "name": "internalMessageId", + "type": "string" + }, + { + "name": "logId", + "type": "string" + }, + { + "name": "messageId", + "type": "string" + }, + { + "name": "messageInfo", + "type": "string" + }, + { + "name": "messageSubject", + "type": "string" + }, + { + "name": "networkMessageId", + "type": "string" + }, + { + "name": "originalClientIp", + "type": "string" + }, + { + "name": "originalServerIp", + "type": "string" + }, + { + "name": "recipientAddress", + "type": "string" + }, + { + "name": "recipientCount", + "type": "string" + }, + { + "name": 
"recipientStatus",
+ "type": "string"
+ },
+ {
+ "name": "relatedRecipientAddress",
+ "type": "string"
+ },
+ {
+ "name": "returnPath",
+ "type": "string"
+ },
+ {
+ "name": "senderAddress",
+ "type": "string"
+ },
+ {
+ "name": "senderHostname",
+ "type": "string"
+ },
+ {
+ "name": "serverIp",
+ "type": "string"
+ },
+ {
+ "name": "sourceContext",
+ "type": "string"
+ },
+ {
+ "name": "schemaVersion",
+ "type": "string"
+ },
+ {
+ "name": "messageTrackingTenantId",
+ "type": "string"
+ },
+ {
+ "name": "totalBytes",
+ "type": "string"
+ },
+ {
+ "name": "transportTrafficType",
+ "type": "string"
+ },
+ {
+ "name": "FilePath",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking.json
index 9404db100a3..f61e15bb767 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking.json
@@ -49,7 +49,6 @@
 "apiVersion": "2021-12-01-preview",
 "name": "[concat(parameters('workspacename'), '/MessageTrackingLog_CL')]",
 "properties": {
- "totalRetentionInDays": 90,
 "plan": "Analytics",
 "schema": {
 "name": "MessageTrackingLog_CL",
@@ -173,10 +172,13 @@
 {
 "name": "transportTrafficType",
 "type": "string"
+ },
+ {
+ "name": "FilePath",
+ "type": "string"
 }
 ]
- },
- "retentionInDays": 90
+ }
 }
 },
 {
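Review bot: The `customtablename` parameter invites renaming the table, but the companion Option 6 DCR template in this same commit still streams to the hard-coded `Custom-MessageTrackingLog_CL` declaration and `outputStream`, so any other value yields an empty table and message-tracking ingestion silently stops; custom tables also have to keep the `_CL` suffix, which nothing here enforces. I would either drop the parameter or state the coupling in its metadata, e.g. `"description": "Name of the custom table to create; must end with _CL. The default 'MessageTrackingLog_CL' is the name the Option 6 DCR template writes to, so change both together."`, and fix `analitycs` in the workspace-name description. The new Option 7 HTTP Proxy table template has the same parameter, the same coupling with `Custom-ExchangeHttpProxy_CL`, and the same typo.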
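Review bot: The 90-day retention pin on `MessageTrackingLog_CL` (`totalRetentionInDays` and `retentionInDays`) is removed from the template without being mentioned anywhere, so the table now follows whatever the workspace default is; for a table the security workbooks use to review mail flow that is a behavioural change operators should be told about, and neither the 3.3.0 release-notes entry nor the template metadata says so. If the intent is to let operators choose, expose it as a parameter, e.g. `"retentionInDays": "[parameters('retentionInDays')]"` with a default of 90; if the intent is the workspace default, state that in the changelog. The same removal appears in the Option 7 HTTP Proxy DCR template.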
@@ -194,123 +196,15 @@ "Custom-MessageTrackingLog_CL": { "columns": [ { - "name": "date-time", + "name": "TimeGenerated", "type": "datetime" }, { - "name": "client-ip", - "type": "string" - }, - { - "name": "client-hostname", - "type": "string" - }, - { - "name": "server-ip", - "type": "string" - }, - { - "name": "server-hostname", - "type": "string" - }, - { - "name": "source-context", - "type": "string" - }, - { - "name": "connector-id", - "type": "string" - }, - { - "name": "source", - "type": "string" - }, - { - "name": "event-id", - "type": "string" - }, - { - "name": "internal-message-id", - "type": "string" - }, - { - "name": "message-id", - "type": "string" - }, - { - "name": "network-message-id", - "type": "string" - }, - { - "name": "recipient-address", - "type": "string" - }, - { - "name": "recipient-status", - "type": "string" - }, - { - "name": "total-bytes", - "type": "string" - }, - { - "name": "recipient-count", - "type": "string" - }, - { - "name": "related-recipient-address", - "type": "string" - }, - { - "name": "reference", - "type": "string" - }, - { - "name": "message-subject", - "type": "string" - }, - { - "name": "sender-address", - "type": "string" - }, - { - "name": "return-path", - "type": "string" - }, - { - "name": "message-info", - "type": "string" - }, - { - "name": "directionality", - "type": "string" - }, - { - "name": "tenant-id", - "type": "string" - }, - { - "name": "original-client-ip", - "type": "string" - }, - { - "name": "original-server-ip", - "type": "string" - }, - { - "name": "custom-data", - "type": "string" - }, - { - "name": "transport-traffic-type", - "type": "string" - }, - { - "name": "log-id", + "name": "RawData", "type": "string" }, { - "name": "schema-version", + "name": "FilePath", "type": "string" } ] 
@@ -351,7 +245,7 @@
 "destinations": [
 "la-data-destination"
 ],
- "transformKql": "source\n| extend TimeGenerated = todatetime(['date-time'])\n| extend\n clientHostname = ['client-hostname'],\n clientIP = ['client-ip'],\n connectorId = ['connector-id'],\n customData = ['custom-data'],\n eventId = ['event-id'],\n internalMessageId = ['internal-message-id'],\n logId = ['log-id'],\n messageId = ['message-id'],\n messageInfo = ['message-info'],\n messageSubject = ['message-subject'],\n networkMessageId = ['network-message-id'],\n originalClientIp = ['original-client-ip'],\n originalServerIp = ['original-server-ip'],\n recipientAddress= ['recipient-address'],\n recipientCount= ['recipient-count'],\n recipientStatus= ['recipient-status'],\n relatedRecipientAddress= ['related-recipient-address'],\n returnPath= ['return-path'],\n senderAddress= ['sender-address'],\n senderHostname= ['server-hostname'],\n serverIp= ['server-ip'],\n sourceContext= ['source-context'],\n schemaVersion=['schema-version'],\n messageTrackingTenantId = ['tenant-id'],\n totalBytes = ['total-bytes'],\n transportTrafficType = ['transport-traffic-type']\n| project-away\n ['client-ip'],\n ['client-hostname'],\n ['connector-id'],\n ['custom-data'],\n ['date-time'],\n ['event-id'],\n ['internal-message-id'],\n ['log-id'],\n ['message-id'],\n ['message-info'],\n ['message-subject'],\n ['network-message-id'],\n ['original-client-ip'],\n ['original-server-ip'],\n ['recipient-address'],\n ['recipient-count'],\n ['recipient-status'],\n ['related-recipient-address'],\n ['return-path'],\n ['sender-address'],\n ['server-hostname'],\n ['server-ip'],\n ['source-context'],\n ['schema-version'],\n ['tenant-id'],\n ['total-bytes'],\n ['transport-traffic-type']\n\n",
+ "transformKql": "source\n| extend d = split(RawData,',') | extend TimeGenerated =todatetime(d[0]) ,clientIP =tostring(d[1]) ,clientHostname =tostring(d[2]) ,serverIp=tostring(d[3]) ,senderHostname=tostring(d[4]) ,sourceContext=tostring(d[5]) ,connectorId 
=tostring(d[6]) ,source=tostring(d[7]) ,eventId =tostring(d[8]) ,internalMessageId =tostring(d[9]) ,messageId =tostring(d[10]) ,networkMessageId =tostring(d[11]) ,recipientAddress=tostring(d[12]) ,recipientStatus=tostring(d[13]) ,totalBytes=tostring(d[14]) ,recipientCount=tostring(d[15]) ,relatedRecipientAddress=tostring(d[16]) ,reference=tostring(d[17]) ,messageSubject =tostring(d[18]) ,senderAddress=tostring(d[19]) ,returnPath=tostring(d[20]) ,messageInfo =tostring(d[21]) ,directionality=tostring(d[22]) ,messageTrackingTenantId =tostring(d[23]) ,originalClientIp =tostring(d[24]) ,originalServerIp =tostring(d[25]) ,customData=tostring(d[26]) ,transportTrafficType =tostring(d[27]) ,logId =tostring(d[28]) ,schemaVersion=tostring(d[29]) | project-away d,RawData",
 "outputStream": "Custom-MessageTrackingLog_CL"
 }
 ]
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy-Table.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy-Table.json
new file mode 100644
index 00000000000..87a869d2ed2
--- /dev/null
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy-Table.json
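Review bot: `split(RawData,',')` is a plain comma split, so any CSV-quoted field that itself contains a comma — a message subject is the obvious case — shifts every later column, and `senderAddress`, `recipientAddress` and `clientIP` end up populated from the wrong field, which corrupts exactly the columns detections key on; KQL's `parse_csv()` honours the quoting, so `| extend d = parse_csv(RawData)` is the safer one-line change. If the agent forwards the log's header lines (those starting with `#`), they pass through as well and produce rows whose `todatetime(d[0])` is null; a `| where RawData !startswith "#"` before the split avoids that. The removed stream declaration shows the fifth field is `server-hostname`, yet the new transform keeps storing it as `senderHostname`, which is misleading for anyone writing rules on that column. The Option 7 HTTP Proxy transform in this commit has the same comma-split and header-line issues.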
@@ -0,0 +1,336 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspacename": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "The log analitycs workspace name" + } + }, + "customtablename": { + "type": "string", + "defaultValue": "ExchangeHttpProxy_CL", + "minLength": 1, + "metadata": { + "description": "The name of the Custom Table to create. By default uses 'ExchangeHttpProxy_CL', but you can change it to any other name but do it carefully and with full knowledge of the facts ." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2021-12-01-preview", + "name": "[concat(parameters('workspacename'), '/', parameters('customtablename'))]", + "properties": { + "plan": "Analytics", + "schema": { + "name": "[parameters('customtablename')]", + "columns": [ + { + "name": "AccountForestLatencyBreakup", + "type": "string" + }, + { + "name": "ActivityContextLifeTime", + "type": "string" + }, + { + "name": "ADLatency", + "type": "string" + }, + { + "name": "AnchorMailbox", + "type": "string" + }, + { + "name": "AuthenticatedUser", + "type": "string" + }, + { + "name": "AuthenticationType", + "type": "string" + }, + { + "name": "AuthModulePerfContext", + "type": "string" + }, + { + "name": "BackEndCookie", + "type": "string" + }, + { + "name": "BackEndGenericInfo", + "type": "string" + }, + { + "name": "BackendProcessingLatency", + "type": "string" + }, + { + "name": "BackendReqInitLatency", + "type": "string" + }, + { + "name": "BackendReqStreamLatency", + "type": "string" + }, + { + "name": "BackendRespInitLatency", + "type": "string" + }, + { + "name": "BackendRespStreamLatency", + "type": "string" + }, + { + "name": "BackEndStatus", + "type": "string" + }, + { + "name": "BuildVersion", + "type": "string" + }, + { + "name": "CalculateTargetBackEndLatency", + "type": "string" + }, + { 
+ "name": "ClientIpAddress", + "type": "string" + }, + { + "name": "ClientReqStreamLatency", + "type": "string" + }, + { + "name": "ClientRequestId", + "type": "string" + }, + { + "name": "ClientRespStreamLatency", + "type": "string" + }, + { + "name": "CoreLatency", + "type": "string" + }, + { + "name": "DatabaseGuid", + "type": "string" + }, + { + "name": "EdgeTraceId", + "type": "string" + }, + { + "name": "ErrorCode", + "type": "string" + }, + { + "name": "GenericErrors", + "type": "string" + }, + { + "name": "GenericInfo", + "type": "string" + }, + { + "name": "GlsLatencyBreakup", + "type": "string" + }, + { + "name": "HandlerCompletionLatency", + "type": "string" + }, + { + "name": "HandlerToModuleSwitchingLatency", + "type": "string" + }, + { + "name": "HttpPipelineLatency", + "type": "string" + }, + { + "name": "HttpProxyOverhead", + "type": "string" + }, + { + "name": "HttpStatus", + "type": "string" + }, + { + "name": "IsAuthenticated", + "type": "string" + }, + { + "name": "KerberosAuthHeaderLatency", + "type": "string" + }, + { + "name": "MajorVersion", + "type": "string" + }, + { + "name": "Method", + "type": "string" + }, + { + "name": "MinorVersion", + "type": "string" + }, + { + "name": "ModuleToHandlerSwitchingLatency", + "type": "string" + }, + { + "name": "Organization", + "type": "string" + }, + { + "name": "PartitionEndpointLookupLatency", + "type": "string" + }, + { + "name": "Protocol", + "type": "string" + }, + { + "name": "ProtocolAction", + "type": "string" + }, + { + "name": "ProxyAction", + "type": "string" + }, + { + "name": "ProxyTime", + "type": "string" + }, + { + "name": "RequestBytes", + "type": "string" + }, + { + "name": "RequestHandlerLatency", + "type": "string" + }, + { + "name": "RequestId", + "type": "string" + }, + { + "name": "ResourceForestLatencyBreakup", + "type": "string" + }, + { + "name": "ResponseBytes", + "type": "string" + }, + { + "name": "RevisionVersion", + "type": "string" + }, + { + "name": 
"RouteRefresherLatency", + "type": "string" + }, + { + "name": "RoutingHint", + "type": "string" + }, + { + "name": "RoutingLatency", + "type": "string" + }, + { + "name": "RoutingStatus", + "type": "string" + }, + { + "name": "RoutingType", + "type": "string" + }, + { + "name": "ServerHostName", + "type": "string" + }, + { + "name": "ServerLocatorHost", + "type": "string" + }, + { + "name": "ServerLocatorLatency", + "type": "string" + }, + { + "name": "SharedCacheLatencyBreakup", + "type": "string" + }, + { + "name": "TargetOutstandingRequests", + "type": "string" + }, + { + "name": "TargetServer", + "type": "string" + }, + { + "name": "TargetServerVersion", + "type": "string" + }, + { + "name": "TotalAccountForestLatency", + "type": "string" + }, + { + "name": "TotalGlsLatency", + "type": "string" + }, + { + "name": "TotalRequestTime", + "type": "string" + }, + { + "name": "TotalResourceForestLatency", + "type": "string" + }, + { + "name": "TotalSharedCacheLatency", + "type": "string" + }, + { + "name": "UrlHost", + "type": "string" + }, + { + "name": "UrlQuery", + "type": "string" + }, + { + "name": "UrlStem", + "type": "string" + }, + { + "name": "UserADObjectGuid", + "type": "string" + }, + { + "name": "UserAgent", + "type": "string" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "FilePath", + "type": "string" + } + ] + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy.json index 737dee3b406..72c0dfbc830 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy.json 
@@ -49,7 +49,6 @@
 "apiVersion": "2021-12-01-preview",
 "name": "[concat(parameters('workspacename'), '/ExchangeHttpProxy_CL')]",
 "properties": {
- "totalRetentionInDays": 90,
 "plan": "Analytics",
 "schema": {
 "name": "ExchangeHttpProxy_CL",
@@ -349,10 +348,13 @@
 {
 "name": "TimeGenerated",
 "type": "datetime"
+ },
+ {
+ "name": "FilePath",
+ "type": "string"
 }
 ]
- },
- "retentionInDays": 90
+ }
 }
 },
 {
@@ -374,299 +376,11 @@ "type": "datetime" }, { - "name": "DateTime", - "type": "string" - }, - { - "name": "RequestId", - "type": "string" - }, - { - "name": "MajorVersion", - "type": "string" - }, - { - "name": "MinorVersion", - "type": "string" - }, - { - "name": "BuildVersion", - "type": "string" - }, - { - "name": "RevisionVersion", - "type": "string" - }, - { - "name": "ClientRequestId", - "type": "string" - }, - { - "name": "Protocol", - "type": "string" - }, - { - "name": "UrlHost", - "type": "string" - }, - { - "name": "UrlStem", - "type": "string" - }, - { - "name": "ProtocolAction", - "type": "string" - }, - { - "name": "AuthenticationType", - "type": "string" - }, - { - "name": "IsAuthenticated", - "type": "string" - }, - { - "name": "AuthenticatedUser", - "type": "string" - }, - { - "name": "Organization", - "type": "string" - }, - { - "name": "AnchorMailbox", - "type": "string" - }, - { - "name": "UserAgent", - "type": "string" - }, - { - "name": "ClientIpAddress", - "type": "string" - }, - { - "name": "ServerHostName", - "type": "string" - }, - { - "name": "HttpStatus", - "type": "string" - }, - { - "name": "BackEndStatus", - "type": "string" - }, - { - "name": "ErrorCode", - "type": "string" - }, - { - "name": "Method", - "type": "string" - }, - { - "name": "ProxyAction", - "type": "string" - }, - { - "name": "TargetServer", - "type": "string" - }, - { - "name": "TargetServerVersion", - "type": "string" - }, - { - "name": "RoutingType", - "type": "string" - }, - { - "name": "RoutingHint", - "type": "string" - }, - { - "name": "BackEndCookie", - "type": "string" - }, - { - "name": "ServerLocatorHost", - "type": "string" - }, - { - "name": "ServerLocatorLatency", - "type": "string" - }, - { - "name": "RequestBytes", - "type": "string" - }, - { - "name": "ResponseBytes", - "type": "string" - }, - { - "name": "TargetOutstandingRequests", - "type": "string" - }, - { - "name": "AuthModulePerfContext", - "type": "string" - }, - { - "name": 
"HttpPipelineLatency", - "type": "string" - }, - { - "name": "CalculateTargetBackEndLatency", - "type": "string" - }, - { - "name": "GlsLatencyBreakup", - "type": "string" - }, - { - "name": "TotalGlsLatency", - "type": "string" - }, - { - "name": "AccountForestLatencyBreakup", - "type": "string" - }, - { - "name": "TotalAccountForestLatency", - "type": "string" - }, - { - "name": "ResourceForestLatencyBreakup", - "type": "string" - }, - { - "name": "TotalResourceForestLatency", - "type": "string" - }, - { - "name": "ADLatency", - "type": "string" - }, - { - "name": "SharedCacheLatencyBreakup", - "type": "string" - }, - { - "name": "TotalSharedCacheLatency", - "type": "string" - }, - { - "name": "ActivityContextLifeTime", - "type": "string" - }, - { - "name": "ModuleToHandlerSwitchingLatency", - "type": "string" - }, - { - "name": "ClientReqStreamLatency", - "type": "string" - }, - { - "name": "BackendReqInitLatency", - "type": "string" - }, - { - "name": "BackendReqStreamLatency", - "type": "string" - }, - { - "name": "BackendProcessingLatency", - "type": "string" - }, - { - "name": "BackendRespInitLatency", - "type": "string" - }, - { - "name": "BackendRespStreamLatency", - "type": "string" - }, - { - "name": "ClientRespStreamLatency", - "type": "string" - }, - { - "name": "KerberosAuthHeaderLatency", - "type": "string" - }, - { - "name": "HandlerCompletionLatency", - "type": "string" - }, - { - "name": "RequestHandlerLatency", - "type": "string" - }, - { - "name": "HandlerToModuleSwitchingLatency", - "type": "string" - }, - { - "name": "ProxyTime", - "type": "string" - }, - { - "name": "CoreLatency", - "type": "string" - }, - { - "name": "RoutingLatency", - "type": "string" - }, - { - "name": "HttpProxyOverhead", - "type": "string" - }, - { - "name": "TotalRequestTime", - "type": "string" - }, - { - "name": "RouteRefresherLatency", - "type": "string" - }, - { - "name": "UrlQuery", - "type": "string" - }, - { - "name": "BackEndGenericInfo", - "type": "string" - 
}, - { - "name": "GenericInfo", - "type": "string" - }, - { - "name": "GenericErrors", - "type": "string" - }, - { - "name": "EdgeTraceId", - "type": "string" - }, - { - "name": "DatabaseGuid", - "type": "string" - }, - { - "name": "UserADObjectGuid", - "type": "string" - }, - { - "name": "PartitionEndpointLookupLatency", + "name": "RawData", "type": "string" }, { - "name": "RoutingStatus", + "name": "FilePath", "type": "string" } ] 
@@ -716,7 +430,7 @@
 "destinations": [
 "la-data-destination"
 ],
- "transformKql": "source\n| extend TimeGenerated = todatetime(DateTime)\n| project-away DateTime\n\n",
+ "transformKql": "source | extend d = split(RawData,',') | extend DateTime=todatetime(d[0]),RequestId=tostring(d[1]) ,MajorVersion=tostring(d[2]) ,MinorVersion=tostring(d[3]) ,BuildVersion=tostring(d[4]) ,RevisionVersion=tostring(d[5]) ,ClientRequestId=tostring(d[6]) ,Protocol=tostring(d[7]) ,UrlHost=tostring(d[8]) ,UrlStem=tostring(d[9]) ,ProtocolAction=tostring(d[10]) ,AuthenticationType=tostring(d[11]) ,IsAuthenticated=tostring(d[12]) ,AuthenticatedUser=tostring(d[13]) ,Organization=tostring(d[14]) ,AnchorMailbox=tostring(d[15]) ,UserAgent=tostring(d[16]) ,ClientIpAddress=tostring(d[17]) ,ServerHostName=tostring(d[18]) ,HttpStatus=tostring(d[19]) ,BackEndStatus=tostring(d[20]) ,ErrorCode=tostring(d[21]) ,Method=tostring(d[22]) ,ProxyAction=tostring(d[23]) ,TargetServer=tostring(d[24]) ,TargetServerVersion=tostring(d[25]) ,RoutingType=tostring(d[26]) ,RoutingHint=tostring(d[27]) ,BackEndCookie=tostring(d[28]) ,ServerLocatorHost=tostring(d[29]) ,ServerLocatorLatency=tostring(d[30]) ,RequestBytes=tostring(d[31]) ,ResponseBytes=tostring(d[32]) ,TargetOutstandingRequests=tostring(d[33]) ,AuthModulePerfContext=tostring(d[34]) ,HttpPipelineLatency=tostring(d[35]) ,CalculateTargetBackEndLatency=tostring(d[36]) ,GlsLatencyBreakup=tostring(d[37]) ,TotalGlsLatency=tostring(d[38]) ,AccountForestLatencyBreakup=tostring(d[39]) ,TotalAccountForestLatency=tostring(d[40]) ,ResourceForestLatencyBreakup=tostring(d[41]) ,TotalResourceForestLatency=tostring(d[42]) ,ADLatency=tostring(d[43]) ,SharedCacheLatencyBreakup=tostring(d[44]) ,TotalSharedCacheLatency=tostring(d[45]) ,ActivityContextLifeTime=tostring(d[46]) ,ModuleToHandlerSwitchingLatency=tostring(d[47]) ,ClientReqStreamLatency=tostring(d[48]) ,BackendReqInitLatency=tostring(d[49]) ,BackendReqStreamLatency=tostring(d[50]) 
,BackendProcessingLatency=tostring(d[51]) ,BackendRespInitLatency=tostring(d[52]) ,BackendRespStreamLatency=tostring(d[53]) ,ClientRespStreamLatency=tostring(d[54]) ,KerberosAuthHeaderLatency=tostring(d[55]) ,HandlerCompletionLatency=tostring(d[56]) ,RequestHandlerLatency=tostring(d[57]) ,HandlerToModuleSwitchingLatency=tostring(d[58]) ,ProxyTime=tostring(d[59]) ,CoreLatency=tostring(d[60]) ,RoutingLatency=tostring(d[61]) ,HttpProxyOverhead=tostring(d[62]) ,TotalRequestTime=tostring(d[63]) ,RouteRefresherLatency=tostring(d[64]) ,UrlQuery=tostring(d[65]) ,BackEndGenericInfo=tostring(d[66]) ,GenericInfo=tostring(d[67]) ,GenericErrors=tostring(d[68]) ,EdgeTraceId=tostring(d[69]) ,DatabaseGuid=tostring(d[70]) ,UserADObjectGuid=tostring(d[71]) ,PartitionEndpointLookupLatency=tostring(d[72]) ,RoutingStatus=tostring(d[73]) | extend TimeGenerated = DateTime | project-away d,RawData,DateTime | project-away d,RawData,DateTime",
 "outputStream": "Custom-ExchangeHttpProxy_CL"
 }
 ]
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md b/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md
index 0d119efe276..7485d9e61de 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.3.0 | 26-08-2024 | Add Compare in Exchange Security Review |
 | 3.2.0 | 09-04-2024 | Explode "ExchangeAdminAuditLogEvents" dataconnector to multiple simplier dataconnectors |
 | 3.1.5 | 26-04-2024 | Repackaged for fix on parser in maintemplate to have old parsername and parentid |
 | 3.1.4 | 18-04-2024 | Repackaged for parser issue while redeployment |
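Review bot: `| project-away d,RawData,DateTime` is written twice at the end of the new transform; the second occurrence is at best redundant, and the same doubled text has been copied into the connector's step-by-step instructions earlier in this patch, so anyone following the guide will paste it too. Assigning the timestamp directly, as the Option 6 transform does, removes the intermediate `DateTime` column and both trailing steps: start the projection with `| extend TimeGenerated=todatetime(d[0]),RequestId=tostring(d[1]) …` and finish with a single `| project-away d,RawData`. I have not verified whether `project-away` on an already-removed column is an error or a no-op in the DCR transformation engine, so I would not leave it to chance.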
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Workbooks/Microsoft Exchange Security Review.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Workbooks/Microsoft Exchange Security Review.json
index 50428e48bc4..dcaf64a088d 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Workbooks/Microsoft Exchange Security Review.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Workbooks/Microsoft Exchange Security Review.json
@@ -26,6 +26,7 @@
 "query": "ExchangeEnvironmentList(Target=\"On-Premises\") | where ESIEnvironment != \"\"",
 "typeSettings": {
 "limitSelectTo": 1,
+ "additionalResourceOptions": [],
 "showDefault": false
 },
 "queryType": 0,
@@ -40,6 +41,36 @@ "isRequired": true, "query": "let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \"all\",\"All\",tostring({EnvironmentList})),',');\r\nESIExchangeConfig_CL\r\n| extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n| where ScopedEnvironment in (_configurationEnv)\r\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n| summarize Collection = max(Collection)\r\n| project Collection = \"lastdate\", Selected = true\r\n| join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n | where ScopedEnvironment in (_configurationEnv)\r\n | where TimeGenerated > ago(90d)\r\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n | summarize by Collection \r\n | join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n | where ScopedEnvironment in (_configurationEnv)\r\n | where TimeGenerated > ago(90d)\r\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\r\n | summarize by PreciseCollection, Collection \r\n | join kind=leftouter (\r\n ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n | where ScopedEnvironment in (_configurationEnv)\r\n | where TimeGenerated > ago(90d)\r\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\r\n | summarize by PreciseCollection, Collection \r\n | summarize count() by Collection\r\n ) on Collection\r\n ) on Collection\r\n) on Collection\r\n| project Value = 
iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\"Last Known date\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\r\n| sort by Selected, Value desc", "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "cfc36178-c5d7-4f69-87f5-b887e722f968", + "version": "KqlParameterItem/1.0", + "name": "Compare_Collect", + "label": "CompareCollect", + "type": 10, + "description": "If this sesstion is checked, two collection will be compared", + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n { \"value\": \"True\", \"label\": \"Yes\" },\r\n { \"value\": \"True,False\", \"label\": \"No\", \"selected\":true }\r\n]" + }, + { + "id": "3ce4bf51-fca3-4aa6-a67c-69be846dd706", + "version": "KqlParameterItem/1.0", + "name": "DateCompare", + "type": 2, + "description": "This date must be older than the date configured in the Date of configuration", + "isRequired": true, + "query": "let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \"all\",\"All\",tostring({EnvironmentList})),',');\r\nESIExchangeConfig_CL\r\n| extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n| where ScopedEnvironment in (_configurationEnv)\r\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n| summarize Collection = max(Collection)\r\n| project Collection = \"lastdate\", Selected = true\r\n| join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n | where ScopedEnvironment in (_configurationEnv)\r\n | where TimeGenerated > ago(90d)\r\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n | summarize by 
Collection \r\n | join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n | where ScopedEnvironment in (_configurationEnv)\r\n | where TimeGenerated > ago(90d)\r\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\r\n | summarize by PreciseCollection, Collection \r\n | join kind=leftouter (\r\n ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n | where ScopedEnvironment in (_configurationEnv)\r\n | where TimeGenerated > ago(90d)\r\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\r\n | summarize by PreciseCollection, Collection \r\n | summarize count() by Collection\r\n ) on Collection\r\n ) on Collection\r\n) on Collection\r\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\"Last Known date\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\r\n| sort by Selected, Value desc", + "typeSettings": { + "additionalResourceOptions": [], "showDefault": false }, "queryType": 0, @@ -52,7 +83,7 @@ "label": "Show Help", "type": 10, "isRequired": true, - "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\\r\\n\"}", + "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\\r\\n\"}\r\n", "timeContext": { "durationMs": 2592000000 }, 
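Review bot: The `DateCompare` parameter's `query` is a verbatim copy of the configuration-date parameter's query just above it, so the dropdown offers every collection date, including the currently selected one and newer ones, while its description says the date "must be older"; nothing enforces that ordering, and the compare tables will presumably be empty or inverted when a later date is chosen. If the configuration-date parameter can be referenced here, appending `| where Value < todatetime({<configuration-date parameter name>})` to the query would restrict the list — that parameter's `name` is outside this hunk, so I cannot quote it. The `Compare_Collect` options use `"value": "True"` for Yes and `"value": "True,False"` for No, which only works if every consumer splits the value into a list; stating that convention in the parameter's description would help, and the description itself needs `If this option is checked, two collections will be compared` in place of `sesstion` / `two collection`.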
@@ -68,7 +99,7 @@ { "type": 1, "content": { - "json": "This workbook helps review your Exchange Security configuration.\r\nSelect your Exchange Organization and adjust the time range.\r\nBy default, the Help won't be displayed. To display the help, choose Yes on the toogle buttom \"Show Help\"", + "json": "This workbook helps review your Exchange Security configuration.\r\nSelect your Exchange Organization and adjust the time range.\r\n**By default, the Help won't be displayed. To display the help, choose Yes on the toogle buttom \"Show Help\"**\r\n\r\nTo compare collects, choose **Yes on the toogle buttom Compare Collect ** and choose the initial date.\r\nDepending on the section, a new table will be displayed with **all** the modifications (Add, Remove, Modifications) beetween the two dates.\r\nFor some sections, you'll see Add+Remove. This means that an account has been added and then removed during the choosen time range.\r\n\r\n**Important notes** : Some information are limited are may be not 100% accurate :\r\n - Date\r\n - When a fied is modified several times in the range, only first and last values will be displayed\r\n - **Remove Time is displayed the date of the last collect and not the exact remove time**\r\n - ... \r\n\r\nThis is due to some restrictions in the collect. The goal of the comparaison is to give you a global overview of the modifications between two collects.\r\nFor more details information, please check the workbook **\"Microsoft Exchange Search AdminAuditLog\"**\r\n.\r\n\r\nThe compare functionnality may not be available for all sections in this workbook.\r\n", "style": "info" }, "name": "text - 9" @@ -161,7 +192,7 @@ "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Security Configuration for the Exchange environment", + "title": "Security Configuration for the Exchange Environment", "items": [ { "type": 1, 
@@ -173,7 +204,7 @@ { "type": 1, "content": { - "json": "This section display the Exchange version and the CU installed.\r\n\r\nFor the latest build number, check this link : Exchange Build Numbers\r\n\r\nThis section is built from a file located in the public github repository.\r\nThe repository is manually updated by the team project when new CU/SU are released.\r\n", + "json": "This section displays the Exchange version and the CU installed.\r\n\r\nFor the latest build number, check this link : Exchange Build Numbers\r\n\r\nThis section is built from a file located in the public GitHub repository.\r\nThe repository is manually updated by the team project when new CU/SU are released. ((Delay may happen between the release of a new CU/SU and the update of the file))\r\n", "style": "info" }, "conditionalVisibility": { 
@@ -187,7 +218,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExchBuildNumber.csv\"]with(format=\"csv\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\r\n//ExchangeConfiguration(SpecificSectionList=\"ExchangeServers\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\".\",CmdletResultValue.AdminDisplayVersion.Minor,\".\",CmdletResultValue.AdminDisplayVersion.Build)\r\nExchangeConfiguration(SpecificSectionList=\"ExchVersion\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\r\n| extend Server = tostring(ProcessedByServer_s)\r\n| extend CmdletResultType = tostring(CmdletResultType)\r\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\r\n| distinct Server,VersionNumber,Productname,CU,SU,CmdletResultType\r\n| extend Server = strcat(\"💻 \",Server)\r\n| extend Productname = case ( VersionNumber startswith \"15.02\", \"Exchange 2019\", VersionNumber startswith \"15.01\", \"Exchange 2016\", VersionNumber startswith \"15.00\",\"Exchange 2013\", \"Exchange 2010\")\r\n| extend CU = iff(CmdletResultType <>\"Success\", \"Unable to retrieve information from server\", iff(CU <> \"\", CU, \"New CU or SU not yet in the List\"))\r\n| extend SU = iff(CmdletResultType <>\"Success\", \"Unable to retrieve information from server\", iff( SU <> \"\", SU, \"New CU or SU not yet in the List\"))\r\n|project-away CmdletResultType\r\n| sort by Server 
asc\r\n", + "query": "let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\"https://aka.ms/ExchBuildNumber\"]with(format=\"csv\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\r\n//ExchangeConfiguration(SpecificSectionList=\"ExchangeServers\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\".\",CmdletResultValue.AdminDisplayVersion.Minor,\".\",CmdletResultValue.AdminDisplayVersion.Build)\r\nExchangeConfiguration(SpecificSectionList=\"ExchVersion\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\r\n| extend Server = tostring(ProcessedByServer_s)\r\n| extend CmdletResultType = tostring(CmdletResultType)\r\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\r\n| distinct Server,VersionNumber,Productname,CU,SU,CmdletResultType\r\n| extend Server = strcat(\"💻 \",Server)\r\n| extend Productname = case ( VersionNumber startswith \"15.02\", \"Exchange 2019\", VersionNumber startswith \"15.01\", \"Exchange 2016\", VersionNumber startswith \"15.00\",\"Exchange 2013\", \"Exchange 2010\")\r\n| extend CU = iff(CmdletResultType <>\"Success\", \"Unable to retrieve information from server\", iff(CU <> \"\", CU, \"New CU or SU not yet in the List\"))\r\n| extend SU = iff(CmdletResultType <>\"Success\", \"Unable to retrieve information from server\", iff( SU <> \"\", SU, \"New CU or SU not yet in the List\"))\r\n|project-away CmdletResultType\r\n| sort by Server asc\r\n", "size": 1, "showAnalytics": true, "title": "Exchange servers CU-SU level", 
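Review bot: The build-number CSV is now fetched through a short-link redirector, `h"https://aka.ms/ExchBuildNumber"`, instead of the fixed raw path in the ESI-PublicContent repository; the same switch is made in the `@@ -209` hunk and, for the CmdletWatchlist, in the `@@ -252` hunk and the new query of the `@@ -287` hunk. Whatever is behind that redirect at query time decides what the workbook reports as CU/SU level and which excluded cmdlets count as sensitive, so the redirect target can be re-pointed without any change in this repository and the query has no version or integrity check on the data it trusts. It is also worth confirming that `externaldata` follows the HTTP redirect the short link issues; if it does not, these panels fail where the previous raw URL worked. At minimum add a KQL comment above each `let`, e.g. `// CSV is maintained in the ESI-PublicContent repo; the aka.ms target is mutable, review before relying on the verdicts below`, so operators can audit what the panel depends on.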
@@ -209,7 +240,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExchBuildNumber.csv\"]with(format=\"csv\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\r\nExchangeConfiguration(SpecificSectionList=\"ExchVersion\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\".\",CmdletResultValue.AdminDisplayVersion.Minor,\".\",CmdletResultValue.AdminDisplayVersion.Build)\r\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\r\n| extend Server = tostring(CmdletResultValue.Server)\r\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\r\n| extend CU = iff( CU <> \"\", CU, \"New CU/SU not yet in the CU List\")\r\n| extend Version =strcat (VersionNumber,\"-\",CU,\"-\",SU)\r\n| summarize dcount(Server) by Version", + "query": "let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\"https://aka.ms/ExchBuildNumber\"]with(format=\"csv\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\r\nExchangeConfiguration(SpecificSectionList=\"ExchVersion\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\".\",CmdletResultValue.AdminDisplayVersion.Minor,\".\",CmdletResultValue.AdminDisplayVersion.Build)\r\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\r\n| 
extend Server = tostring(CmdletResultValue.Server)\r\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\r\n| extend CU = iff( CU <> \"\", CU, \"New CU/SU not yet in the CU List\")\r\n| extend Version =strcat (VersionNumber,\"-\",CU,\"-\",SU)\r\n| summarize dcount(Server) by Version", "size": 0, "showAnalytics": true, "title": "Version break down", @@ -231,7 +262,7 @@ { "type": 1, "content": { - "json": "The Admin Audit log stores all the actions performed on Exchange Servers (except read actions such as Get/Test).\r\n\r\nAdmin Audit Log \r\n\r\nManage Admin Audit Log \r\n\r\n\r\nThis can be used to track \r\n- Unexpected behaviors\r\n- Who did a modification\r\n- Real actions performed by an account (the output could be used with to identify the necessary privileges)\r\n\r\nℹ️ Recommendations\r\n- Ensure that Admin Audit Log is not disabled\r\n- Ensure that critical Cmdlets have not been excluded\r\n- Ensure that AdminAuditLogCmdlets is set to * (list of audited Cmdlets)\r\n- Review the retention configuration for the Admin Audit Log content", + "json": "The Admin Audit log stores all the actions performed on Exchange Servers (except Read actions such as Get/Test).\r\n\r\nAdmin Audit Log \r\n\r\nManage Admin Audit Log \r\n\r\n\r\nThis can be used to track :\r\n- Unexpected behaviors\r\n- Who did a modification\r\n- Real actions performed by an account (the output could be used to identify the necessary privileges) and then reduce the privilege of the account by creating appropriate RBAC delegation\r\n\r\nℹ️ Recommendations\r\n- Ensure that Admin Audit Log is not disabled\r\n- Ensure that critical Cmdlets have not been excluded\r\n- Ensure that AdminAuditLogCmdlets is set to * (list of audited Cmdlets)\r\n- Review the retention configuration for the Admin Audit Log content", "style": "info" }, "conditionalVisibility": { 
@@ -244,7 +275,7 @@ { "type": 1, "content": { - "json": "Here the main settings for the Admin Audit Log. Remember that AdminAudit log need to be enabled and no cmdlet should be excluded. Also check the retention limit." + "json": "Here the main settings for the Admin Audit Log. \r\nRemember that AdminAudit log needs to be enabled and no cmdlet should be excluded. Also check the retention limit." }, "name": "text - 0" }, 
@@ -252,7 +283,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, Parameters:string)[h\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/CmdletWatchlist.csv\"]with(format=\"csv\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\r\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\r\n| project AdminAuditLogExcludedCmdlets);\r\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\r\nExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| extend AdminAuditLogEnabled = iff(CmdletResultValue.AdminAuditLogEnabled == \"FALSE\", \" ❌ Disabled, High Risk\", \"✅ Enabled\")\r\n| extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\r\n| extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit,8)\r\n| extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit,0,indexof(AdminAuditLogAgeLimit, ','))\r\n| extend AdminAuditLogAgeLimit = iff(toint(AdminAuditLogAgeLimit) == 0,strcat(\"❌ No AdminAuditlog recorded \",AdminAuditLogAgeLimit), iff(toint(AdminAuditLogAgeLimit) <=30,strcat(\"⚠️ Value to low except if exported \",AdminAuditLogAgeLimit), strcat(\"✅\",AdminAuditLogAgeLimit)))\r\n| extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\r\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,2)\r\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,0,indexof(AdminAuditLogCmdlets, '\"]') )\r\n| extend 
AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets,'\"',\"\")\r\n| extend Comment_AdminAuditLogCmdlets = iff( AdminAuditLogCmdlets == \"*\",\"✅ Default configuration\",\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\")\r\n| extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\r\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,2)\r\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,0,indexof(AdminAuditLogExcludedCmdlets, ']'))\r\n| extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets,'\"',\"\")\r\n//| extend Cmdlet = replace_string(AdminAuditLogExcludedCmdlets,'\"',\"\")\r\n//| extend AALECSplit = tostring(split(AdminAuditLogExcludedCmdlets,\",\"))\r\n| project-away CmdletResultValue\r\n| extend Comment_AdminAuditLogExcludedCmdlet = case( isnotempty( SentsitivecmdletTrack ),\"❌ Some excluded CmdLets are part of Sensitive Cmdlets\",AdminAuditLogExcludedCmdlets <>\"\",\"⚠️ Some Cmdlets are excluded \",\"✅ No Excluded CmdLet\")", + "query": "let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, Parameters:string)[h\"https://aka.ms/CmdletWatchlist\"]with(format=\"csv\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\r\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\r\n| project AdminAuditLogExcludedCmdlets);\r\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\r\nExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project 
CmdletResultValue\r\n| extend AdminAuditLogEnabled = iff(CmdletResultValue.AdminAuditLogEnabled == \"FALSE\", \" ❌ Disabled, High Risk\", \"✅ Enabled\")\r\n| extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\r\n| extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit,8)\r\n| extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit,0,indexof(AdminAuditLogAgeLimit, ','))\r\n| extend AdminAuditLogAgeLimit = iff(toint(AdminAuditLogAgeLimit) == 0,strcat(\"❌ No AdminAuditlog recorded \",AdminAuditLogAgeLimit), iff(toint(AdminAuditLogAgeLimit) <=30,strcat(\"⚠️ Value to low except if exported \",AdminAuditLogAgeLimit), strcat(\"✅\",AdminAuditLogAgeLimit)))\r\n| extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\r\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,2)\r\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,0,indexof(AdminAuditLogCmdlets, '\"]') )\r\n| extend AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets,'\"',\"\")\r\n| extend Comment_AdminAuditLogCmdlets = iff( AdminAuditLogCmdlets == \"*\",\"✅ Default configuration\",\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\")\r\n| extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\r\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,2)\r\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,0,indexof(AdminAuditLogExcludedCmdlets, ']'))\r\n| extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets,'\"',\"\")\r\n//| extend Cmdlet = replace_string(AdminAuditLogExcludedCmdlets,'\"',\"\")\r\n//| extend AALECSplit = tostring(split(AdminAuditLogExcludedCmdlets,\",\"))\r\n| project-away CmdletResultValue\r\n| extend Comment_AdminAuditLogExcludedCmdlet = case( isnotempty( SentsitivecmdletTrack ),\"❌ Some excluded CmdLets are part of Sensitive 
Cmdlets\",AdminAuditLogExcludedCmdlets <>\"\",\"⚠️ Some Cmdlets are excluded \",\"✅ No Excluded CmdLet\")", "size": 1, "showAnalytics": true, "showExportToExcel": true, 
@@ -287,19 +318,31 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, Parameters:string)[h\"https://aka.ms/CmdletWatchlist\"]with(format=\"csv\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\r\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\r\n| project AdminAuditLogExcludedCmdlets);\r\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\r\nlet _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n | extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\n//let _CurrentDateB = todatetime(toscalar(_currD));\r\nlet _CurrentDateB = datetime_add('day', 1, todatetime(toscalar(_currD)));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\r\n | extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit, 8)\r\n | extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit, 0, indexof(AdminAuditLogAgeLimit, ','))\r\n | extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\r\n | extend 
AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 2)\r\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 0, indexof(AdminAuditLogCmdlets, '\"]'))\r\n | extend AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets, '\"', \"\")\r\n | extend Comment_AdminAuditLogCmdlets = iff(AdminAuditLogCmdlets == \"*\", \"✅ Default configuration\", \"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\")\r\n | extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\r\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 2)\r\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 0, indexof(AdminAuditLogExcludedCmdlets, ']'))\r\n | extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets, '\"', \"\")\r\n | project-away CmdletResultValue\r\n | extend Comment_AdminAuditLogExcludedCmdlet = case(isnotempty(SentsitivecmdletTrack), \"❌ Some excluded CmdLets are part of Sensitive Cmdlets\", AdminAuditLogExcludedCmdlets <> \"\", \"⚠️ Some Cmdlets are excluded \", \"✅ No Excluded CmdLet\")\r\n | extend WhenChanged = todatetime(WhenChanged)\r\n | extend WhenCreated = todatetime(WhenCreated)\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\r\n | extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit, 8)\r\n | extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit, 0, indexof(AdminAuditLogAgeLimit, ','))\r\n | extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\r\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 2)\r\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 0, indexof(AdminAuditLogCmdlets, '\"]'))\r\n | extend 
AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets, '\"', \"\")\r\n | extend Comment_AdminAuditLogCmdlets = iff(AdminAuditLogCmdlets == \"*\", \"✅ Default configuration\", \"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\")\r\n | extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\r\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 2)\r\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 0, indexof(AdminAuditLogExcludedCmdlets, ']'))\r\n | extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets, '\"', \"\")\r\n | project-away CmdletResultValue\r\n | extend Comment_AdminAuditLogExcludedCmdlet = case(isnotempty(SentsitivecmdletTrack), \"❌ Some excluded CmdLets are part of Sensitive Cmdlets\", AdminAuditLogExcludedCmdlets <> \"\", \"⚠️ Some Cmdlets are excluded \", \"✅ No Excluded CmdLet\")\r\n | extend WhenChanged = todatetime(WhenChanged)\r\n | extend WhenCreated = todatetime(WhenCreated)\r\n;\r\nlet i=0;\r\nlet DiffModifData = union AfterData, BeforeData\r\n | sort by WhenChanged asc \r\n | project\r\n WhenChanged,\r\n AdminAuditLogAgeLimit,\r\n AdminAuditLogCmdlets,\r\n Comment_AdminAuditLogCmdlets,\r\n AdminAuditLogExcludedCmdlets,\r\n Comment_AdminAuditLogExcludedCmdlet,\r\n WhenCreated\r\n | extend AdminAuditLogAgeLimit = iff(AdminAuditLogAgeLimit != prev(AdminAuditLogAgeLimit) and prev(AdminAuditLogAgeLimit) != \"\", strcat(\"📍 \", AdminAuditLogAgeLimit, \" (\", prev(AdminAuditLogAgeLimit), \"->\", AdminAuditLogAgeLimit, \" )\"), AdminAuditLogAgeLimit)\r\n | extend AdminAuditLogCmdlets = iff(AdminAuditLogCmdlets != prev(AdminAuditLogCmdlets) and prev(AdminAuditLogCmdlets) != \"\", strcat(\"📍 \", AdminAuditLogCmdlets, \" (\", prev(AdminAuditLogCmdlets), \"->\", AdminAuditLogCmdlets, \" )\"), AdminAuditLogCmdlets)\r\n | extend Comment_AdminAuditLogCmdlets = 
iff(Comment_AdminAuditLogCmdlets != prev(Comment_AdminAuditLogCmdlets) and prev(Comment_AdminAuditLogCmdlets) != \"\", strcat(\"📍 \", Comment_AdminAuditLogCmdlets, \" (\", prev(Comment_AdminAuditLogCmdlets), \"->\", Comment_AdminAuditLogCmdlets, \" )\"), Comment_AdminAuditLogCmdlets)\r\n | extend AdminAuditLogExcludedCmdlets = iff(AdminAuditLogExcludedCmdlets != prev(AdminAuditLogExcludedCmdlets) and prev(AdminAuditLogExcludedCmdlets) != \"\", strcat(\"📍 \", AdminAuditLogExcludedCmdlets, \" (\", prev(AdminAuditLogExcludedCmdlets), \"->\", AdminAuditLogExcludedCmdlets, \" )\"), AdminAuditLogExcludedCmdlets)\r\n | extend Comment_AdminAuditLogExcludedCmdlet = iff(Comment_AdminAuditLogExcludedCmdlet != prev(Comment_AdminAuditLogExcludedCmdlet) and prev(Comment_AdminAuditLogExcludedCmdlet) != \"\", strcat(\"📍 \", Comment_AdminAuditLogExcludedCmdlet, \" (\", prev(Comment_AdminAuditLogExcludedCmdlet), \"->\", Comment_AdminAuditLogExcludedCmdlet, \" )\"), Comment_AdminAuditLogExcludedCmdlet)\r\n | extend ActiontypeR =iff(( AdminAuditLogAgeLimit contains \"📍\" or AdminAuditLogCmdlets contains \"📍\" or Comment_AdminAuditLogCmdlets contains \"📍\" or AdminAuditLogExcludedCmdlets contains \"📍\" or Comment_AdminAuditLogExcludedCmdlet contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n AdminAuditLogAgeLimit,\r\n AdminAuditLogCmdlets,\r\n Comment_AdminAuditLogCmdlets,\r\n AdminAuditLogExcludedCmdlets,\r\n Comment_AdminAuditLogExcludedCmdlet,\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n WhenChanged,\r\n 
AdminAuditLogAgeLimit,\r\n AdminAuditLogCmdlets,\r\n Comment_AdminAuditLogCmdlets,\r\n AdminAuditLogExcludedCmdlets,\r\n Comment_AdminAuditLogExcludedCmdlet", + "size": 1, + "showAnalytics": true, + "title": "AdminAuditLog settings comparaison", + "noDataMessage": "No modification", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 3" } ] }, "name": "group - 0Admin Audit Log configuration" }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable" - }, - "name": "POP authentication configuration" - }, { "type": 1, "content": { 
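Review bot: In the new comparison query, `SentsitivecmdletTrack` is computed once from the exclusion list at `{DateOfConfiguration:value}` (the `let AAL` at the top of the query) but is then used for `Comment_AdminAuditLogExcludedCmdlet` in both `BeforeData` and `AfterData`, so the earlier collection is judged against the current exclusion list. If a sensitive cmdlet was added to `AdminAuditLogExcludedCmdlets` between the two dates, the raw column still shows the diff but the comment shows the same ❌ on both rows and mislabels the earlier state, which is the verdict this panel exists to surface. Compute the scalar for the compare date as well, after `_DateCompareB` is defined, e.g. `let AALBefore = (ExchangeConfiguration(SpecificSectionList="AdminAuditLog", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv) | project AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets);` and `let SentsitivecmdletTrackBefore = toscalar(SensitiveCMDLet | where Cmdlet has_any (AALBefore) | project Cmdlet);`, and use `SentsitivecmdletTrackBefore` in the `case()` inside `BeforeData`. Separately, `let i=0` with `i=i + 1` inside `iff()` reads as a running counter but KQL has no mutable variables, so `ActiontypeR` appears to be a per-row 1 or 0; a plain boolean such as `extend Modified = (AdminAuditLogAgeLimit contains "📍" or ...)` would state what the `where ActiontypeR == 1` filter actually does, and `_CurrentDateB` is defined but never used in this query.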
@@ -310,7 +353,7 @@ { "type": 1, "content": { - "json": "If the POP Service is started, the LoginType should not set to Plaintext. This means that the password will be sent in clear on the network. As POP is enabled by default on all the mailboxes, this represents a high security risk.\r\n\r\nPOP Authentication\r\n- **PlainText** TLS encryption is not required on port 110. Usernames and passwords are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\r\n- **PlainTextAuthentication** TLS encryption is not required on port 110. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\r\n- **SecureLogin** Connection on port 110 must use TLS encryption before authenticating.\r\n\r\nℹ️ Recommendations\r\nDisable POP on all mailboxes except those who need to actually use this protocol.\r\nSet the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application.\r\n\r\nIf the application is not able to perform this type of authentication:\r\n- Ensure that POP is disabled on all the mailboxes except those who really need it \r\n- Monitor the POP connections\r\n- Change the password of the application on a regular basis\r\n\r\nRecommended Reading : \r\n\r\nConfiguring Authentication for POP3 and IMAP4\r\n \r\n Set-PopSettings\r\n\r\n\r\nIn order to track mailboxes that are currently using POP\r\n- Enable POP logging\r\n- Set-PopSettings -Server SRV1 -ProtocolLogEnabled verbose\r\n- Several weeks later, analyze the log content\r\n- Default location : - Get-PopSettings -server SRV1 | fl server,*log*\r\n- Check for connection and authentication\r\n", + "json": "If the POP Service is started, the LoginType should not set to Plaintext. This means that the password will be sent in clear on the network. As POP is enabled by default on all the mailboxes, this represents a high security risk.\r\n\r\nPOP Authentication\r\n- **PlainText** TLS encryption is not required on port 110. 
Usernames and passwords are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\r\n- **PlainTextAuthentication** TLS encryption is not required on port 110. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\r\n- **SecureLogin** Connection on port 110 must use TLS encryption before authenticating.\r\n\r\nℹ️ Recommendations\r\nDisable POP on all mailboxes except those which really need to use this protocol.\r\nSet the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application.\r\n\r\nIf the application is not able to perform this type of authentication:\r\n- Ensure that POP is disabled on all the mailboxes except those who really need it \r\n- Monitor the POP connections\r\n- Change the password of the application on a regular basis\r\n\r\nRecommended Reading : \r\n\r\nConfiguring Authentication for POP3 and IMAP4\r\n \r\n Set-PopSettings\r\n\r\n\r\nIn order to track mailboxes that are currently using POP\r\n- Enable POP logging\r\n- Set-PopSettings -Server SRV1 -ProtocolLogEnabled verbose\r\n- Several weeks later, analyze the log content\r\n- Default location : - Get-PopSettings -server SRV1 | fl server,*log*\r\n- Check for connection and authentication\r\n", "style": "info" }, "conditionalVisibility": { 
@@ -324,7 +367,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"PopSettings\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name contains (\"MSExchangePop3\")\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n| join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name contains (\"MSExchangePop3BE\" )\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n| extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n| extend Status = tostring(Status)\r\n| extend BackendEndService= tostring(ServiceName1)\r\n| extend StartupType = tostring(StartupType)\r\n| extend BEStatus = tostring(Status1)\r\n| extend BEStartupType = tostring(StartupType1)\r\n| project 
ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n| sort by ServerName asc", + "query": "ExchangeConfiguration(SpecificSectionList=\"PopSettings\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name == (\"MSExchangePop3\")\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n| join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name contains (\"MSExchangePop3BE\" )\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n| extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n| extend Status = tostring(Status)\r\n| extend BackendEndService= tostring(ServiceName1)\r\n| extend StartupType = tostring(StartupType)\r\n| extend BEStatus = tostring(Status1)\r\n| extend BEStartupType = 
tostring(StartupType1)\r\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n| sort by ServerName asc", "size": 1, "showAnalytics": true, "title": "Pop Authentication : should not be set as Plaintext", 
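Review bot: Switching the MSExchangePop3 filter from `contains` to `==` removes the overlap with `MSExchangePop3BE`, but `==` is case-sensitive where `contains` was not, so a service name recorded with different casing now falls through the left-outer join and is reported as `Service Status not retrieved` instead of matching. `| where CmdletResultValue.Name =~ "MSExchangePop3"` keeps the exact-name fix without the case dependency, and the BE branch could use the same operator for consistency. The same `==` filter is repeated in the new POP settings comparison query in the following hunk, which runs past the end of this view.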
@@ -361,6 +404,35 @@ "showBorder": true } }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "POP settings comparaison", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"PopSettings\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n| summarize TimeMax = arg_max(TimeGenerated,*)\r\n//| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\r\n| project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\n//let _CurrentDateB = datetime_add('day',1,todatetime(toscalar(_currD)));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"PopSettings\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name == (\"MSExchangePop3\")\r\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n | join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name contains (\"MSExchangePop3BE\" )\r\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, 
Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | extend LoginType = iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n | extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n | extend Status = tostring(Status)\r\n | extend BackendEndService= tostring(ServiceName1)\r\n | extend StartupType = tostring(StartupType)\r\n | extend BEStatus = tostring(Status1)\r\n | extend BEStartupType = tostring(StartupType1)\r\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n | sort by ServerName asc\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"PopSettings\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name == (\"MSExchangePop3\")\r\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n | join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name contains (\"MSExchangePop3BE\" )\r\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), 
ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | extend LoginType = iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n | extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n | extend Status = tostring(Status)\r\n | extend BackendEndService= tostring(ServiceName1)\r\n | extend StartupType = tostring(StartupType)\r\n | extend BEStatus = tostring(Status1)\r\n | extend BEStartupType = tostring(StartupType1)\r\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n | sort by ServerName asc\r\n;\r\nlet i=0;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by ServerName,TimeGenerated asc\r\n | extend LoginType = iff(ServerName == prev(ServerName) and LoginType != prev(LoginType) and prev(LoginType) != \"\", strcat(\"📍 \", LoginType, \" (\", prev(LoginType), \"->\", LoginType, \" )\"), LoginType)\r\n | extend ProtocolLogEnabled = iff(ServerName == prev(ServerName) and ProtocolLogEnabled != prev(ProtocolLogEnabled) and prev(ProtocolLogEnabled) != \"\", strcat(\"📍 \", ProtocolLogEnabled, \" (\", prev(ProtocolLogEnabled), \"->\", ProtocolLogEnabled, \" )\"), ProtocolLogEnabled)\r\n | extend Status = iff( ServerName == prev(ServerName) and Status != prev(Status) and prev(Status) != \"\", strcat(\"📍 \", Status, \" (\", prev(Status), \"->\", Status, \" )\"), Status)\r\n | extend StartupType = iff(ServerName == prev(ServerName) and StartupType != prev(StartupType) and prev(StartupType) != \"\", strcat(\"📍 \", StartupType, \" (\", prev(StartupType), \"->\", StartupType, 
\" )\"), StartupType)\r\n | extend BEStatus = iff(ServerName == prev(ServerName) and BEStatus != prev(BEStatus) and prev(BEStatus) != \"\", strcat(\"📍 \", BEStatus, \" (\", prev(BEStatus), \"->\", BEStatus, \" )\"), BEStatus)\r\n | extend BEStartupType = iff(ServerName == prev(ServerName) and BEStartupType != prev(BEStartupType) and prev(BEStartupType) != \"\", strcat(\"📍 \", BEStartupType, \" (\", prev(BEStartupType), \"->\", BEStartupType, \" )\"), BEStartupType)\r\n | extend ActiontypeR =iff((LoginType contains \"📍\" or ProtocolLogEnabled contains \"📍\" or Status contains \"📍\" or StartupType contains \"📍\" or BEStatus contains \"📍\" or BEStartupType contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n TimeGenerated,\r\n Actiontype,\r\n ServerName,\r\n LoginType,\r\n ProtocolLogEnabled,\r\n Status,\r\n StartupType,\r\n BEStatus,\r\n BEStartupType\r\n;\r\nDiffModifData\r\n//| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| project\r\n ServerName,\r\n LoginType,\r\n ProtocolLogEnabled,\r\n Status,\r\n StartupType,\r\n BEStatus, \r\n BEStartupType", + "size": 1, + "showAnalytics": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "Compare" + } + ] + }, + "name": "POP authentication configuration" + }, { "type": 1, "content": { 
@@ -371,7 +443,7 @@ { "type": 1, "content": { - "json": "If the IMAP Service is started, the LoginType should not set to Plaintext. This means that the passwords will be sent in clear over the network. As IMAP is enabled by default on all the mailboxes, this is a high security risk.\r\n\r\nIMAP Authentication\r\n- **PlainText** TLS encryption is not required on port 110. User name and password are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\r\n- **PlainTextAuthentication** TLS encryption is not required on port 143. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\r\n- **SecureLogin** Connection on port 143 must use TLS encryption before authenticating.\r\n\r\nℹ️ Recommendations \r\nDisable IMAP on all mailboxes except those which needs to use this protocol. Set the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application accordingly.\r\n\r\nIf the application is not able to perform this type of authentication:\r\n- Ensure that IMAP is disable on all the mailboxes except those who really need it \r\n- Monitor the connection\r\n- Regularly, change the password of the application\r\n\r\nRecommended Reading : \r\n\r\nConfiguring Authentication for POP3 and IMAP4\r\n\r\n Set-IMAPSettings\r\n\r\n\r\n\r\nIn order to track mailboxes that are currently using IMAP\r\n- Enable IMAP logging\r\n- Set-IMAPSettings -Server SRV1 -ProtocolLogEnabled verbose\r\n- Several weeks later, analyze the log content\r\n- Default location : Get-IMAPSettings -server SRV1 | fl server,*log*\r\n- Check for connection and authentication\r\n", + "json": "If the IMAP Service is started, the LoginType should not set to Plaintext. This means that the passwords will be sent in clear over the network. As IMAP is enabled by default on all the mailboxes, this is a high security risk.\r\n\r\nIMAP Authentication\r\n- **PlainText** TLS encryption is not required on port 110. 
User name and password are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\r\n- **PlainTextAuthentication** TLS encryption is not required on port 143. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\r\n- **SecureLogin** Connection on port 143 must use TLS encryption before authenticating.\r\n\r\nℹ️ Recommendations \r\nDisable IMAP on all mailboxes except those which really need to use this protocol. Set the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application accordingly.\r\n\r\nIf the application is not able to perform this type of authentication:\r\n- Ensure that IMAP is disable on all the mailboxes except those who really need it \r\n- Monitor the connection\r\n- Regularly, change the password of the application\r\n\r\nRecommended Reading : \r\n\r\nConfiguring Authentication for POP3 and IMAP4\r\n\r\n Set-IMAPSettings\r\n\r\n\r\n\r\nIn order to track mailboxes that are currently using IMAP\r\n- Enable IMAP logging\r\n- Set-IMAPSettings -Server SRV1 -ProtocolLogEnabled verbose\r\n- Several weeks later, analyze the log content\r\n- Default location : Get-IMAPSettings -server SRV1 | fl server,*log*\r\n- Check for connection and authentication\r\n", "style": "info" }, "conditionalVisibility": { 
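Review bot: The rewritten IMAP guidance still says at the `PlainText` bullet "TLS encryption is not required on port 110", which is the POP3 port; the IMAP4 plaintext listener is 143 (993 for implicit TLS), so the bullet should read `- **PlainText** TLS encryption is not required on port 143. User name and password are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.` The paragraph appears to have been copied from the POP panel and only the recommendation wording was touched in this hunk. Minor grammar in the same string: `the LoginType should not set to Plaintext` → `should not be set to PlainText`, and `Ensure that IMAP is disable` → `disabled`.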
@@ -385,7 +457,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"IMAPSettings\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name contains (\"MSExchangeIMAP4\")\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n| join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name contains (\"MSExchangeIMAP4BE\" )\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n| extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n| extend Status = tostring(Status)\r\n| extend BackendEndService= tostring(ServiceName1)\r\n| extend StartupType = tostring(StartupType)\r\n| extend BEStatus = tostring(Status1)\r\n| extend BEStartupType = tostring(StartupType1)\r\n| project 
ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n| sort by ServerName asc", + "query": "ExchangeConfiguration(SpecificSectionList=\"IMAPSettings\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name == (\"MSExchangeImap4\")\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n| join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name contains (\"MSExchangeIMAP4BE\" )\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n| extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n| extend Status = tostring(Status)\r\n| extend BackendEndService= tostring(ServiceName1)\r\n| extend StartupType = tostring(StartupType)\r\n| extend BEStatus = tostring(Status1)\r\n| extend BEStartupType = 
tostring(StartupType1)\r\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n| sort by ServerName asc", "size": 1, "showAnalytics": true, "title": "IMAP Authentication : should not be set as Plaintext", 
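Review bot: The filter change from `contains ("MSExchangeIMAP4")` to `== ("MSExchangeImap4")` swaps a case-insensitive substring match for a case-sensitive exact match, so the panel now depends on the collector reporting the front-end service name with exactly that casing; the exact match is presumably there because `contains` also matched the `MSExchangeIMAP4BE` row and duplicated servers. `=~` keeps the exact-name semantics without the case sensitivity: `| where CmdletResultValue.Name =~ "MSExchangeImap4"`. If the name does not match, the leftouter join simply yields no service rows and the row degrades to "Service Status not retrieved", so the panel would quietly stop reporting whether the IMAP service is running rather than fail visibly.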
@@ -415,6 +487,25 @@ "showBorder": true } }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"IMAPSettings\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n| summarize TimeMax = arg_max(TimeGenerated,*)\r\n//| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\r\n| project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\n//let _CurrentDateB = datetime_add('day',1,todatetime(toscalar(_currD)));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"IMAPSettings\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name == (\"MSExchangeImap4\")\r\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n | join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name contains (\"MSExchangeIMAP4BE\" )\r\n | project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | extend LoginType = 
iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n | extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n | extend Status = tostring(Status)\r\n | extend BackendEndService= tostring(ServiceName1)\r\n | extend StartupType = tostring(StartupType)\r\n | extend BEStatus = tostring(Status1)\r\n | extend BEStartupType = tostring(StartupType1)\r\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n | sort by ServerName asc\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"IMAPSettings\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name == (\"MSExchangeImap4\")\r\n | project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n | join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name contains (\"MSExchangeIMAP4BE\" )\r\n | project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | extend LoginType = 
iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n | extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n | extend Status = tostring(Status)\r\n | extend BackendEndService= tostring(ServiceName1)\r\n | extend StartupType = tostring(StartupType)\r\n | extend BEStatus = tostring(Status1)\r\n | extend BEStartupType = tostring(StartupType1)\r\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n | sort by ServerName asc\r\n;\r\nlet i=0;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by ServerName,TimeGenerated asc\r\n | extend LoginType = iff(ServerName == prev(ServerName) and LoginType != prev(LoginType) and prev(LoginType) != \"\", strcat(\"📍 \", LoginType, \" (\", prev(LoginType), \"->\", LoginType, \" )\"), LoginType)\r\n | extend ProtocolLogEnabled = iff(ServerName == prev(ServerName) and ProtocolLogEnabled != prev(ProtocolLogEnabled) and prev(ProtocolLogEnabled) != \"\", strcat(\"📍 \", ProtocolLogEnabled, \" (\", prev(ProtocolLogEnabled), \"->\", ProtocolLogEnabled, \" )\"), ProtocolLogEnabled)\r\n | extend Status = iff( ServerName == prev(ServerName) and Status != prev(Status) and prev(Status) != \"\", strcat(\"📍 \", Status, \" (\", prev(Status), \"->\", Status, \" )\"), Status)\r\n | extend StartupType = iff(ServerName == prev(ServerName) and StartupType != prev(StartupType) and prev(StartupType) != \"\", strcat(\"📍 \", StartupType, \" (\", prev(StartupType), \"->\", StartupType, \" )\"), StartupType)\r\n | extend BEStatus = iff(ServerName == prev(ServerName) and BEStatus != prev(BEStatus) and prev(BEStatus) != \"\", strcat(\"📍 \", BEStatus, \" (\", prev(BEStatus), \"->\", BEStatus, \" )\"), BEStatus)\r\n | extend 
BEStartupType = iff(ServerName == prev(ServerName) and BEStartupType != prev(BEStartupType) and prev(BEStartupType) != \"\", strcat(\"📍 \", BEStartupType, \" (\", prev(BEStartupType), \"->\", BEStartupType, \" )\"), BEStartupType)\r\n | extend ActiontypeR =iff((LoginType contains \"📍\" or ProtocolLogEnabled contains \"📍\" or Status contains \"📍\" or StartupType contains \"📍\" or BEStatus contains \"📍\" or BEStartupType contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n Actiontype,\r\n ServerName,\r\n LoginType,\r\n ProtocolLogEnabled,\r\n Status,\r\n StartupType,\r\n BEStatus,\r\n BEStartupType\r\n;\r\nDiffModifData\r\n//| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| project\r\n ServerName,\r\n LoginType,\r\n ProtocolLogEnabled,\r\n Status,\r\n StartupType,\r\n BEStatus, \r\n BEStartupType", + "size": 1, + "showAnalytics": true, + "title": "IMAP settings comparaison", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "Compare - Copy" + }, { "type": 12, "content": { 
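Review bot: In the IMAP comparison's `BeforeData`, both `POPIMAPServicesStatus` lookups are called with `SpecificConfigurationDate=_CurrentDate`, whereas the IMAPSettings rows use `_DateCompareB` (the POP comparison added in this same commit uses `_DateCompareB` for all three). The "before" Status/StartupType/BEStatus/BEStartupType values therefore come from the current snapshot, so a service that was started or switched to Automatic between the two dates is never flagged; only LoginType and ProtocolLogEnabled changes can surface. Change the two joins inside `BeforeData` to `SpecificConfigurationDate=_DateCompareB`. The item is also named `Compare - Copy` with title `IMAP settings comparaison`; a descriptive name and `comparison` would help.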
@@ -425,14 +516,14 @@ { "type": 1, "content": { - "json": "This section highlights nonstandard permissions on Configuration Partition for Exchange container. By selecting Yes for Generic All buttom only delegation set for Generic All will be display. Standard, Deny and inherited permissions have been removed" + "json": "This section highlights nonstandard permissions on the Exchange container in the Configuration Partition. By selecting Yes for **Generic All** button, only delegations set to Generic All will be displayed. \r\nAlso Standard, Deny and inherited permissions have been removed" }, "name": "text - 0" }, { "type": 1, "content": { - "json": "During the lifetime of an Exchange Organization, many permissions may have been set on Exchange containers in the Configuration Partition.\r\nThis section displayed all the nonstandard permissions found on the most important Exchange containers :\r\n - Groups from legacy Exchange versions (Exchange Enterprise Servers, Exchange Domain Servers,...)\r\n - SID for deleted accounts\r\n - Old service accounts (that may not have been disabled or removed...)\r\n \r\nWhen an administrator run setup /prepareAD, his account will be granted Generic All at the top-level Exchange container\r\n\r\nBy default, this section only displayed the Generic All permissions.\r\n \r\nThis section is built by removing all the standard AD and Exchange groups.\r\n\r\n Exchange 2013 deployment permissions reference\r\n \r\n", + "json": "During the lifetime of an Exchange Organization, many permissions may have been set on Exchange containers in the Configuration Partition.\r\nThis section displayed all the nonstandard permissions found on the most important Exchange containers :\r\n - Groups from legacy Exchange versions (Exchange Enterprise Servers, Exchange Domain Servers,...)\r\n - SID for deleted accounts\r\n - Old service accounts (that may not have been disabled or removed...)\r\n \r\nWhen an administrator runs setup /PrepareAD, his account 
will be granted Generic All at the top-level Exchange container\r\n\r\nBy default, this section only displayed the **Generic All** permissions.\r\n \r\nThis section is built by removing all the standard AD and Exchange groups.\r\n\r\n Exchange 2013 deployment permissions reference\r\n \r\n", "style": "info" }, "conditionalVisibility": { @@ -488,15 +579,15 @@ "filter": true, "sortBy": [ { - "itemKey": "AccessRights", - "sortOrder": 1 + "itemKey": "DN", + "sortOrder": 2 } ] }, "sortBy": [ { - "itemKey": "AccessRights", - "sortOrder": 1 + "itemKey": "DN", + "sortOrder": 2 } ] }, 
@@ -504,6 +595,25 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let StandardGroup = dynamic([\"Authenticated Users\", \"Domain Admins\", \"Enterprise Admins\", \"Schema Admins\", \"Exchange Trusted Subsystem\", \"Exchange Servers\", \"Organization Management\", \"Public Folder Management\", \"Delegated Setup\", \"ANONYMOUS LOGON\", \"NETWORK SERVICE\", \"SYSTEM\", \"Everyone\", \"Managed Availability Servers\"]);\r\nlet Exchsrv =ExchangeConfiguration(SpecificSectionList=\"ExchangeServers\", SpecificConfigurationDate=\"lastdate\", SpecificConfigurationEnv='B119E5', Target = \"On-Premises\")\r\n | summarize make_list(CmdletResultValue.Name);\r\nlet _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"PartConfPerm\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"PartConfPerm\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | where CmdletResultValue.Deny !contains \"True\" and CmdletResultValue.IsInherited !contains \"True\"\r\n | where (CmdletResultValue.AccessRights == \"[983551]\") in (True, False)\r\n | where not (CmdletResultValue.UserString has_any (StandardGroup)) in (True)\r\n | where not (CmdletResultValue.UserString has_any (Exchsrv))in (True)\r\n | extend Name = tostring(CmdletResultValue.Identity.Name)\r\n | extend Account = tostring(CmdletResultValue.UserString )\r\n | extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \"GenericAll\", strcat (\"❌ \",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\r\n | extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \"-As\", strcat (\"❌ \",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\r\n | extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\r\n | extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\r\n | extend AllInfo = strcat(Name,Account,CmdletResultValue.AccessRightsString,CmdletResultValue.ExtendedRightsString)\r\n | project-away CmdletResultValue\r\n | sort by Name,Account desc\r\n;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on AllInfo \r\n | distinct \r\n Name, \r\n Account, \r\n AccessRights, \r\n ExtendedRights, \r\n InheritanceType, \r\n DN,\r\n AllInfo\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"PartConfPerm\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue.Deny !contains \"True\" and 
CmdletResultValue.IsInherited !contains \"True\"\r\n | where (CmdletResultValue.AccessRights == \"[983551]\") in (True, False)\r\n | where not (CmdletResultValue.UserString has_any (StandardGroup)) in (True)\r\n | where not (CmdletResultValue.UserString has_any (Exchsrv))in (True)\r\n | extend Name = tostring(CmdletResultValue.Identity.Name)\r\n | extend Account = tostring(CmdletResultValue.UserString )\r\n | extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \"GenericAll\", strcat (\"❌ \",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\r\n | extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \"-As\", strcat (\"❌ \",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\r\n | extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\r\n | extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\r\n | extend AllInfo = strcat(Name,Account,CmdletResultValue.AccessRightsString,CmdletResultValue.ExtendedRightsString)\r\n | project-away CmdletResultValue\r\n | sort by Name,Account desc\r\n ;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"PartConfPerm\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue.Deny !contains \"True\" and CmdletResultValue.IsInherited !contains \"True\"\r\n | where (CmdletResultValue.AccessRights == \"[983551]\") in (True, False)\r\n | where not (CmdletResultValue.UserString has_any (StandardGroup)) in (True)\r\n | where not (CmdletResultValue.UserString has_any (Exchsrv))in (True)\r\n | extend Name = tostring(CmdletResultValue.Identity.Name)\r\n | extend Account = tostring(CmdletResultValue.UserString )\r\n | extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \"GenericAll\", strcat (\"❌ 
\",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\r\n | extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \"-As\", strcat (\"❌ \",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\r\n | extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\r\n | extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\r\n | extend AllInfo = strcat(Name,Account,CmdletResultValue.AccessRightsString,CmdletResultValue.ExtendedRightsString)\r\n | project-away CmdletResultValue\r\n | sort by Name,Account desc\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData) on AllInfo\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n | join kind = innerunique (BeforeData) on AllInfo\r\n | extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n | join kind = leftanti (InBeforedatabotAfter) on AllInfo\r\n | extend Actiontype =\"Add/Remove\"\r\n | project \r\n Actiontype,\r\n Name, \r\n Account, \r\n AccessRights, \r\n ExtendedRights, \r\n InheritanceType, \r\n DN \r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on AllInfo\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype), \"N/A\")\r\n| project\r\n Actiontype,\r\n Name, \r\n Account, \r\n AccessRights, \r\n ExtendedRights, \r\n InheritanceType, \r\n DN ", + "size": 1, + "showAnalytics": true, + "title": "Compare NonStandard Permissions for Exchange Container in the Configuration Partition", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": 
"Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "Compare - Copy - Copy" } ] }, @@ -535,7 +645,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList})\r\n//| where CmdletResultValue.Name !contains \"Deleg\" and CmdletResultValue.RoleAssigneeName != \"Hygiene Management\" and CmdletResultValue.RoleAssigneeName != \"Exchange Online-ApplicationAccount\" and CmdletResultValue.RoleAssigneeName != \"Discovery Management\"\r\n| where CmdletResultValue.Name !contains \"Deleg\" \r\n| where CmdletResultValue.RoleAssigneeName !in (\"Hygiene Management\",\"Exchange Online-ApplicationAccount\",\"Discovery Management\")\r\n| where CmdletResultValue.Role.Name contains \"Export\" or CmdletResultValue.Role.Name contains \"Impersonation\" or (CmdletResultValue.Role.Name contains \"Search\" and CmdletResultValue.Role.Name !contains \"MailboxSearchApplication\")\r\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role.Name)", + "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList})\r\n| where CmdletResultValue.RoleAssignmentDelegationType !=\"6\" \r\n| where CmdletResultValue.RoleAssigneeName !in (\"Hygiene Management\",\"Exchange Online-ApplicationAccount\",\"Discovery Management\")\r\n| where CmdletResultValue.Role.Name == \"Mailbox Import Export\" or CmdletResultValue.Role.Name == \"ApplicationImpersonation\" or (CmdletResultValue.Role.Name == \"Mailbox Search\")\r\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role.Name)", "size": 1, "showAnalytics": true, "title": "Number of delegations for sensitive RBAC roles", 
@@ -580,14 +690,14 @@ { "type": 1, "content": { - "json": "This delegation allows the delegated account to access and modify the content of every mailboxes using EWS." + "json": "This delegation allows the delegated accounts to access and modify the content of every mailboxes using EWS.\r\nExcluded from the result as default configuration :\r\n- The Delegating delegation for this role assigned to Organization Management\r\n- Hygiene Management group as it is a default delegation" }, "name": "text - 0" }, { "type": 1, "content": { - "json": "**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes using EWS. \r\n\r\n⚡ This role is very powerfull.\r\n\r\nIt should be carefully delegated. When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\r\n\r\nHelp for the role Application Impersonation\r\n\r\nIt is common (but not recommended) to see service accounts from backup solution, antivirus software, MDM... with this delegation.\r\n\r\nNote that the default configuration to the group Hygiene Management is excluded. This group is a sensitive group. Remember to monitor the content of this group.", + "json": "**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes using EWS. \r\n\r\n⚡ This role is very powerfull.\r\n\r\nIt should be carefully delegated. When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\r\n\r\nHelp for the role Application Impersonation\r\n\r\nIt is common (but not recommended) to see service accounts from backup solution, antivirus software, MDM... with this delegation.\r\nThese service accounts should be closely monitored and the security of the server where they are running needs to be at the same level of Exchange servers.\r\nNote that the default configuration to the group Hygiene Management is excluded. This group is a sensitive group. 
Remember to monitor the content of this group.", "style": "info" }, "conditionalVisibility": { 
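Review bot: The new-side explanatory text carries wording defects that are worth fixing while it is being edited: `every mailboxes` → `every mailbox`, `powerfull` → `powerful`, `at the same level of Exchange servers` → `at the same level as Exchange servers`, and `as default configuration :` → `as default configuration:`. The first bullet says only the Delegating assignment to Organization Management is excluded; that sentence must match the filter actually applied by the query in this section, which as written drops every delegating assignment regardless of assignee, otherwise a reader will assume a non-default delegating assignment would be listed.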
@@ -601,9 +711,42 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList})\r\n| where CmdletResultValue.Role.Name contains \"Impersonation\" and CmdletResultValue.RoleAssigneeName != \"Hygiene Management\" and CmdletResultValue.Name !contains \"Deleg\"\r\n//| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\r\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\r\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\r\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\r\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\r\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\r\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \"0\" , \"None\", \"OrganizationConfig\")\r\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\"2\",\"Organization\",CmdletResultValue.RecipientReadScope==\"3\",\"MyGAL\",CmdletResultValue.RecipientReadScope==\"4\",\"Self\",\"NotApplicable\")\r\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\r\n| extend Status= 
tostring(CmdletResultValue.Enabled)\r\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\"6\" , \"Delegating\", \"Regular\") \r\n| extend RoleAssigneeName = iff( RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\"👪 \", tostring(CmdletResultValue.RoleAssigneeName)) )\r\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged", + "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList})\r\n| where CmdletResultValue.Role.Name == \"ApplicationImpersonation\" and CmdletResultValue.RoleAssigneeName != \"Hygiene Management\" and CmdletResultValue.RoleAssignmentDelegationType !=\"6\" \r\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\r\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\r\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\r\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\r\n| extend ConfigWriteScope = 
case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\r\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \"0\" , \"None\", \"OrganizationConfig\")\r\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\"2\",\"Organization\",CmdletResultValue.RecipientReadScope==\"3\",\"MyGAL\",CmdletResultValue.RecipientReadScope==\"4\",\"Self\",\"NotApplicable\")\r\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\r\n| extend Status= tostring(CmdletResultValue.Enabled)\r\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\"6\" , \"Delegating\", \"Regular\") \r\n| extend RoleAssigneeName = iff( RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\"👪 \", tostring(CmdletResultValue.RoleAssigneeName)) )\r\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged", + "size": 1, + "showAnalytics": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "RoleAssignmentDelegationType", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "RoleAssignmentDelegationType", + "sortOrder": 1 + } + ] + }, + "name": "query - 1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let ExclusionsAcctValue = dynamic([\"Hygiene Management\", \"RIM-MailboxAdmins\"]);\r\nMESCompareDataOnPMRA(SectionCompare=\"MRA\",DateCompare=\"{DateCompare:value}\",CurrentDate = 
\"{DateOfConfiguration:value}\",EnvList ={EnvironmentList},TypeEnv = \"On-Premises\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\"Impersonation\")", "size": 1, "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", @@ -612,10 +755,22 @@ "filter": true } }, - "name": "query - 1", + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 1 - Copy", "styleSettings": { "showBorder": true } + }, + { + "type": 1, + "content": { + "json": "**Remove Time is displayed the date of the last collect and not the exact remove time**" + }, + "name": "text - 4" } ] }, 
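Review bot: The new `CmdletResultValue.RoleAssignmentDelegationType != "6"` clause removes every delegating assignment of ApplicationImpersonation, while the panel text says only the default delegating assignment to Organization Management is excluded; a delegating assignment granted to any other group lets that group hand the role to arbitrary accounts and would now be invisible in this grid. Narrow the exclusion to the default, `| where not(CmdletResultValue.RoleAssignmentDelegationType == "6" and CmdletResultValue.RoleAssigneeName == "Organization Management")`, since the `RoleAssignmentDelegationType` column already labels remaining rows as Delegating or Regular. This query also omits the `Target = "On-Premises"` argument that the sibling Mailbox Import Export and Mailbox Search queries pass to `ExchangeConfiguration`; align it unless the difference is intentional. The enclosing workbook item begins before this hunk.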
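Review bot: The new change-tracking query hard-codes `RIM-MailboxAdmins` in `ExclusionsAcctValue` next to the built-in `Hygiene Management` group; that name is not an Exchange default, so any add or remove of an ApplicationImpersonation assignment for an account with that name is silently dropped from the diff view in every environment that deploys this workbook. Make the exclusion list a workbook parameter with `Hygiene Management` as the only default, or drop the second entry. The accompanying note `**Remove Time is displayed the date of the last collect and not the exact remove time**` reads awkwardly; suggest `**Remove Time shows the date of the last collection, not the exact time of removal**`.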
@@ -638,7 +793,7 @@ { "type": 1, "content": { - "json": "**Mailbox Import Export** is a RBAC role that allows an account to export the content of any maibox in a PST. It also allows search in all mailboxes.\r\n\r\n⚡ This role is very powerfull.\r\n\r\nBy default, this role is not delegated to any user or group. The members of the group Organization Management by default do not have this role but are able to delegate it.\r\n\r\nHelp for the role Mailbox Import Export\r\n\r\nℹ️ Recommendations\r\n\r\nIf you temporarily need this delegation, consider the following:\r\n- create an empty group with this delegation\r\n- monitor the group content and alert when the group modified\r\n- add administrators in this group only for a short period of time.\r\n", + "json": "**Mailbox Import Export** is a RBAC role that allows an account to export the content of any maibox in a PST. It also allows the delegated account to perform searches in all mailboxes.\r\n\r\n⚡ This role is very powerfull.\r\n\r\nBy default, this role is not delegated to any user or group. The members of the group Organization Management by default do not have this role but are able to delegate it.\r\n\r\nHelp for the role Mailbox Import Export\r\n\r\nℹ️ Recommendations\r\n\r\nIf you temporarily need this delegation, consider the following:\r\n- Create an empty group with this delegation\r\n- Monitor the group content and alert when the group content is modified\r\n- Add administrators in this group only for a short period of time\r\n", "style": "info" }, "conditionalVisibility": { 
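Review bot: Typos survive on the new side of the Mailbox Import Export text: `maibox` → `mailbox` and `powerfull` → `powerful`. The recommendation bullets are otherwise clear; consider adding that the empty delegated group itself should be excluded from nested-membership via other groups, since the grid below reports the assignee group and not who is transitively in it. The enclosing workbook item begins before this hunk.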
@@ -652,7 +807,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Role.Name contains \"export\" and CmdletResultValue.Name !contains \"Deleg\"\r\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\r\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\r\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\r\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\r\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\r\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \"0\" , \"None\", \"OrganizationConfig\")\r\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\"2\",\"Organization\",CmdletResultValue.RecipientReadScope==\"3\",\"MyGAL\",CmdletResultValue.RecipientReadScope==\"4\",\"Self\",\"NotApplicable\")\r\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\r\n| extend Status= tostring(CmdletResultValue.Enabled)\r\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\"6\" , 
\"Delegating\", \"Regular\") \r\n| extend RoleAssigneeName = iff( RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\"👪 \", tostring(CmdletResultValue.RoleAssigneeName)) )\r\n| project RoleAssigneeName, RoleAssigneeType,Status, CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged", + "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Role.Name == \"Mailbox Import Export\" and CmdletResultValue.RoleAssignmentDelegationType !=\"6\" \r\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\r\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\r\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\r\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\r\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\r\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \"0\" , \"None\", \"OrganizationConfig\")\r\n| extend 
RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\"2\",\"Organization\",CmdletResultValue.RecipientReadScope==\"3\",\"MyGAL\",CmdletResultValue.RecipientReadScope==\"4\",\"Self\",\"NotApplicable\")\r\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\r\n| extend Status= tostring(CmdletResultValue.Enabled)\r\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\"6\" , \"Delegating\", \"Regular\") \r\n| extend RoleAssigneeName = iff( RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\"👪 \", tostring(CmdletResultValue.RoleAssigneeName)) )\r\n| project RoleAssigneeName, RoleAssigneeType,Status, CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged", "size": 1, "showAnalytics": true, "showExportToExcel": true, 
@@ -679,6 +834,39 @@
 "styleSettings": {
 "showBorder": true
 }
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let ExclusionsAcctValue = dynamic([\"Hygiene Management\", \"RIM-MailboxAdmins\"]);\r\nMESCompareDataOnPMRA(SectionCompare=\"MRA\",DateCompare=\"{DateCompare:value}\",CurrentDate = \"{DateOfConfiguration:value}\",EnvList ={EnvironmentList},TypeEnv = \"On-Premises\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\"export\")",
+ "size": 1,
+ "showAnalytics": true,
+ "title": "Display changes ( Add, Remove, modifications of parameters )",
+ "showExportToExcel": true,
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "rowLimit": 10000,
+ "filter": true
+ }
+ },
+ "conditionalVisibility": {
+ "parameterName": "Compare_Collect",
+ "comparison": "isEqualTo",
+ "value": "True"
+ },
+ "name": "query - 1",
+ "styleSettings": {
+ "showBorder": true
+ }
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "**Remove Time is displayed the date of the last collect and not the exact remove time**"
+ },
+ "name": "text - 4"
 }
 ]
 },
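Review bot: `MESCompareDataOnPMRA(... CurrentRole="export")` selects the role by a lower-case substring token, while the grid for the same section now matches `Role.Name == "Mailbox Import Export"` exactly; unless the parser (not part of this diff) normalises both, the change view and the grid can disagree on which assignments they cover, for example a custom role whose name merely contains "export". Pass the same exact name, `CurrentRole="Mailbox Import Export"`, or state the token semantics in the panel title. The item named `query - 1` here duplicates the name of the grid item above it; a distinct name such as `query - compare` avoids ambiguity when the workbook is edited.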
@@ -694,14 +882,14 @@ { "type": 1, "content": { - "json": "This delegation allows to search inside all or in a scope of mailboxes and export the result in PST.\r\nExcluded from the result as default configuration :\r\nDelegating delegation to Organization Management\r\nExchange Online-ApplicationAccount\r\nDiscovery Management has been excluded\r\n" + "json": "This delegation allows the delegated account to search inside all or in a scope of mailboxes and export the result in PST.\r\nExcluded from the result as default configuration :\r\n- The Delegating delegation for this role assigned to Organization Management\r\n- Delegation for the account Exchange Online-Application\r\n- Delegation for the group Discovery Management \r\n" }, "name": "text - 0" }, { "type": 1, "content": { - "json": "**Mailbox Search** is an RBAC role that allows an account to search in any mailbox and export the results to a PST.\r\n\r\n⚡ This role is very powerful.\r\n\r\nBy default, this role is only delegated to the group Discovery Management. The members of the group Organization Management do not have this role but are able to delegate it.\r\n\r\nHelp for the role Mailbox Search\r\n\r\nℹ️ Recommendations\r\n\r\nIf you temporarily need this delegation, consider the following:\r\n\r\n- add the administrators in the Discovery Management group\r\n- monitor the group content and alert when the group modified\r\n- add administrators in this group only for a short period of time\r\n", + "json": "**Mailbox Search** is an RBAC role that allows an account to search in any mailbox and export the results to a PST.\r\n\r\n⚡ This role is very powerful.\r\n\r\nBy default, this role is only delegated to the group Discovery Management. 
The members of the group Organization Management do not have this role but are able to delegate it.\r\n\r\nHelp for the role Mailbox Search\r\n\r\nℹ️ Recommendations\r\n\r\nIf you temporarily need this delegation, consider the following:\r\n\r\n- Temporarily add the administrators in the Discovery Management group\r\n- Monitor the group content and alert when the group is modified\r\n- Add administrators in this group only for a short period of time\r\n", "style": "info" }, "conditionalVisibility": { 
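Review bot: The new exclusion bullet names the account `Exchange Online-Application`, but the query for this section excludes `Exchange Online-ApplicationAccount`; use the full name so a reader can verify what is filtered: `- Delegation for the account Exchange Online-ApplicationAccount`. Also `search inside all or in a scope of mailboxes` → `search all mailboxes, or those within a scope,` and `as default configuration :` → `as default configuration:`. The enclosing workbook item begins before this hunk.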
@@ -715,7 +903,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Role.Name contains \"search\" and CmdletResultValue.Name !contains \"Deleg\"\r\n| where CmdletResultValue.RoleAssigneeName != \"Exchange Online-ApplicationAccount\" and CmdletResultValue.RoleAssigneeName != \"Discovery Management\"\r\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\r\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\r\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\r\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\r\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\r\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \"0\" , \"None\", \"OrganizationConfig\")\r\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\"2\",\"Organization\",CmdletResultValue.RecipientReadScope==\"3\",\"MyGAL\",CmdletResultValue.RecipientReadScope==\"4\",\"Self\",\"NotApplicable\")\r\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\r\n| 
extend Status= tostring(CmdletResultValue.Enabled)\r\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\"6\" , \"Delegating\", \"Regular\") \r\n| extend RoleAssigneeName = iff( RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\"👪 \", tostring(CmdletResultValue.RoleAssigneeName)) )\r\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged", + "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Role.Name == \"Mailbox Search\" and CmdletResultValue.RoleAssignmentDelegationType !=\"6\" \r\n| where CmdletResultValue.RoleAssigneeName != \"Exchange Online-ApplicationAccount\" and CmdletResultValue.RoleAssigneeName != \"Discovery Management\"\r\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\r\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\r\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\r\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\r\n| extend ConfigWriteScope = 
case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\r\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \"0\" , \"None\", \"OrganizationConfig\")\r\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\"2\",\"Organization\",CmdletResultValue.RecipientReadScope==\"3\",\"MyGAL\",CmdletResultValue.RecipientReadScope==\"4\",\"Self\",\"NotApplicable\")\r\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\r\n| extend Status= tostring(CmdletResultValue.Enabled)\r\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\"6\" , \"Delegating\", \"Regular\") \r\n| extend RoleAssigneeName = iff( RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\"👪 \", tostring(CmdletResultValue.RoleAssigneeName)) )\r\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged", "size": 1, "showAnalytics": true, "showExportToExcel": true, 
@@ -742,6 +930,39 @@
 "styleSettings": {
 "showBorder": true
 }
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let ExclusionsAcctValue = dynamic([\"Hygiene Management\", \"RIM-MailboxAdmins\"]);\r\nMESCompareDataOnPMRA(SectionCompare=\"MRA\",DateCompare=\"{DateCompare:value}\",CurrentDate = \"{DateOfConfiguration:value}\",EnvList ={EnvironmentList},TypeEnv = \"On-Premises\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\"Search\")",
+ "size": 1,
+ "showAnalytics": true,
+ "title": "Display changes ( Add, Remove, modifications of parameters )",
+ "showExportToExcel": true,
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "rowLimit": 10000,
+ "filter": true
+ }
+ },
+ "conditionalVisibility": {
+ "parameterName": "Compare_Collect",
+ "comparison": "isEqualTo",
+ "value": "True"
+ },
+ "name": "query - 1",
+ "styleSettings": {
+ "showBorder": true
+ }
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "**Remove Time is displayed the date of the last collect and not the exact remove time**"
+ },
+ "name": "text - 4"
 }
 ]
 },
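Review bot: The change-tracking query for Mailbox Search excludes `Hygiene Management` and `RIM-MailboxAdmins`, but the grid for the same role excludes `Exchange Online-ApplicationAccount` and `Discovery Management` and neither of those two; the compare view will therefore report the default Discovery Management assignment as noise while hiding any change to a non-default account named RIM-MailboxAdmins. Use one exclusion set per role, e.g. `let ExclusionsAcctValue = dynamic(["Exchange Online-ApplicationAccount", "Discovery Management"]);` here, ideally fed from a workbook parameter so non-default names are not baked into the solution. `CurrentRole="Search"` is also a substring token while the grid matches `Mailbox Search` exactly; the parser is not in this diff, so confirm both select the same assignments.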
@@ -757,7 +978,7 @@ { "type": 1, "content": { - "json": "These are delegations at the database level.\r\n\r\n**Receive As Extended Right on database's objects in the Configuration**\r\n\r\nWhen an account has **ReceiveAs** permissions on a database's object, it can open and view the content of any mailboxes on that database.\r\n\r\nHelp for Receive As Permission\r\n\r\n\r\nℹ️ Recommendations\r\n\r\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person.Change the password as often as possible.\r\n\r\n**Send As Extended Right on database objects in the Configuration**\r\n\r\n\r\nWhen an account has **SendAs** permissions on a database's object, it can send messages from all the mailboxes contained in this database. The messages that are sent from a mailbox will appear as if the mailbox owner sent them.\r\n\r\nHelp for Send As Permission\r\n\r\n\r\nℹ️ Recommendations\r\n\r\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person.Change the password as often as possible.\r\n", + "json": "These sections display delegations at the database level (the database Object, not the container) ..\r\n\r\n**Receive As Extended Right on database's objects in the Configuration**\r\n\r\nWhen an account has **ReceiveAs** permissions on a database's object, it can open and view the content of any mailboxes on that database.\r\n\r\nHelp for Receive As Permission\r\n\r\n\r\nℹ️ Recommendations\r\n\r\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person. 
This account should be closely monitored and the security of the server where it is running needs to be at the same level of Exchange servers.\r\nChange the password as often as possible.\r\n\r\n**Send As Extended Right on database objects in the Configuration**\r\n\r\n\r\nWhen an account has **SendAs** permissions on a database's object, it can send messages from all the mailboxes contained in this database. The messages that are sent from a mailbox will appear as if the mailbox owner sent them.\r\n\r\nHelp for Send As Permission\r\n\r\n\r\nℹ️ Recommendations\r\n\r\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person.\r\nThis account should be closely monitored and the security of the server where it is running needs to be at the same level of Exchange servers. \r\nChange the password as often as possible.\r\n", "style": "info" }, "conditionalVisibility": { 
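Review bot: Wording on the new side: `at the database level (the database Object, not the container) ..` has a stray double period, `at the same level of Exchange servers` → `at the same level as Exchange servers`, and `a very limited number of person.` → `a very limited number of people.`. `Change the password as often as possible` is not actionable; suggest `Rotate the password on a fixed schedule and immediately when anyone who knew it leaves the team`. Since the new `IsInherited` parameter in this section can also show container-inherited entries, the opening sentence should say the default view is database objects only and that inherited entries can be included with the toggle.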
@@ -767,11 +988,41 @@ }, "name": "SendAsHelp" }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "eb0af112-df51-47f5-8849-b3ee764fa72d", + "version": "KqlParameterItem/1.0", + "name": "IsInherited", + "label": "Included Inherited deleg", + "type": 10, + "description": "Yes Show all the delegations (Databases object and Database Containers), No only databases objects", + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n { \"value\": \"false\", \"label\": \"No\" , \"selected\":true },\r\n { \"value\": \"true, false\", \"label\": \"Yes\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + }, + "value": "true, false" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 7" + }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| union ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| summarize dcount(tostring(CmdletResultValue.UserString)) by iff( tostring(Section) contains \"MailboxDatabaseReceiveAs\",\"ReceiveAs Unique Acct\",\"SendAs Unique Acct\")", + "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| union ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = 
\"On-Premises\")\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n| summarize dcount(tostring(CmdletResultValue.UserString)) by iff( tostring(Section) contains \"MailboxDatabaseReceiveAs\",\"ReceiveAs Unique Acct\",\"SendAs Unique Acct\")", "size": 1, "showAnalytics": true, "title": "Number of accounts with ReceiveAs/SendAs delegations", 
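Review bot: The new filter `| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})` looks inverted for the `No` option: with `{IsInherited}` rendered as `false` it keeps rows where `(IsInherited == false)` is false, i.e. the inherited entries, which is the opposite of the parameter description `No only databases objects`; with `true, false` both branches pass, so `Yes` works only because it accepts everything. `| where tobool(CmdletResultValue.IsInherited) in ({IsInherited})` expresses the intent directly for both options and tolerates a string-serialised `IsInherited`, whose exact form is not visible in this diff. The parameter also marks `No` as `"selected":true` in `jsonData` while `"value": "true, false"` makes `Yes` the effective default; given the section text says it shows database objects, set `"value": "false"` so the two agree. The description `Yes Show all the delegations (Databases object and Database Containers), No only databases objects` would read better as `Yes: all delegations (database objects and database containers). No: database objects only.`.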
@@ -811,10 +1062,10 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| union ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| summarize dcount(tostring(CmdletResultValue.Identity.Name)) by iff( tostring(Section) contains \"MailboxDatabaseReceiveAs\",\"ReceiveAs Unique DB\",\"SendAs Unique DB\")", + "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| union ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n| summarize dcount(tostring(CmdletResultValue.Identity.Name)) by iff( tostring(Section) contains \"MailboxDatabaseReceiveAs\",\"ReceiveAs Unique DB\",\"SendAs Unique DB\")", "size": 1, "showAnalytics": true, - "title": "ReceiveAs/SendAs database delegations", + "title": "Databases with ReceiveAs/SendAs delegations", "color": "purple", "showExportToExcel": true, "queryType": 0, 
@@ -855,7 +1106,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| extend Account = tostring(CmdletResultValue.UserString)\r\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n| summarize Count =count() by Account,DatabaseName\r\n| project Account,Count,DatabaseName\r\n", + "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n| extend Account = tostring(CmdletResultValue.UserString)\r\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n| extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n| summarize Count =count() by Account,DatabaseName,IsInherited\r\n| project Account,Count,DatabaseName,IsInherited\r\n", "size": 1, "showAnalytics": true, "title": "ReceiveAs Extended Right on databases", 
@@ -918,12 +1169,10 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| extend Account = tostring(CmdletResultValue.UserString)\r\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n| summarize Count =count() by Account, DatabaseName\r\n| project Account, Count, DatabaseName",
+ "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n| extend Account = tostring(CmdletResultValue.UserString)\r\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n| extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n| summarize Count =count() by Account,DatabaseName,IsInherited\r\n| project Account,Count,DatabaseName,IsInherited",
 "size": 1,
 "showAnalytics": true,
 "title": "SendAs Extended Right on databases",
- "noDataMessage": "No Send-As delegation",
- "noDataMessageStyle": 3,
 "showExportToExcel": true,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
@@ -932,20 +1181,8 @@
 {
 "columnMatch": "Account",
 "formatter": 5
- },
- {
- "columnMatch": "Count",
- "formatter": 8,
- "formatOptions": {
- "palette": "blue",
- "aggregation": "Sum",
- "compositeBarSettings": {
- "labelText": ""
- }
- }
 }
 ],
- "rowLimit": 10000,
 "filter": true,
 "hierarchySettings": {
 "treeType": 1,
@@ -953,52 +1190,92 @@
 "Account"
 ],
 "finalBy": "Account"
- },
- "labelSettings": [
- {
- "columnId": "Account",
- "comment": "Account and the number of databases on which it has delegation "
- }
- ]
+ }
 }
 },
 "customWidth": "50",
- "name": "MailboxDatabaseSendAsGrid",
+ "name": "SendAs Extended Right on databases",
 "styleSettings": {
 "showBorder": true
 }
- }
- ]
- },
- "name": "ReceiveSendAs"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "selected",
- "comparison": "isEqualTo",
- "value": "Delegation"
- },
- "name": "Importantsecurityconfiguration"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "title": "Local Administrators",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "The following section will display the content of the local Administrators group for each server\r\n\r\n** When content refer to groups from other forests, none or partial information will be displayed and the number of Administrators may be inconsistent. **\r\n\r\nMost of the sections display the same information but with differents sorting, displays..."
- },
- "name": "text - 12"
- },
- {
- "type": 1,
- "content": {
- "json": "Only Exchange administrators should be members of the local Administrators group of Exchange servers.\r\n\r\nYou need to review the content of the local Administrators group on a regular basis.\r\n\r\nIt is considered a high security risk to have a discrepancy of members between the servers. \r\n\r\nIt is not recommended to have more than one local administrator accounts. Furthermore, the password should be unique on each server and regularly changed. 
A solution like LAPS could be used to manage the local administrator password.\r\n\r\nOnly Exchange administrators should be able to logon on Exchange servers.\r\n\r\nHere the default content of the local Administrators group for an Exchange server \r\n:\r\n- Administrator (this account can be renamed)\r\n- Domain Admins\r\n- Exchange Trusted Subsystem\r\n- Organization Management\r\n\r\n**Service accounts should not be members of the local Administrators group**. If it is necessary, you need to ensure that the account is dedicated to Exchange. If the service account opens sessions on other servers, it can be used for lateral movements. \r\n",
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"MailboxDatabaseReceiveAs\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n | extend Account = tostring(CmdletResultValue.UserString)\r\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n | extend Allinfo = strcat(Account,DatabaseName)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Account\r\n;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on Allinfo \r\n | distinct \r\n Account,\r\n DatabaseName,\r\n IsInherited,\r\n Allinfo\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n | extend Account = tostring(CmdletResultValue.UserString)\r\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n | extend Allinfo = strcat(Account,DatabaseName)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Account\r\n ;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n | extend Account = 
tostring(CmdletResultValue.UserString)\r\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n | extend Allinfo = strcat(Account,DatabaseName)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Account\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData) on Allinfo\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n | join kind = innerunique (BeforeData) on Allinfo\r\n | extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\r\n | extend Actiontype =\"Add/Remove\"\r\n | project \r\n Actiontype,\r\n Account,\r\n DatabaseName,\r\n IsInherited,\r\n Allinfo\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Allinfo\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype), \"N/A\")\r\n| project\r\n Actiontype,\r\n Account,\r\n DatabaseName,\r\n IsInherited",
+ "size": 3,
+ "showAnalytics": true,
+ "title": "Comparaison ReceiveAs",
+ "showExportToExcel": true,
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "filter": true
+ }
+ },
+ "customWidth": "50",
+ "conditionalVisibility": {
+ "parameterName": "Compare_Collect",
+ "comparison": "isEqualTo",
+ "value": "True"
+ },
+ "name": "query - 5"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = 
(ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"MailboxDatabaseSendAs\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n | extend Account = tostring(CmdletResultValue.UserString)\r\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n | extend Allinfo = strcat(Account,DatabaseName)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Account\r\n;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on Allinfo \r\n | distinct \r\n Account,\r\n DatabaseName,\r\n IsInherited,\r\n Allinfo\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n | extend Account = tostring(CmdletResultValue.UserString)\r\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n | extend Allinfo = strcat(Account,DatabaseName)\r\n | extend CmdletResultV = 
tostring(CmdletResultValue)\r\n | sort by Account\r\n ;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n | extend Account = tostring(CmdletResultValue.UserString)\r\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n | extend Allinfo = strcat(Account,DatabaseName)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Account\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData) on Allinfo\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n | join kind = innerunique (BeforeData) on Allinfo\r\n | extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\r\n | extend Actiontype =\"Add/Remove\"\r\n | project \r\n Actiontype,\r\n Account,\r\n DatabaseName,\r\n IsInherited,\r\n Allinfo\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Allinfo\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype), \"N/A\")\r\n| project\r\n Actiontype,\r\n Account,\r\n DatabaseName,\r\n IsInherited",
+ "size": 3,
+ "showAnalytics": true,
+ "title": "Comparaison SendAs",
+ "showExportToExcel": true,
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "filter": true
+ }
+ },
+ "customWidth": "50",
+ "conditionalVisibility": {
+ "parameterName": 
"Compare_Collect",
+ "comparison": "isEqualTo",
+ "value": "True"
+ },
+ "name": "query - 5 - Copy"
+ }
+ ]
+ },
+ "name": "ReceiveSendAs"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "selected",
+ "comparison": "isEqualTo",
+ "value": "Delegation"
+ },
+ "name": "Importantsecurityconfiguration"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "title": "Local Administrators",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "The following section will display the content of the local Administrators group for each server\r\n\r\n** When content refers to groups from other forests, none or partial information will be displayed, and the number of Administrators may be inconsistent. **\r\n\r\nMost of the sections display the same information but with different sorting, views...\r\nIf an SID is part of the local Administrators group, it won't be displayed due to a collect limitation."
+ },
+ "name": "text - 12"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "Only Exchange administrators should be members of the local Administrators group of Exchange servers.\r\n\r\nYou need to review the content of the local Administrators group on a regular basis. Ensure that the content is enforced by GPO.\r\n\r\nIt is considered as a high security risk to have a discrepancy of members between the servers. \r\n\r\nIt is not recommended to have more than one local Administrator accounts. Furthermore, the password should be unique on each server and regularly changed. 
A solution like LAPS could be used to manage the local administrator password.\r\n\r\nOnly Exchange administrators should be able to logon on Exchange servers.\r\n\r\nHere the default content of the local Administrators group for an Exchange server \r\n:\r\n- Administrator (this account can be renamed)\r\n- Domain Admins\r\n- Exchange Trusted Subsystem\r\n- Organization Management\r\n\r\n**Service accounts should not be members of the local Administrators group**. If it is necessary, you need to ensure that the account is dedicated to Exchange. If the service account opens sessions on other servers, it can be used for lateral movements.\r\nThese service accounts should be closely monitored and the security of the server where they are running needs to be at the same level of Exchange servers.\r\n",
 "style": "info"
 },
 "conditionalVisibility": {
@@ -1031,6 +1308,13 @@
 },
 "name": "parameters - 7"
 },
+ {
+ "type": 1,
+ "content": {
+ "json": "**Yes** : display all content including the default Groups : Default groups after the installation of Exchange\r\n\r\n**No** : display only content of non standard Groups"
+ },
+ "name": "text - 15"
+ },
 {
 "type": 1,
 "content": {
@@ -1077,8 +1361,9 @@
 "content": {
 "version": "NotebookGroup/1.0",
 "groupType": "editable",
- "title": "Click to see number of unique members for all servers",
+ "title": "Click to see number of unique members for every servers in the organization",
 "expandable": true,
+ "expanded": true,
 "items": [
 {
 "type": 1,
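Review bot: The two comparison queries build their join key as `strcat(Account,DatabaseName)` with no separator, so two distinct (Account, DatabaseName) pairs can collapse to the same key and a real add or removal of a SendAs/ReceiveAs delegation would be dropped from the diff grid; `| extend Allinfo = strcat(Account, "|", DatabaseName)` in all three `let` blocks of each query removes the ambiguity (the local-admin comparison in the next hunk has the same pattern with `strcat(Parentgroup,MemberPath)`). The key also omits IsInherited, so an entry switching between explicit and inherited is not reported as a change — presumably intended, but worth stating in the grid title. The `allDataRange | join kind = innerunique (allDataRange) on Allinfo | distinct ...` self-join adds nothing that `distinct` does not already do and can be dropped. The titles `Comparaison ReceiveAs`/`Comparaison SendAs` misspell "Comparison", and the item names `query - 5` / `query - 5 - Copy` would be easier to find later as `CompareReceiveAs` / `CompareSendAs`.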
@@ -1131,7 +1416,7 @@
 "version": "KqlItem/1.0",
 "query": "let allsrv = ExchangeConfiguration(SpecificSectionList=\"ExchangeServers\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\") | where \r\nCmdletResultValue.IsMailboxServer== true | extend Name=tostring(CmdletResultValue.Name);\r\nExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\") \r\n| where CmdletResultValue.Level == 1\r\n| project CmdletResultValue\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Name = tostring(trim_end(@'\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup)))\r\n| distinct Name\r\n| project Name\r\n| join kind=rightanti (allsrv) on Name\r\n| project CmdletResultValue.Name",
 "size": 4,
- "title": "Servers not reachable",
+ "title": "Servers not reachable during the collect",
 "noDataMessage": "All server were successfully analyzed",
 "noDataMessageStyle": 3,
 "queryType": 0,
@@ -1159,7 +1444,7 @@
 "version": "KqlItem/1.0",
 "query": "ExchangeConfiguration(SpecificSectionList=\"ExchangeServers\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n| where CmdletResultValue.ServerRole <> 64\r\n| count\r\n",
 "size": 4,
- "title": "Number of servers",
+ "title": "Total number of servers in the Organizaton",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "visualization": "tiles",
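Review bot: The new title in the second hunk misspells "Organization": `"title": "Total number of servers in the organization",`. The first hunk's new title `Servers not reachable during the collect` would read more naturally as `Servers not reachable during the collection`, matching the noun used in the surrounding help text.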
@@ -1210,7 +1495,7 @@
 {
 "type": 1,
 "content": {
- "json": "This view shows each nonstandard user account that is member (directly or by a group) of the local Administrators group per server.\r\n\r\nConsider reviewing:\r\n- **nonstandard members** the Memberpath help to understand from which group the user comprised\r\n- **inconsistent memebrs** across servers\r\n\r\nNote that content from Trusted forests might not be displayed. ",
+ "json": "This Tab shows each nonstandard user account that is member (directly or by a group) of the local Administrators group per server.\r\n\r\nConsider reviewing:\r\n- **nonstandard members** : the Memberpath help to understand from which group inclusion the user come from\r\n- **inconsistent members** across servers\r\n\r\nNote that content from Trusted forests might not be displayed. ",
 "style": "info"
 },
 "conditionalVisibility": {
@@ -1220,6 +1505,61 @@
 },
 "name": "LocalAdminPerServersHelp"
 },
+ {
+ "type": 1,
+ "content": {
+ "json": "This tabled shows a comparaison of the content between two dates.",
+ "style": "info"
+ },
+ "conditionalVisibility": {
+ "parameterName": "Compare_Collect",
+ "comparison": "isEqualTo",
+ "value": "True"
+ },
+ "name": "LocalAdminPerServersHelp - Copy"
+ },
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "parameters": [
+ {
+ "id": "590a6eb9-3349-46cd-ace1-cae9aac1f26a",
+ "version": "KqlParameterItem/1.0",
+ "name": "Server",
+ "type": 2,
+ "query": "ExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n| where CmdletResultValue.Level == 1\r\n| project CmdletResultValue\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Parentgroup = trim_end(@'\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\r\n| distinct Parentgroup = Parentgroup",
+ "typeSettings": {
+ "additionalResourceOptions": []
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "value": null
+ }
+ ],
+ "style": "pills",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "name": "parameters - 18"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let StandardGroup = dynamic([\"Administrator\", \"Domain Admins\",\"Exchange Trusted Subsystem\",\"Organization Management\", \"Admins du domaine\"]);\r\nlet _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize 
TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"LocalAminGroup\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | where CmdletResultValue.Level != 0 \r\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\r\n| project CmdletResultValue\r\n| extend Parentgroup = trim_end(@'\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| extend Allinfo = strcat(Parentgroup,MemberPath)\r\n| sort by Parentgroup asc\r\n;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on Allinfo \r\n | distinct \r\n Parentgroup,\r\n MemberPath, \r\n Level, \r\n ObjectClass, \r\n LastLogon, \r\n LastPwdSet, \r\n Enabled, \r\n DN,\r\n Allinfo\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue.Level != 0 \r\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\r\n| project CmdletResultValue\r\n| extend Parentgroup = trim_end(@'\\\\Local 
Administrators',tostring(CmdletResultValue.Parentgroup))\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| extend Allinfo = strcat(Parentgroup,MemberPath)\r\n| sort by Parentgroup asc\r\n ;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue.Level != 0 \r\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\r\n| project CmdletResultValue\r\n| extend Parentgroup = trim_end(@'\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| extend Allinfo = strcat(Parentgroup,MemberPath)\r\n| sort by Parentgroup asc\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData) on Allinfo\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n | join kind = innerunique (BeforeData) on Allinfo\r\n | extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\r\n | extend Actiontype =\"Add/Remove\"\r\n | project \r\n Actiontype,\r\n Parentgroup,\r\n MemberPath, 
\r\n Level, \r\n ObjectClass, \r\n LastLogon, \r\n LastPwdSet, \r\n Enabled, \r\n DN\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Allinfo\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype), \"N/A\")\r\n| project\r\n Actiontype,\r\n Parentgroup, \r\n MemberPath, \r\n Level, \r\n ObjectClass, \r\n LastLogon, \r\n LastPwdSet, \r\n Enabled, \r\n DN\r\n| where Parentgroup contains \"{Server}\"",
+ "size": 3,
+ "showAnalytics": true,
+ "title": "To view the comparaison for one specific server, select a server in the dropdown list",
+ "showExportToExcel": true,
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "filter": true
+ }
+ },
+ "name": "query - 17"
+ },
 {
 "type": 3,
 "content": {
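Review bot: The help text `LocalAdminPerServersHelp - Copy` is gated on `Compare_Collect`, but the `Server` picker (`parameters - 18`) and the comparison grid (`query - 17`) are not, so the grid renders, and its query runs with an unset `{DateCompare:value}`, even when the comparison mode is off; adding the same `"conditionalVisibility": { "parameterName": "Compare_Collect", "comparison": "isEqualTo", "value": "True" }` to both items keeps the three pieces consistent with the ReceiveAs/SendAs comparisons above. The final `| where Parentgroup contains "{Server}"` is a substring match, so selecting one server also returns every server whose name contains it (e.g. a prefix shared by several hosts), which defeats the per-server review the title promises; `| where isempty("{Server}") or Parentgroup == "{Server}"` keeps the show-all behaviour when nothing is selected and is exact otherwise. The join key `strcat(Parentgroup,MemberPath)` has the same no-separator ambiguity noted on the delegation comparison hunk. `This tabled shows a comparaison` in the help text should read `This table shows a comparison`.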
@@ -1227,7 +1567,7 @@
 "query": "let StandardGroup = dynamic([\"Administrator\", \"Domain Admins\",\"Exchange Trusted Subsystem\",\"Organization Management\", \"Admins du domaine\"]);\r\nExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Level != 0 \r\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\r\n| project CmdletResultValue\r\n| extend Parentgroup = trim_end(@'\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| summarize Count=count() by MemberPath,Parentgroup,Level,ObjectClass,LastLogon,LastPwdSet,Enabled,DN\r\n| project Parentgroup = strcat(\"💻 \",Parentgroup),Count,MemberPath,Level,ObjectClass,LastLogon,LastPwdSet,Enabled,DN\r\n| sort by Parentgroup asc ",
 "size": 1,
 "showAnalytics": true,
- "title": " Total Non standard Groups and accounts including nested groups",
+ "title": " Total per server of Non standard Groups and accounts including nested groups",
 "showExportToExcel": true,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
@@ -1290,7 +1630,7 @@
 "query": "let StandardGroup = dynamic([\"Administrator\", \"Domain Admins\",\"Exchange Trusted Subsystem\",\"Organization Management\", \"Admins du domaine\"]);\r\nExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Level == 1\r\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\r\n| project CmdletResultValue\r\n| extend Parentgroup = trim_end(@'\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend MemberPath = case( ObjectClass == \"group\", strcat( \"👪 \", MemberPath), ObjectClass == \"computer\", strcat( \"💻 \", MemberPath), strcat( \"🧑‍🦰 \", MemberPath) )\r\n| project-away CmdletResultValue\r\n//| summarize Count=count(), Servers=make_set(Parentgroup) by MemberPath\r\n| summarize Count=count() by MemberPath,Parentgroup \r\n| sort by Count desc",
 "size": 1,
 "showAnalytics": true,
- "title": "Non Standard accounts summary",
+ "title": "Non Standard accounts summary for all servers",
 "showExportToExcel": true,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
@@ -1349,7 +1689,7 @@
 {
 "type": 1,
 "content": {
- "json": "##### Select a server to display its content\r\n\r\nBy default only the non-standard members are displayed. \r\n\r\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days"
+ "json": "##### Select a server to display its content\r\n\r\nBy default only the non-standard members are displayed. \r\n\r\n❌ : for last logon displayed when the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days"
 },
 "name": "text - 0"
 },
@@ -1365,10 +1705,12 @@
 "type": 2,
 "query": "ExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n| where CmdletResultValue.Level == 1\r\n| project CmdletResultValue\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Parentgroup = trim_end(@'\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\r\n| distinct Parentgroup = Parentgroup",
 "typeSettings": {
+ "additionalResourceOptions": [],
 "showDefault": false
 },
 "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "value": null
 },
 {
 "id": "05ef4f1c-4cf4-406f-9fb2-9ee30dc93abd",
@@ -1479,7 +1821,7 @@
 {
 "type": 1,
 "content": {
- "json": "The **Exchange Trusted Subsystem** group is one the two most sensistive groups in Exchange. This group has all privileges in Exchange and very high privileges in AD.\r\n\r\nExchange 2013 deployment permissions reference\r\n\r\nThis group should only contains computer accounts for each Exchange servers. When the DAG has an IP and a CNO, it is acceptable to have the DAG's computer account.\r\n\r\nThis section only shows direct nonstandard members.",
+ "json": "The **Exchange Trusted Subsystem** group is one of the two most sensitive groups in Exchange. This group has all privileges in Exchange and very high privileges in AD.\r\n\r\nExchange 2013 deployment permissions reference\r\n\r\nThis group should only contain computer accounts for each Exchange servers. When the DAG has an IP and a CNO, it is acceptable to have the DAG's computer account.\r\n\r\nThis section only shows direct nonstandard members.",
 "style": "info"
 },
 "customWidth": "50",
@@ -1493,7 +1835,7 @@
 {
 "type": 1,
 "content": {
- "json": "The **Exchange Windows Permissions** group is one the two most sensistive groups in Exchange. This group has very high privileges in AD.\r\n\r\nExchange 2013 deployment permissions reference\r\n\r\nThis group should only contains the group Exchange Trusted SubSystem. This section only shows direct nonstandard members. ",
+ "json": "The **Exchange Windows Permissions** group is one of the two most sensitive groups in Exchange. This group has very high privileges in AD.\r\n\r\nExchange 2013 deployment permissions reference\r\n\r\nThis group should only contain the group Exchange Trusted SubSystem. This section only shows direct nonstandard members. ",
 "style": "info"
 },
 "customWidth": "50",
@@ -1591,7 +1933,6 @@
 "content": {
 "version": "NotebookGroup/1.0",
 "groupType": "editable",
- "title": "Exchange Windows Permissions direct nonstandard content (Exchange Trusted subsystem non standard content not included)",
 "items": [
 {
 "type": 3,
@@ -1620,7 +1961,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "let ETScontent = ExchangeConfiguration(SpecificSectionList=\"ETS\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\") | project Name = tostring(CmdletResultValue.Name);\r\nExchangeConfiguration(SpecificSectionList=\"EWP\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name !in (ETScontent) and CmdletResultValue.Name != \"Exchange Trusted Subsystem\"\r\n//| extend Name = strcat (\"⛔\",tostring(CmdletResultValue.Name))\r\n| extend Name = iff(CmdletResultType == \"Success\", strcat (\"⛔\",tostring(CmdletResultValue.Name)),\"Script was unable to retrieve data\")\r\n| project Name ",
+ "query": "let ETScontent = ExchangeConfiguration(SpecificSectionList=\"ETS\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\") | project Name = tostring(CmdletResultValue.Name);\r\nExchangeConfiguration(SpecificSectionList=\"EWP\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name !in (ETScontent) and CmdletResultValue.Name != \"Exchange Trusted Subsystem\"\r\n| extend Name = iff(CmdletResultType == \"Success\", strcat (\"⛔\",tostring(CmdletResultValue.Name)),\"Script was unable to retrieve data\")\r\n| project Name ",
 "size": 1,
 "showAnalytics": true,
 "title": "Exchange Windows Permissions direct nonstandard content (Exchange Trusted subsystem non standard content not included)",
@@ -1650,7 +1991,7 @@
 {
 "type": 1,
 "content": {
- "json": "ℹ️ Recommendations\r\n\r\n- Groups from old Exchange version should have been removed\r\n- List of old groups \r\n\t- Exchange Organization Administrators\r\n\t- Exchange Recipient Administrators\r\n\t- Exchange Public Folder Administrators\r\n\t- Exchange Server Administrator\r\n\t- Exchange View-Only Administrator\r\n\t- Exchange Enterprise Servers (located in the root domain)\r\n\t- Exchange Domain Servers : one group per domain\r\n\r\n\r\nHelp for Built-in role groups",
+ "json": "ℹ️ Recommendations\r\n\r\n- Groups from the old Exchange version should have been removed\r\n- List of old groups \r\n\t- Exchange Organization Administrators\r\n\t- Exchange Recipient Administrators\r\n\t- Exchange Public Folder Administrators\r\n\t- Exchange Server Administrator\r\n\t- Exchange View-Only Administrator\r\n\t- Exchange Enterprise Servers (located in the root domain)\r\n\t- Exchange Domain Servers : one group per domain\r\n\r\n\r\nHelp for Built-in role groups",
 "style": "info"
 },
 "conditionalVisibility": {
@@ -1665,6 +2006,7 @@
 "content": {
 "version": "NotebookGroup/1.0",
 "groupType": "editable",
+ "title": "If still exist, this section showed a summary of the content of old groups",
 "items": [
 {
 "type": 3,
@@ -1705,10 +2047,17 @@
 "content": {
 "version": "NotebookGroup/1.0",
 "groupType": "editable",
- "title": "Expand details on the content of old groups",
+ "title": "Expand this section to details on the content of the old groups",
 "expandable": true,
- "expanded": false,
+ "expanded": true,
 "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "Please select a group"
+ },
+ "name": "text - 5"
+ },
 {
 "type": 9,
 "content": {
@@ -1724,7 +2073,8 @@
 "showDefault": false
 },
 "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "value": null
 },
 {
 "id": "a695df39-1965-479a-ad0f-b4d3d168aaed",
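Review bot: The two new group titles in the @@ -1665 and @@ -1705 hunks read awkwardly: `"If still exist, this section showed a summary of the content of old groups"` and `"Expand this section to details on the content of the old groups"`. Suggest `"If they still exist, this section shows a summary of the content of the old groups"` and `"Details on the content of the old groups"`; the same @@ -1705 hunk flips the group to `"expanded": true`, so a title that tells the reader to "Expand" no longer describes what they see by default. These strings are displayed in the workbook, so the wording is the only thing a reviewer can check here; the JSON itself is well-formed.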
@@ -1754,7 +2104,7 @@
 {
 "type": 1,
 "content": {
- "json": "Old Exchange groups content groups (Extract for the OU \"Microsoft Exchange Security Groups\").\r\nSelect a group to display detailed information of its contents.\r\nLevel attribute helps you understand the level of nested groups.\r\n\r\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days"
+ "json": "Old Exchange groups content groups (Extract for the OU \"Microsoft Exchange Security Groups\").\r\nSelect a group to display detailed information of its contents.\r\nLevel attribute helps you understand the level of nested groups.\r\n\r\n❌ : for last logon displayed when the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days"
 },
 "name": "text - 2"
 },
@@ -1762,9 +2112,10 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let OldVGroupEES = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\", SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n | where (CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.MemberPath != @\"Exchange Enterprise Servers\\Exchange Domain Servers\") or CmdletResultValue.Parentgroup == \"Exchange Services\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend Enabled = tostring(CmdletResultValue.Enabled) );\r\nlet OldVGroupEDS = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"lastdate\", SpecificConfigurationEnv='B13', Target = \"On-Premises\")\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.Level ==0\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n| mv-expand CmdletResultValue.Members\r\n| where CmdletResultValue_Members.objectClass == \"group\"\r\n| project Parentgroup, MemberPath= strcat(Parentgroup,\"\\\\\", CmdletResultValue_Members.name), Level = tostring(1), ObjectClass = tostring(CmdletResultValue_Members.objectClass), DN = tostring(CmdletResultValue_Members.DistinguishedName), ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)| join kind=inner ( ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"lastdate\", SpecificConfigurationEnv='B13', Target = \"On-Premises\")\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend ObjectGuid = 
tostring(CmdletResultValue.ObjectGuid)) on ObjectGuid) ;\r\nExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=\"lastdate\", SpecificConfigurationEnv='B13', Target = \"On-Premises\") \r\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n| where CmdletResultValue.Parentgroup in (\"Exchange Organization Administrators\", \"Exchange Recipient Administrators\", \"Exchange Public Folder Administrators\", \"Exchange Server Administrator\", \"Exchange View-Only Administrator\")\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| union OldVGroupEES,OldVGroupEDS\r\n| search CmdletResultValue.Parentgroup == \"{Group}\"\r\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago(0d) or tostring (CmdletResultValue.LastPwdSetString) == \"\"\r\n| where todatetime (CmdletResultValue.LastLogonString) < ago(0d) or tostring (CmdletResultValue.LastLogonString) == \"\"\r\n| sort by tostring(CmdletResultValue.MemberPath) asc \r\n| where CmdletResultValue.Level != 0\r\n//| extend DN = tostring(CmdletResultValue.DN)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ Never logged\", strcat(\"❌\", LastLogon))))\r\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n| extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), 
CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ Password never set\", strcat(\"❌\", LastPwdSet))))\r\n| extend MemberPath = case(ObjectClass == \"group\", strcat(\"👪 \", MemberPath), ObjectClass == \"computer\", strcat(\"💻 \", MemberPath), strcat(\"🧑‍🦰 \", MemberPath))\r\n| project Parentgroup, MemberPath, Level, ObjectClass,LastLogon, LastPwdSet ,Enabled,DN\r\n", + "query": "let OldVGroupEES = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\", SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n | where (CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.MemberPath != @\"Exchange Enterprise Servers\\Exchange Domain Servers\") or CmdletResultValue.Parentgroup == \"Exchange Services\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend Enabled = tostring(CmdletResultValue.Enabled) );\r\nlet OldVGroupEDS = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\", SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.Level ==0\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | mv-expand CmdletResultValue.Members\r\n | where CmdletResultValue_Members.objectClass == \"group\"\r\n | project Parentgroup, MemberPath= strcat(Parentgroup,\"\\\\\", CmdletResultValue_Members.name), Level = tostring(1), ObjectClass = tostring(CmdletResultValue_Members.objectClass), DN = tostring(CmdletResultValue_Members.DistinguishedName), ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)\r\n | join 
kind=inner ( ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\", SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid)) on ObjectGuid) ;\r\nExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\", SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\") \r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | where CmdletResultValue.Parentgroup in (\"Exchange Organization Administrators\", \"Exchange Recipient Administrators\", \"Exchange Public Folder Administrators\", \"Exchange Server Administrator\", \"Exchange View-Only Administrator\")\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | union OldVGroupEES,OldVGroupEDS\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | where todatetime (CmdletResultValue.LastPwdSetString) < ago(0d) or tostring (CmdletResultValue.LastPwdSetString) == \"\"\r\n | where todatetime (CmdletResultValue.LastLogonString) < ago(0d) or tostring (CmdletResultValue.LastLogonString) == \"\"\r\n | sort by tostring(CmdletResultValue.MemberPath) asc \r\n | where CmdletResultValue.Level != 0\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff 
(LastLogon == \"\", \"❌ Never logged\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ Password never set\", strcat(\"❌\", LastPwdSet))))\r\n | extend MemberPath = case(ObjectClass == \"group\", strcat(\"👪 \", MemberPath), ObjectClass == \"computer\", strcat(\"💻 \", MemberPath), strcat(\"🧑‍🦰 \", MemberPath))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | project Parentgroup, MemberPath, Level, ObjectClass,LastLogon, LastPwdSet ,Enabled,DN\r\n", "size": 1, "showAnalytics": true, + "title": "Selected group content", "noDataMessage": "The query returned no results.", "showExportToExcel": true, "queryType": 0, 
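Review bot: Both `iif` conditions that compute `LastLogon` and `LastPwdSet` in the new query test `ObjectClass == "computer"` twice (`... or ObjectClass == "Local User" or ObjectClass == "computer"`); the repeat is either dead or a typo for another object class, so drop it or name the class that was intended. This hunk correctly replaces the hard-coded `SpecificConfigurationDate="lastdate", SpecificConfigurationEnv='B13'` with the `{DateOfConfiguration:value}` / `{EnvironmentList}` workbook parameters, but the same fixed values survive in the compare query added at @@ -1807 (see the note there). The query also extends `Enabled` from `CmdletResultValue.Enabled` both before and after the `union`; the second `extend` presumably exists to fill the column for the `OldVGroupEDS` rows, which project without it — a short KQL comment saying so would save the next reader the trace.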
@@ -1807,6 +2158,44 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeDataEES=\r\n (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where (CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.MemberPath != @\"Exchange Enterprise Servers\\Exchange Domain Servers\") or CmdletResultValue.Parentgroup == \"Exchange Services\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend Enabled = tostring(CmdletResultValue.Enabled));\r\nlet BeforeDataEDS = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.Level == 0\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | mv-expand CmdletResultValue.Members\r\n | where CmdletResultValue_Members.objectClass == 
\"group\"\r\n | project\r\n Parentgroup,\r\n MemberPath= strcat(Parentgroup, \"\\\\\", CmdletResultValue_Members.name),\r\n Level = tostring(1),\r\n ObjectClass = tostring(CmdletResultValue_Members.objectClass),\r\n DN = tostring(CmdletResultValue_Members.DistinguishedName),\r\n ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)\r\n | join kind=inner (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"lastdate\", SpecificConfigurationEnv='B13', Target = \"On-Premises\")\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid))\r\n on ObjectGuid); \r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Parentgroup in (\"Exchange Organization Administrators\", \"Exchange Recipient Administrators\", \"Exchange Public Folder Administrators\", \"Exchange Server Administrator\", \"Exchange View-Only Administrator\")\r\n | union BeforeDataEES, BeforeDataEDS\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = 
iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n;\r\nlet AfterDataEES=\r\n (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where (CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.MemberPath != @\"Exchange Enterprise Servers\\Exchange Domain Servers\") or CmdletResultValue.Parentgroup == \"Exchange Services\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend Enabled = tostring(CmdletResultValue.Enabled));\r\nlet AfterDataEDS = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.Level == 0\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | mv-expand CmdletResultValue.Members\r\n | where CmdletResultValue_Members.objectClass == \"group\"\r\n | project\r\n Parentgroup,\r\n MemberPath= strcat(Parentgroup, \"\\\\\", CmdletResultValue_Members.name),\r\n Level = tostring(1),\r\n ObjectClass = tostring(CmdletResultValue_Members.objectClass),\r\n DN = tostring(CmdletResultValue_Members.DistinguishedName),\r\n 
ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)\r\n | join kind=inner (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid))\r\n on ObjectGuid); \r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | union AfterDataEES, AfterDataEDS\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n;\r\nlet allDataRange = 
\r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"ExGroup\" or Section_s == \"ADGroup\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated,CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | where CmdletResultValue.Parentgroup in (\"Exchange Organization Administrators\", \"Exchange Recipient Administrators\", \"Exchange Public Folder Administrators\", \"Exchange Server Administrator\", \"Exchange View-Only Administrator\", \"Exchange Enterprise Servers\" , \"Exchange Services\")\r\n //| where CmdletResultValue.MemberPath != @\"Exchange Enterprise Servers\\Exchange Domain Servers\"\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath 
asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n ;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on MemberPath \r\n | distinct \r\n TimeGenerated,\r\n Parentgroup,\r\n MemberPath,\r\n Level,\r\n ObjectClass,\r\n LastLogon,\r\n LastPwdSet,\r\n Enabled\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData ) on MemberPath\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n| join kind = innerunique (BeforeData ) on MemberPath\r\n| extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n| join kind = leftanti (InBeforedatabotAfter ) on MemberPath\r\n| extend Actiontype =\"Add/Remove\"\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on MemberPath\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData,AddRemoveindataset,InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype),\"N/A\")\r\n| where MemberPath <> \"Exchange Enterprise Servers\\\\Exchange Domain Servers\"\r\n| project\r\n Actiontype,Parentgroup, MemberPath, Level, ObjectClass, LastLogon, LastPwdSet, Enabled\r\n", + "size": 3, + "showAnalytics": true, + "title": "Compare of the contents of selected old group", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "MemberPath", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "MemberPath", + "sortOrder": 1 + } + ] + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "ExchangeServersGroupsGrid - Compare", + "styleSettings": { + "showBorder": true + } } ] }, 
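Review bot: In the `BeforeDataEDS` branch of the new compare query, the inner join still calls `ExchangeConfiguration(SpecificSectionList="ADGroup", SpecificConfigurationDate="lastdate", SpecificConfigurationEnv='B13', Target = "On-Premises")`, a fixed environment name and date that the sibling query at @@ -1762 just removed; on any workspace whose environment is not named `B13` the join returns no rows, nested Exchange Domain Servers groups vanish from the "before" set and are then reported as `Add`, so it should read `SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv` like the outer query. The matching join in `AfterDataEDS` uses `SpecificConfigurationDate=_DateCompareB` although that branch is built from `_CurrentDate`, which looks like a copy-paste slip and should be `_CurrentDate`. The empty-password label is `"❌ No logon"` in every `LastPwdSet` expression here and in the @@ -1981 and @@ -2008 hunks, whereas the @@ -1762 query uses `"❌ Password never set"`; the password wording is the accurate one. `| where ESIEnvironment_s == _EnvList` assumes `{EnvironmentList}` expands to a single value — if that parameter can carry several environments, the equality silently drops rows; confirm against the parameter definition, which is outside this hunk.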
@@ -1826,7 +2215,7 @@
 {
 "type": 1,
 "content": {
- "json": "ℹ️ Recommendations\r\n\r\n- Ensure that no service account are a member of the high privilege groups. Use RBAC to delegate the exact required permissions.\r\n- Limit the usage of nested group for administration.\r\n- Ensure that accounts are given only the required pernissions to execute their tasks.\r\n- Use just in time administration principle by adding users in a group only when they need the permissions, then remove them when their operation is over.\r\n- Limit the number of Organization management members. When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\r\n- Monitor the content of the following groups:\r\n - Organization Management\r\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\r\n - Discovery Management\r\n - Server Management\r\n - Hygiene Management\r\n - Exchange Servers\r\n - Exchange Trusted Subsystem \r\n - Exchange Windows Permissions\r\n - xxx High privilege group (not an exhaustive list)\r\n - All RBAC groups that have high roles delegation\r\n - All nested groups in high privileges groups\r\n - Note that this is not a complete list. The content of all the groups that have high privileges should be monitored.\r\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\r\n- Periodically review the members of the groups\r\n\r\nHelp for Built-in role groups",
+ "json": "ℹ️ Recommendations\r\n\r\n- Ensure that no service account is a member of the high privilege groups. Use RBAC to delegate the exact required permissions.\r\n- Limit the usage of nested group for administration.\r\n- Ensure that accounts are given only the required permissions to execute their tasks.\r\n- Use just in time administration principle by adding users in a group only when they need the required permissions, then remove them when their operation is over.\r\n- Limit the number of Organization management members. When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\r\n- Monitor the content of the following groups:\r\n - Organization Management\r\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\r\n - Discovery Management\r\n - Server Management\r\n - Hygiene Management\r\n - Exchange Servers\r\n - Exchange Trusted Subsystem \r\n - Exchange Windows Permissions\r\n - xxx High privilege group (not an exhaustive list)\r\n - All RBAC groups that have high roles delegation\r\n - All nested groups in high privileges groups\r\n - Note that this is not a complete list. The content of all the groups that have high privileges should be monitored.\r\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\r\n- Periodically review the members of the groups\r\n\r\nHelp for Built-in role groups",
 "style": "info"
 },
 "conditionalVisibility": {
@@ -1917,6 +2306,13 @@
 },
 "name": "ExchangeGroupsList"
 },
+ {
+ "type": 1,
+ "content": {
+ "json": "Please select a group"
+ },
+ "name": "text - 5 - Copy"
+ },
 {
 "type": 9,
 "content": {
@@ -1934,7 +2330,8 @@
 "showExportToExcel": true,
 "showAnalytics": true,
 "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "value": null
 },
 {
 "id": "f3b935d7-b78f-41d2-94bc-f8c878a13260",
@@ -1973,7 +2370,7 @@
 {
 "type": 1,
 "content": {
- "json": "Exchange groups content (Extract for the OU \"Microsoft Exchange Security Groups\").\r\nSelect a group to display detailed information of its contents.\r\nLevel attribute helps you understand the level of nested groups.\r\n\r\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days"
+ "json": "Exchange groups content (Extract for the OU \"Microsoft Exchange Security Groups\").\r\nSelect a group to display detailed information of its contents.\r\nLevel attribute helps you understand the level of nested groups.\r\n\r\n❌ : for last logon displayed when the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days"
 },
 "name": "text - 2"
 },
@@ -1981,7 +2378,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"ExGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| search CmdletResultValue.Parentgroup == \"{Group}\"\r\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \"\"\r\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \"\"\r\n| where CmdletResultValue.Level != 0\r\n| sort by tostring(CmdletResultValue.MemberPath) asc \r\n| project CmdletResultValue\r\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastLogon = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\"\", \"❌ No logon\",strcat(\"❌\",LastLogon))))\r\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n| extend LastPwdSet = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\"\", \"❌ No logon\",strcat(\"❌\",LastPwdSet))))\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| sort by MemberPath asc\r\n//| extend MemberPath = case( ObjectClass == \"group\", strcat( \"👪 \", MemberPath), ObjectClass == \"computer\", strcat( \"💻 \", 
MemberPath), strcat( \"🧑‍🦰 \", MemberPath) )\r\n| project-away CmdletResultValue,Parentgroup", + "query": "ExchangeConfiguration(SpecificSectionList=\"ExGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| search CmdletResultValue.Parentgroup == \"{Group}\"\r\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \"\"\r\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \"\"\r\n| where CmdletResultValue.Level != 0\r\n| sort by tostring(CmdletResultValue.MemberPath) asc \r\n| project CmdletResultValue\r\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastLogon = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\"\", \"❌ No logon\",strcat(\"❌\",LastLogon))))\r\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n| extend LastPwdSet = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\"\", \"❌ No logon\",strcat(\"❌\",LastPwdSet))))\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| sort by MemberPath asc\r\n| project-away CmdletResultValue,Parentgroup", "size": 3, "showAnalytics": true, "showExportToExcel": true, 
@@ -2008,6 +2405,51 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"ExGroup\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated,CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == 
\"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n ;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on MemberPath \r\n | distinct \r\n TimeGenerated,\r\n Parentgroup,\r\n MemberPath,\r\n Level,\r\n ObjectClass,\r\n LastLogon,\r\n LastPwdSet,\r\n Enabled\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = 
tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData ) on MemberPath\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n| join kind = innerunique (BeforeData ) on MemberPath\r\n| extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n| join kind = leftanti (InBeforedatabotAfter ) on 
MemberPath\r\n| extend Actiontype =\"Add/Remove\"\r\n| project \r\n TimeGenerated,\r\n Parentgroup,\r\n Actiontype,\r\n MemberPath,\r\n Level,\r\n ObjectClass,\r\n LastLogon,\r\n LastPwdSet,\r\n Enabled\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on MemberPath\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData,AddRemoveindataset,InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype),\"N/A\")\r\n| project\r\n Actiontype,Parentgroup, MemberPath, Level, ObjectClass, LastLogon, LastPwdSet, Enabled", + "size": 3, + "showAnalytics": true, + "title": "Add/Remove information in selected group", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "MemberPath", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "MemberPath", + "sortOrder": 1 + } + ] + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "ExchangeServersGroupsGrid - Copy", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "Add/Remove means that the account has been added and removed between the Time Range (so not present Before or After the Time Range)" + }, + "name": "text - 7" } ] }, @@ -2020,6 +2462,13 @@ "groupType": "editable", "title": "AD Group", "items": [ + { + "type": 1, + "content": { + "json": "Please select a group" + }, + "name": "text - 5 - Copy" + }, { "type": 1, "content": { 
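Review bot: If I read the joins right, a member present in both the `{DateCompare}` and `{DateOfConfiguration}` snapshots that was removed and re-added in between is never reported: `AllnotinAfterData` discards every MemberPath found in AfterData before the intermediate `ESIExchangeConfig_CL` snapshots are consulted, and `DiffAddData` only compares the two endpoint snapshots. For a privileged Exchange group that is exactly the temporary self-add an attacker or a careless admin leaves behind, so the "Add/Remove" category should be derived from gaps between consecutive snapshots (per MemberPath, compare the set of TimeGenerated values seen against the full set of snapshot times in the range) rather than from absence at the end. `allDataRange | join kind = innerunique (allDataRange) on MemberPath | distinct ...` is a self-join that keeps one arbitrary sighting per MemberPath; `| summarize arg_max(TimeGenerated, *) by MemberPath` states that intent and keeps the latest one. The `search CmdletResultValue.Parentgroup == \"{Group}\"` filters would be cheaper and exact as `| where tostring(CmdletResultValue.Parentgroup) == \"{Group}\"`.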
@@ -2043,17 +2492,14 @@
 "version": "KqlParameterItem/1.0",
 "name": "Group",
 "type": 2,
- "query": "ExchangeConfiguration(SpecificSectionList=\"ADGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\r\n| distinct GroupName\r\n| sort by GroupName asc\r\n",
+ "query": "ExchangeConfiguration(SpecificSectionList=\"ADGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where tostring(CmdletResultValue.Parentgroup) != \"Exchange Enterprise Servers\" and tostring(CmdletResultValue.Parentgroup) <> \"Exchange Services\"\r\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\r\n| distinct GroupName\r\n| sort by GroupName asc\r\n",
 "typeSettings": {
+ "additionalResourceOptions": [],
 "showDefault": false
 },
- "showExportToExcel": true,
- "showAnalytics": true,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
- "gridSettings": {
- "rowLimit": 10000
- }
+ "value": null
 },
 {
 "id": "9d02cad2-f4c5-418d-976f-b88b56f80cb5",
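Review bot: The new filter silently hides two groups from the privileged-group picker and mixes `!=` and `<>` for the same test; a reader cannot tell whether "Exchange Enterprise Servers" and "Exchange Services" are excluded because the collector does not populate them or because they are considered uninteresting, and since every grid in this tab is keyed on `{Group}` the excluded groups become unreviewable from the workbook. Suggest `| where tostring(CmdletResultValue.Parentgroup) !in (\"Exchange Enterprise Servers\", \"Exchange Services\")` plus a one-line mention of the exclusion in the tab's text item. The parameter item continues outside the hunk.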
@@ -2089,7 +2535,7 @@
 {
 "type": 1,
 "content": {
- "json": "Overview of high privileges AD Groups' content.\r\nSelect a group to display detailed information of its contents.\r\nLevel attribute helps you understand the level of nested groups.\r\n\r\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days"
+ "json": "Overview of high privileges AD Groups' content.\r\nSelect a group to display detailed information of its contents.\r\nLevel attribute helps you understand the level of nested groups.\r\n\r\n❌ : for last logon displayed when the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days"
 },
 "name": "text - 0"
 },
@@ -2097,7 +2543,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"ADGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| search CmdletResultValue.Parentgroup == \"{Group}\"\r\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \"\"\r\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \"\"\r\n| where CmdletResultValue.Level != 0\r\n| sort by tostring(CmdletResultValue.MemberPath) asc \r\n| project CmdletResultValue\r\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastLogon = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\"\", \"❌ No logon\",strcat(\"❌\",LastLogon))))\r\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n| extend LastPwdSet = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\"\", \"❌ No logon\",strcat(\"❌\",LastPwdSet))))\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| sort by MemberPath asc\r\n//| extend MemberPath = case( ObjectClass == \"group\", strcat( \"👪 \", MemberPath), ObjectClass == \"computer\", strcat( \"💻 \", 
MemberPath), strcat( \"🧑‍🦰 \", MemberPath) )\r\n| project-away CmdletResultValue,Parentgroup", + "query": "ExchangeConfiguration(SpecificSectionList=\"ADGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| search CmdletResultValue.Parentgroup == \"{Group}\"\r\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \"\"\r\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \"\"\r\n| where CmdletResultValue.Level != 0\r\n| sort by tostring(CmdletResultValue.MemberPath) asc \r\n| project CmdletResultValue\r\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastLogon = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\"\", \"❌ No logon\",strcat(\"❌\",LastLogon))))\r\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n| extend LastPwdSet = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\"\", \"❌ No logon\",strcat(\"❌\",LastPwdSet))))\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| sort by MemberPath asc\r\n| project-away CmdletResultValue,Parentgroup", "size": 3, "showAnalytics": true, "showExportToExcel": true, 
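Review bot: The flag thresholds in this query are still literals (`ago(180d)`, `ago(366d)`) while the rows were already narrowed by the `{LastLogon}` and `{PasswordLast}` parameters and the tab text describes the password cut-off as 365 days, so the ❌ markers can disagree with both the filter and the description. Using `ago({LastLogon})` and `ago({PasswordLast})` in the two iif expressions would let one value drive filter and marker alike, and the password branch's empty-value label should be `❌ No password set` rather than `❌ No logon`. `ObjectClass==\"computer\"` is tested twice in each condition. The enclosing KqlItem starts and ends outside the hunk.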
@@ -2122,6 +2568,51 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"ADGroup\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated,CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == 
\"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n ;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on MemberPath \r\n | distinct \r\n TimeGenerated,\r\n Parentgroup,\r\n MemberPath,\r\n Level,\r\n ObjectClass,\r\n LastLogon,\r\n LastPwdSet,\r\n Enabled\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = 
tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData ) on MemberPath\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n| join kind = innerunique (BeforeData ) on MemberPath\r\n| extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n| join kind = leftanti (InBeforedatabotAfter ) on 
MemberPath\r\n| extend Actiontype =\"Add/Remove\"\r\n| project \r\n TimeGenerated,\r\n Parentgroup,\r\n Actiontype,\r\n MemberPath,\r\n Level,\r\n ObjectClass,\r\n LastLogon,\r\n LastPwdSet,\r\n Enabled\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on MemberPath\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData,AddRemoveindataset,InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype),\"N/A\")\r\n| project\r\n Actiontype,Parentgroup, MemberPath, Level, ObjectClass, LastLogon, LastPwdSet, Enabled", + "size": 3, + "showAnalytics": true, + "noDataMessage": "Add/Remove information in selected group", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "MemberPath", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "MemberPath", + "sortOrder": 1 + } + ] + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "ExchangeServersGroupsGrid - Compare", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "Add/Remove means that the account has been added and removed between the Time Range (so not present Before or After the Time Range)" + }, + "name": "text - 6" } ] }, @@ -2146,7 +2637,7 @@ { "type": 1, "content": { - "json": "This tab displays differents security configuration for transport components." + "json": "This tab displays different security configurations for transport components." }, "name": "text - 10" }, @@ -2155,7 +2646,7 @@ "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Receive Connectors", + "title": "Receive Connectors with", "items": [ { "type": 3, 
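Review bot: `allDataRange` reads `ESIExchangeConfig_CL` directly with `| where ESIEnvironment_s == _EnvList` and `| where Section_s == \"ADGroup\"`, bypassing the `ExchangeConfiguration()` parser every other item in this workbook goes through; `_EnvList` is the raw `{EnvironmentList}` substitution, so if that parameter can ever render more than one value the equality silently matches nothing and the Add/Remove rows vanish without any error. `| where ESIEnvironment_s in ({EnvironmentList})` would tolerate both shapes, assuming the parameter renders as a quoted list. This item is otherwise a near-verbatim copy of the ExGroup compare item (only the section name and item name differ), which is the kind of duplication that drifts; a shared function or a single item parameterised on the section would be safer.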
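Review bot: The group title in the last hunk changes from `"Receive Connectors"` to `"Receive Connectors with"`, which reads as a truncated edit; presumably it was meant to name what the connectors in this group are filtered by (the grid further down keeps only connectors whose PermissionGroupsString contains Anonymous). Either finish the title, e.g. `"title": "Receive Connectors with Anonymous permissions"`, or keep the original wording.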
@@ -2256,7 +2747,8 @@
 "durationMs": 86400000
 },
 "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "value": null
 },
 {
 "id": "14912e83-60a1-4a21-a34b-500d4662a666",
@@ -2282,7 +2774,7 @@
 {
 "type": 1,
 "content": {
- "json": "The toogle buttom help you to sort by:\r\n\r\n- Server\r\n- Receive connectors with no IP restrictions"
+ "json": "The toggle button helps you to sort by:\r\n\r\n- Server\r\n- Receive connectors with/without no IP restrictions"
 },
 "name": "text - 3"
 },
@@ -2290,7 +2782,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"RCAnonymous\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project Identity,CmdletResultValue\r\n| extend Identity = tostring(Identity)\r\n| extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.DistinguishedName,\",\",3)),\"[\\\"CN=\",\"\"),\"\\\"]\",\"\")\r\n|join kind=leftouter ( ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\") ) on $left.Identity == $right.Name\r\n| where CmdletResultValue1.Server.Name contains \"{Server}\"\r\n| where (CmdletResultValue1.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue1.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n| where CmdletResultValue1.PermissionGroupsString contains \"Anonymous\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\r\n| extend Server = tostring(CmdletResultValue1.Server.Name)\r\n| extend Name = tostring(CmdletResultValue1.Name)\r\n| extend TransportRole = iff(CmdletResultValue1.TransportRole== \"32\" , \"HubTransport\", \"FrontendTransport\")\r\n| extend Enabled = tostring(CmdletResultValue1.Enabled)\r\n| extend PermissionGroups = tostring(CmdletResultValue1.PermissionGroupsString) \r\n| extend AuthMechanism = tostring(CmdletResultValue1.AuthMechanismString)\r\n| mv-expand RemoteIPall=CmdletResultValue1.RemoteIPRanges\r\n| mv-expand BindingAllall=CmdletResultValue1.Bindings\r\n| extend RemoteIP= RemoteIPall.Expression\r\n| extend IP= strcat (BindingAllall.Address,\"-\",BindingAllall.Port)\r\n| summarize Bindings = make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by 
Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\r\n| sort by Server asc", + "query": "ExchangeConfiguration(SpecificSectionList=\"RCAnonymous\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project Identity,CmdletResultValue\r\n| extend Identity = tostring(Identity)\r\n| extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.Identity.DistinguishedName,\",\",3)),\"[\\\"CN=\",\"\"),\"\\\"]\",\"\")\r\n|join kind=leftouter ( ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\") ) on $left.Identity == $right.Name\r\n| where CmdletResultValue1.Server.Name contains \"{Server}\"\r\n| where (CmdletResultValue1.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue1.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n| where CmdletResultValue1.PermissionGroupsString contains \"Anonymous\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\r\n| extend Server = tostring(CmdletResultValue1.Server.Name)\r\n| extend Name = tostring(CmdletResultValue1.Name)\r\n| extend TransportRole = iff(CmdletResultValue1.TransportRole== \"32\" , \"HubTransport\", \"FrontendTransport\")\r\n| extend Enabled = tostring(CmdletResultValue1.Enabled)\r\n| extend PermissionGroups = tostring(CmdletResultValue1.PermissionGroupsString) \r\n| extend AuthMechanism = tostring(CmdletResultValue1.AuthMechanismString)\r\n| mv-expand RemoteIPall=CmdletResultValue1.RemoteIPRanges\r\n| mv-expand BindingAllall=CmdletResultValue1.Bindings\r\n| extend RemoteIP= RemoteIPall.Expression\r\n| extend IP= strcat (BindingAllall.Address,\"-\",BindingAllall.Port)\r\n| summarize Bindings = make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by 
Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\r\n| sort by Server asc", "size": 1, "showAnalytics": true, "showExportToExcel": true, 
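Review bot: The only change to this query edits an expression that is dead: `Server` is derived from `CmdletResultValue.Identity.DistinguishedName` and then overwritten by `| extend Server = tostring(CmdletResultValue1.Server.Name)` before the summarize, so the fix has no visible effect and the DN-parsing line could simply be dropped. More important for what this grid claims to show, `CmdletResultValue1.RemoteIPRanges contains \"0.0.0.0\"` is a substring test over the serialized array, so a restricted range such as `10.0.0.0-10.255.255.255` also satisfies it and the connector is classed as having no IP restriction (or hidden when `{NoIPRestriction}` is false); matching the full unrestricted expression, presumably `contains \"0.0.0.0-255.255.255.255\"` and `contains \"::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\"`, would avoid the false classification. The enclosing KqlItem starts and ends outside the hunk.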
@@ -2317,6 +2809,28 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n | extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"RCAnonymous\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| project Identity,CmdletResultValue\r\n| extend Identity = tostring(Identity)\r\n| extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.Identity.DistinguishedName,\",\",3)),\"[\\\"CN=\",\"\"),\"\\\"]\",\"\")\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"RCAnonymous\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project Identity,CmdletResultValue\r\n | extend Identity = tostring(Identity)\r\n | extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.Identity.DistinguishedName,\",\",3)),\"[\\\"CN=\",\"\"),\"\\\"]\",\"\")\r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Server\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Server\r\n | extend Actiontype =\"Remove\"\r\n | distinct \r\n Actiontype,\r\n Identity,\r\n Server\r\n | project \r\n Actiontype,\r\n Identity,\r\n Server\r\n;\r\nunion DiffAddData, DiffRemoveData\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", 
Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), \"N/A\")\r\n| project\r\n Actiontype,\r\n Permission = \"ms-Exch-SMTP-Accept-Any-Recipient\",\r\n Identity,\r\n Server\r\n| order by Server\r\n\r\n", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4" } ] }, @@ -2357,7 +2871,8 @@ "showDefault": false }, "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null }, { "id": "4ef1d2a2-a13f-4bd4-9e66-2d9a15ad8a7a", @@ -2378,7 +2893,7 @@ { "type": 1, "content": { - "json": "The toogle buttom help you to sort by:\r\n\r\n- Server\r\n- Receive connectors with no IP restrictions" + "json": "The toggle button helps you to sort by:\r\n\r\n- Server\r\n- Receive connectors with/without no IP restrictions" }, "name": "text - 3" }, 
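Review bot: Both diff joins are keyed on the server rather than the connector (`| join kind = rightanti (AfterData) on Server` and `| join kind = leftanti AfterData on Server`), so a second RCAnonymous entry created on a server that already had one, or one removed while another remains on that server, is never reported; both joins should be `on Identity`, and the item title's "modifications of parameters" is not delivered by this query at all since only presence is compared. `_currD` and `let i=0;` are computed and never used. The projected `Permission = \"ms-Exch-SMTP-Accept-Any-Recipient\"` column is a fixed label rather than a value read from the data, which a reader of the exported grid may mistake for a collected permission; if it is a label, the column name should say so.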
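Review bot: The reworded toggle text in the last hunk, `Receive connectors with/without no IP restrictions`, stacks "without" and "no" and is harder to parse than the sentence it replaces; `- Receive connectors with or without IP restrictions` says what the toggle does. The same sentence appears in the earlier hunk at -2282 and should be updated in both places.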
@@ -2414,6 +2929,28 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| where CmdletResultValue.Server.Name contains \"{Server}\"\r\n| where (CmdletResultValue.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n | where CmdletResultValue.AuthMechanismString contains \"ExternalAuthoritative\"\r\n | project CmdletResultValue,WhenChanged,WhenCreated\r\n | extend Server = tostring(CmdletResultValue.Server.Name)\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \"32\", \"HubTransport\", \"FrontendTransport\")\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\r\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\r\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\r\n | mv-expand BindingAllall=CmdletResultValue.Bindings\r\n | extend RemoteIP= RemoteIPall.Expression\r\n | extend IP= strcat (BindingAllall.Address, \"-\", BindingAllall.Port)\r\n | extend 
Identity = strcat(Server,'\\\\',Name)\r\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\r\n | sort by Server asc\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Server.Name contains \"{Server}\"\r\n | where (CmdletResultValue.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n | where CmdletResultValue.AuthMechanismString contains \"ExternalAuthoritative\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\r\n | project CmdletResultValue, WhenChanged,WhenCreated\r\n | extend Server = tostring(CmdletResultValue.Server.Name)\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \"32\", \"HubTransport\", \"FrontendTransport\")\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\r\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\r\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\r\n | mv-expand BindingAllall=CmdletResultValue.Bindings\r\n | extend RemoteIP= RemoteIPall.Expression\r\n | extend IP= strcat (BindingAllall.Address, \"-\", BindingAllall.Port)\r\n | extend Identity = strcat(Server,'\\\\',Name)\r\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\r\n | sort by Server asc\r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on 
Identity\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Server\r\n | extend Actiontype =\"Remove\"\r\n | extend Binding = tostring(Bindings)\r\n | extend RIR = tostring(RemoteIPRange)\r\n | distinct\r\n WhenChanged,\r\n Actiontype,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n Bindings = Binding,\r\n RemoteIPRange = RIR,\r\n WhenCreated \r\n;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by WhenChanged asc \r\n | sort by Server, Name asc\r\n | extend Identity = strcat(Server,\"\\\\\",Name)\r\n | extend Name = iff(Name != prev(Name) and prev(Name) != \"\" and Identity == prev(Identity) , strcat(\"📍 \", Name, \" (\", prev(Name), \"->\", Name, \" )\"), Name)\r\n | extend TransportRole = iff(TransportRole != prev(TransportRole) and prev(TransportRole) != \"\"and Identity == prev(Identity), strcat(\"📍 \", TransportRole, \" (\", prev(TransportRole), \"->\", TransportRole, \" )\"), TransportRole)\r\n | extend Enabled = iff(Enabled != prev(Enabled) and prev(Enabled) != \"\" and Identity == prev(Identity), strcat(\"📍 \", Enabled, \" (\", prev(Enabled), \"->\", Enabled, \" )\"), Enabled)\r\n | extend PermissionGroups = iff(PermissionGroups != prev(PermissionGroups) and prev(PermissionGroups) != \"\" and Identity == prev(Identity), strcat(\"📍 \", PermissionGroups, \" (\", prev(PermissionGroups), \"->\", PermissionGroups, \" )\"), PermissionGroups)\r\n | extend AuthMechanism = iff(AuthMechanism != prev(AuthMechanism) and prev(AuthMechanism) != \"\" and Identity == prev(Identity), strcat(\"📍 \", AuthMechanism, \" (\", prev(AuthMechanism), \"->\", AuthMechanism, \" )\"), AuthMechanism)\r\n | extend Bindings = iff(tostring(Bindings) != tostring(prev(Bindings)) and tostring(prev(Bindings)) != \"\" and Identity == prev(Identity), strcat(\"📍 \", tostring(Bindings), \" (\", prev(Bindings), \"->\", tostring(Bindings), \" )\"), tostring(Bindings))\r\n | 
extend RemoteIPRange = iff(tostring(RemoteIPRange) != tostring(prev(RemoteIPRange)) and tostring(prev(RemoteIPRange)) != \"\" and Identity == prev(Identity), strcat(\"📍 \", tostring(RemoteIPRange), \" (\", prev(RemoteIPRange), \"->\", RemoteIPRange, \" )\"), tostring(RemoteIPRange))\r\n | extend ActiontypeR =iff(( Name contains \"📍\" or TransportRole contains \"📍\" or Enabled contains \"📍\" or PermissionGroups contains \"📍\" or AuthMechanism contains \"📍\" or Bindings contains \"📍\" or Bindings contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n tostring=(Bindings),\r\n tostring(RemoteIPRange),\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n Actiontype,\r\n WhenChanged,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n Bindings = Bindings_string,\r\n RemoteIPRange = RemoteIPRange_string,\r\n WhenCreated", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4 - Copy" } ] }, 
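Review bot: `DiffRemoveData` joins `leftanti AfterData on Server` while `DiffAddData` joins `on Identity`, so a receive connector that disappears from a server which still has another ExternalAuthoritative connector is silently dropped from the Remove set; `| join kind = leftanti AfterData on Identity` matches the Add side (the hunk at -2557 has the same mismatch, the one at -2513 already uses Identity). The `ActiontypeR` predicate lists `Bindings contains "📍"` twice and never tests `RemoteIPRange`, so a change only to the remote IP ranges — the parameter that decides which hosts may relay through the connector — is not surfaced as a modification; replace the duplicate term with `RemoteIPRange contains "📍"` (same defect in -2513 and -2557). In the `DiffModifData` projection `tostring=(Bindings)` creates a column named `tostring` instead of keeping `Bindings`, so Modif rows presumably have nothing to feed `Bindings = Bindings_string` in the final project; -2513 has the correct `Bindings,` there. `_currD`, `_CurrentDateB` and `let i=0` are dead definitions.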
@@ -2454,7 +2991,8 @@
 "showDefault": false
 },
 "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "value": null
 },
 {
 "id": "bcb24a01-9242-4fec-b30a-02b0583cbc87",
@@ -2477,7 +3015,7 @@
 {
 "type": 1,
 "content": {
- "json": "The toogle buttom help you to sort by:\r\n\r\n- Server\r\n- Receive connectors with no IP restrictions"
+ "json": "The toggle button helps you to sort by:\r\n- Server\r\n- Receive connectors with/without no IP restrictions"
 },
 "name": "text - 3 - Copy"
 },
@@ -2513,6 +3051,25 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| where CmdletResultValue.Server.Name contains \"{Server}\"\r\n| where (CmdletResultValue.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n | where CmdletResultValue.PermissionGroupsString contains \"Anonymous\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\r\n | project CmdletResultValue,WhenChanged,WhenCreated\r\n | extend Server = tostring(CmdletResultValue.Server.Name)\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \"32\", \"HubTransport\", \"FrontendTransport\")\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\r\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\r\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\r\n | mv-expand BindingAllall=CmdletResultValue.Bindings\r\n | extend RemoteIP= RemoteIPall.Expression\r\n | 
extend IP= strcat (BindingAllall.Address, \"-\", BindingAllall.Port)\r\n | extend Identity = strcat(Server,'\\\\',Name)\r\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\r\n | sort by Server asc\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Server.Name contains \"{Server}\"\r\n | where (CmdletResultValue.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n | where CmdletResultValue.PermissionGroupsString contains \"Anonymous\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\r\n | project CmdletResultValue, WhenChanged,WhenCreated\r\n | extend Server = tostring(CmdletResultValue.Server.Name)\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \"32\", \"HubTransport\", \"FrontendTransport\")\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\r\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\r\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\r\n | mv-expand BindingAllall=CmdletResultValue.Bindings\r\n | extend RemoteIP= RemoteIPall.Expression\r\n | extend IP= strcat (BindingAllall.Address, \"-\", BindingAllall.Port)\r\n | extend Identity = strcat(Server,'\\\\',Name)\r\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\r\n | sort by Server asc\r\n;\r\nlet i=0;\r\nlet 
DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Identity\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Identity\r\n | extend Actiontype =\"Remove\"\r\n | extend Binding = tostring(Bindings)\r\n | extend RIR = tostring(RemoteIPRange)\r\n | distinct\r\n WhenChanged,\r\n Actiontype,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n Bindings = Binding,\r\n RemoteIPRange = RIR,\r\n WhenCreated \r\n;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by WhenChanged asc \r\n | sort by Server, Name asc\r\n | extend Identity = strcat(Server,\"\\\\\",Name)\r\n | extend Name = iff(Name != prev(Name) and prev(Name) != \"\" and Identity == prev(Identity) , strcat(\"📍 \", Name, \" (\", prev(Name), \"->\", Name, \" )\"), Name)\r\n | extend TransportRole = iff(TransportRole != prev(TransportRole) and prev(TransportRole) != \"\"and Identity == prev(Identity), strcat(\"📍 \", TransportRole, \" (\", prev(TransportRole), \"->\", TransportRole, \" )\"), TransportRole)\r\n | extend Enabled = iff(Enabled != prev(Enabled) and prev(Enabled) != \"\" and Identity == prev(Identity), strcat(\"📍 \", Enabled, \" (\", prev(Enabled), \"->\", Enabled, \" )\"), Enabled)\r\n | extend PermissionGroups = iff(PermissionGroups != prev(PermissionGroups) and prev(PermissionGroups) != \"\" and Identity == prev(Identity), strcat(\"📍 \", PermissionGroups, \" (\", prev(PermissionGroups), \"->\", PermissionGroups, \" )\"), PermissionGroups)\r\n | extend AuthMechanism = iff(AuthMechanism != prev(AuthMechanism) and prev(AuthMechanism) != \"\" and Identity == prev(Identity), strcat(\"📍 \", AuthMechanism, \" (\", prev(AuthMechanism), \"->\", AuthMechanism, \" )\"), AuthMechanism)\r\n | extend Bindings = iff(tostring(Bindings) != tostring(prev(Bindings)) and tostring(prev(Bindings)) != \"\" and Identity == prev(Identity), strcat(\"📍 \", tostring(Bindings), \" (\", 
prev(Bindings), \"->\", tostring(Bindings), \" )\"), tostring(Bindings))\r\n | extend RemoteIPRange = iff(tostring(RemoteIPRange) != tostring(prev(RemoteIPRange)) and tostring(prev(RemoteIPRange)) != \"\" and Identity == prev(Identity), strcat(\"📍 \", tostring(RemoteIPRange), \" (\", prev(RemoteIPRange), \"->\", RemoteIPRange, \" )\"), tostring(RemoteIPRange))\r\n | extend ActiontypeR =iff(( Name contains \"📍\" or TransportRole contains \"📍\" or Enabled contains \"📍\" or PermissionGroups contains \"📍\" or AuthMechanism contains \"📍\" or Bindings contains \"📍\" or Bindings contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n Bindings,\r\n RemoteIPRange,\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n Actiontype,\r\n WhenChanged,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n Bindings = Bindings_string,\r\n RemoteIPRange = RemoteIPRange_string,\r\n WhenCreated", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4 - Copy - Copy" } ] }, 
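Review bot: The new item is named `query - 4 - Copy - Copy` and carries the same title as the ExternalAuthoritative item in the hunk at -2414, although the two differ only in the `PermissionGroupsString contains "Anonymous"` predicate; a descriptive name such as `"name": "AnonymousReceiveConnectorChanges"` and a title that names the connector class would make the workbook navigable and accidental duplicates visible. Unlike its siblings this item omits `"gridSettings": { "filter": true }`, so this grid cannot be filtered while the others can. The `_currD`, `_CurrentDateB` and `let i=0` definitions are unused here as in the other copies and could be removed from all of them.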
@@ -2528,7 +3085,7 @@
 {
 "type": 1,
 "content": {
- "json": "A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\r\n\r\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\r\n- BlindCopyTo\r\n- RedirectMessageTo\r\n- CopyTo\r\n\r\n\r\nFor more information :\r\nMail flow rules in Exchange Serve\r\n",
+ "json": "A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\r\n\r\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\r\n- BlindCopyTo\r\n- RedirectMessageTo\r\n- CopyTo\r\n\r\n\r\nFor more information :\r\nMail flow rules in Exchange Server\r\n",
 "style": "info"
 },
 "conditionalVisibility": {
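Review bot: The fix to "Exchange Server" leaves the earlier typo `sentitive` in the same string; `This section shows your Transport rules with sensitive actions that can lead to data leaks:` would complete the correction in one pass.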
@@ -2557,103 +3114,66 @@ "styleSettings": { "showBorder": true } - } - ] - }, - "name": "Transport Rules actions to monitor" - }, - { - "type": 1, - "content": { - "json": "### Journal Mailboxes" - }, - "name": "JournalMailboxHelp" - }, - { - "type": 1, - "content": { - "json": "The **Journal Mailboxes** contain emails sent and received by specific or all users. The content of these mailboxes is very sensitives.\r\n\r\nJournal Rules should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. Also by default, no one should access to these mailboxes.\r\n\r\nThen, it is recommended to regularly check who have Full Access mailbox or Receive As on these mailboxes.\r\nAdditional information :\r\n\r\nJournaling in Exchange Server\r\n\r\nJournaling procedures\r\n\r\n\r\nMailbox audit logging in Exchange Server\r\n\r\n\r\n", - "style": "info" - }, - "conditionalVisibility": { - "parameterName": "Help", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "JournalHelp" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"JournalRule\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| extend Identity = tostring(CmdletResultValue.Identity)\r\n| extend Status= iff ( tostring(CmdletResultValue.Enabled)== \"Enabled\" or tostring(CmdletResultValue.Enabled)== \"1\" , \"Enabled\", iff(tostring(CmdletResultValue.Enabled)==\"\",\"\", \"Disabled\"))\r\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress)\r\n| extend Recipient = tostring(CmdletResultValue.Recipient)\r\n| sort by Identity asc\r\n| sort by Status desc\r\n| project-away CmdletResultValue\r\n", - "size": 1, - "showAnalytics": true, - "title": "Journal Rules configured in your environment", - "showExportToExcel": 
true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "rowLimit": 10000, - "filter": true - } - }, - "name": "JournalQuery", - "styleSettings": { - "showBorder": true - } - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "title": "Journal Recipients on mailbox databases configured in your environment", - "items": [ + }, { - "type": 1, + "type": 3, "content": { - "json": "As Journal Recipient on databases send all the mail send to users in this database to a specific mailbox. The content of these mailboxes is very sensitive.\r\n\r\nJournal Recipients configuration should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. No one should have access to these mailboxes by default.\r\n\r\nIt is recommended to regularly check who have Full Access or Receive As on these mailboxes.\r\n\r\nAdditional information :\r\n\r\nJournaling in Exchange Server\r\n\r\nJournaling procedures\r\n\r\n\r\nMailbox audit logging in Exchange Server\r\n", - "style": "info" + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n | extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\n//let _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| where CmdletResultValue.Server.Name contains \"{Server}\"\r\n| where 
(CmdletResultValue.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n | where CmdletResultValue.PermissionGroupsString contains \"Anonymous\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\r\n | project CmdletResultValue,WhenChanged,WhenCreated\r\n | extend Server = tostring(CmdletResultValue.Server.Name)\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \"32\", \"HubTransport\", \"FrontendTransport\")\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\r\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\r\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\r\n | mv-expand BindingAllall=CmdletResultValue.Bindings\r\n | extend RemoteIP= RemoteIPall.Expression\r\n | extend IP= strcat (BindingAllall.Address, \"-\", BindingAllall.Port)\r\n | extend Identity = strcat(Server,'\\\\',Name)\r\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\r\n | sort by Server asc\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Server.Name contains \"{Server}\"\r\n | where (CmdletResultValue.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n | where CmdletResultValue.PermissionGroupsString contains \"Anonymous\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\r\n | project 
CmdletResultValue, WhenChanged,WhenCreated\r\n | extend Server = tostring(CmdletResultValue.Server.Name)\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \"32\", \"HubTransport\", \"FrontendTransport\")\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\r\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\r\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\r\n | mv-expand BindingAllall=CmdletResultValue.Bindings\r\n | extend RemoteIP= RemoteIPall.Expression\r\n | extend IP= strcat (BindingAllall.Address, \"-\", BindingAllall.Port)\r\n | extend Identity = strcat(Server,'\\\\',Name)\r\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\r\n | sort by Server asc\r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Identity\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Server\r\n | extend Actiontype =\"Remove\"\r\n | extend Binding = tostring(Bindings)\r\n | extend RIR = tostring(RemoteIPRange)\r\n | distinct\r\n WhenChanged,\r\n Actiontype,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n Bindings = Binding,\r\n RemoteIPRange = RIR,\r\n WhenCreated \r\n;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by WhenChanged asc \r\n | sort by Server, Name asc\r\n | extend Identity = strcat(Server,\"\\\\\",Name)\r\n | extend Name = iff(Name != prev(Name) and prev(Name) != \"\" and Identity == prev(Identity) , strcat(\"📍 \", Name, \" (\", prev(Name), \"->\", Name, \" )\"), Name)\r\n | extend TransportRole = iff(TransportRole != prev(TransportRole) and prev(TransportRole) 
!= \"\"and Identity == prev(Identity), strcat(\"📍 \", TransportRole, \" (\", prev(TransportRole), \"->\", TransportRole, \" )\"), TransportRole)\r\n | extend Enabled = iff(Enabled != prev(Enabled) and prev(Enabled) != \"\" and Identity == prev(Identity), strcat(\"📍 \", Enabled, \" (\", prev(Enabled), \"->\", Enabled, \" )\"), Enabled)\r\n | extend PermissionGroups = iff(PermissionGroups != prev(PermissionGroups) and prev(PermissionGroups) != \"\" and Identity == prev(Identity), strcat(\"📍 \", PermissionGroups, \" (\", prev(PermissionGroups), \"->\", PermissionGroups, \" )\"), PermissionGroups)\r\n | extend AuthMechanism = iff(AuthMechanism != prev(AuthMechanism) and prev(AuthMechanism) != \"\" and Identity == prev(Identity), strcat(\"📍 \", AuthMechanism, \" (\", prev(AuthMechanism), \"->\", AuthMechanism, \" )\"), AuthMechanism)\r\n | extend Bindings = iff(tostring(Bindings) != tostring(prev(Bindings)) and tostring(prev(Bindings)) != \"\" and Identity == prev(Identity), strcat(\"📍 \", tostring(Bindings), \" (\", prev(Bindings), \"->\", tostring(Bindings), \" )\"), tostring(Bindings))\r\n | extend RemoteIPRange = iff(tostring(RemoteIPRange) != tostring(prev(RemoteIPRange)) and tostring(prev(RemoteIPRange)) != \"\" and Identity == prev(Identity), strcat(\"📍 \", tostring(RemoteIPRange), \" (\", prev(RemoteIPRange), \"->\", RemoteIPRange, \" )\"), tostring(RemoteIPRange))\r\n | extend ActiontypeR =iff(( Name contains \"📍\" or TransportRole contains \"📍\" or Enabled contains \"📍\" or PermissionGroups contains \"📍\" or AuthMechanism contains \"📍\" or Bindings contains \"📍\" or Bindings contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n Bindings,\r\n RemoteIPRange,\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend 
WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n Actiontype,\r\n WhenChanged,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n Bindings = Bindings_string,\r\n RemoteIPRange = RemoteIPRange_string,\r\n WhenCreated", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { - "parameterName": "Help", + "parameterName": "Compare_Collect", "comparison": "isEqualTo", - "value": "Yes" + "value": "True" }, - "name": "JournalRecipientsHelp" + "name": "query - 4 - Copy - Copy - Copy" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MbxDBJournaling\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.JournalRecipient !=\"\"\r\n| project CmdletResultValue\r\n| extend Identity = tostring(CmdletResultValue.Identity.Name)\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient)\r\n| project-away CmdletResultValue\r\n| sort by Identity asc\r\n", - "size": 1, + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"TransportRule\", SpecificConfigurationDate=_CurrentDate, 
SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n | extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\n//let _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"TransportRule\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| project CmdletResultValue,TimeGenerated\r\n| extend Identity = iif( CmdletResultValue.Identity contains \"OrgHierarchyToIgnore\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\r\n//| extend State = tostring(CmdletResultValue.State)\r\n| extend Status= iff ( tostring(CmdletResultValue.State)== \"Enabled\" or tostring(CmdletResultValue.State)== \"1\" , \"Enabled\",iff(tostring(CmdletResultValue.State)==\"\",\"\", \"Disabled\"))\r\n| extend SentTo = tostring(CmdletResultValue.SentToString)\r\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\r\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\r\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\r\n| extend Mode = tostring(CmdletResultValue.Identity.Mode)\r\n| project-away CmdletResultValue\r\n| sort by Identity asc\r\n| sort by Status desc\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"TransportRule\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| project CmdletResultValue, TimeGenerated\r\n| extend Identity = iif( CmdletResultValue.Identity contains \"OrgHierarchyToIgnore\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\r\n//| extend State = tostring(CmdletResultValue.State)\r\n| extend Status= iff ( tostring(CmdletResultValue.State)== \"Enabled\" or tostring(CmdletResultValue.State)== \"1\" , \"Enabled\",iff(tostring(CmdletResultValue.State)==\"\",\"\", \"Disabled\"))\r\n| extend SentTo = 
tostring(CmdletResultValue.SentToString)\r\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\r\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\r\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\r\n| extend Mode = tostring(CmdletResultValue.Identity.Mode)\r\n| project-away CmdletResultValue\r\n| sort by Identity asc\r\n| sort by Status desc\r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Identity\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Identity\r\n | extend Actiontype =\"Remove\"\r\n | distinct\r\n TimeGenerated,\r\n Actiontype,\r\n Identity,\r\n Status,\r\n SentTo,\r\n BlindCopyTo,\r\n CopyTo,\r\n RedirectMessageTo,\r\n Mode\r\n;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by Identity, TimeGenerated asc\r\n | extend Status = iff(Status != prev(Status) and Identity == prev(Identity), strcat(\"📍 \", Status, \" (\", iff(prev(Status)==\"\",\"Null\",prev(Status)), \"->\", Status, \" )\"), Status)\r\n | extend SentTo = iff(SentTo != prev(SentTo) and Identity == prev(Identity), strcat(\"📍 \", SentTo, \" (\", iff(prev(SentTo)==\"\",\"Null\",prev(SentTo)), \"->\", SentTo, \" )\"), SentTo)\r\n | extend BlindCopyTo = iff(BlindCopyTo != prev(BlindCopyTo) and Identity == prev(Identity), strcat(\"📍 \", BlindCopyTo, \" (\", iff(prev(BlindCopyTo)==\"\",\"Null\",prev(BlindCopyTo)), \"->\", BlindCopyTo, \" )\"), BlindCopyTo)\r\n | extend CopyTo = iff(CopyTo != prev(CopyTo) and Identity == prev(Identity), strcat(\"📍 \", CopyTo, \" (\", iff(prev(CopyTo)==\"\",\"Null\",prev(CopyTo)), \"->\", CopyTo, \" )\"), CopyTo)\r\n | extend RedirectMessageTo = iff(CopyTo != prev(RedirectMessageTo) and Identity == prev(Identity), strcat(\"📍 \", RedirectMessageTo, \" (\", iff(prev(RedirectMessageTo)==\"\",\"Null\",prev(RedirectMessageTo)), \"->\", RedirectMessageTo, \" )\"), RedirectMessageTo)\r\n | 
extend Mode = iff(Mode != prev(Mode) and Identity == prev(Identity), strcat(\"📍 \", Mode, \" (\", iff(prev(Mode)==\"\",\"Null\",prev(Mode)), \"->\", Mode, \" )\"), Mode)\r\n | extend ActiontypeR =iff(( Identity contains \"📍\" or Status contains \"📍\" or SentTo contains \"📍\" or BlindCopyTo contains \"📍\" or CopyTo contains \"📍\" or RedirectMessageTo contains \"📍\" or Mode contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n TimeGenerated,\r\n Actiontype,\r\n Identity,\r\n Status,\r\n SentTo,\r\n BlindCopyTo,\r\n CopyTo,\r\n RedirectMessageTo,\r\n Mode\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by TimeGenerated desc \r\n| project\r\n TimeGenerated,\r\n Actiontype,\r\n Identity,\r\n Status,\r\n SentTo,\r\n BlindCopyTo,\r\n CopyTo,\r\n RedirectMessageTo,\r\n Mode", + "size": 3, "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, - "name": "query - 1", - "styleSettings": { - "showBorder": true - } + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4 - Copy - Copy - Copy - Copy" } ] }, - "name": "JournalRecipientsGroup" + "name": "Transport Rules actions to monitor" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Remote Domain Autofoward Configuration - * should not allow AutoForwardEnabled", "items": [ { "type": 1, "content": { - "json": "If **AutoForwardEnabled** is set to True for an SMTP domain, then users in Outlook are allowed to set automatic transfer of all their emails 
to addresses in this domain.\r\n\r\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. \r\n\r\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\r\n\r\nAdditional information:\r\n\r\nRemote Domains\r\n", + "json": "### Journal Mailboxes" + }, + "name": "JournalMailboxHelp" + }, + { + "type": 1, + "content": { + "json": "The **Journal Mailboxes** contain emails sent and received by specific or all users. The content of these mailboxes is very sensitives.\r\n\r\nJournal Rules should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. Also by default, no one should access to these mailboxes.\r\n\r\nThen, it is recommended to regularly check who have Full Access mailbox or Receive As on these mailboxes.\r\nAdditional information :\r\n\r\nJournaling in Exchange Server\r\n\r\nJournaling procedures\r\n\r\n\r\nMailbox audit logging in Exchange Server\r\n\r\n\r\n", "style": "info" }, "conditionalVisibility": { 
@@ -2661,15 +3181,16 @@ "comparison": "isEqualTo", "value": "Yes" }, - "name": "AutoForwardHelp" + "name": "JournalHelp" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"RemoteDomain\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| extend Name = tostring(CmdletResultValue.Name)\r\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address == \"*\", strcat (\"❌\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address != \"*\", strcat (\"⚠️\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\"✅\",tostring(CmdletResultValue.AutoForwardEnabled))))\r\n| project-away CmdletResultValue\r\n| sort by Address asc ", + "query": "ExchangeConfiguration(SpecificSectionList=\"JournalRule\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| extend Name = tostring(CmdletResultValue.Name)\r\n| extend Status= iff ( tostring(CmdletResultValue.Enabled)== \"true\" , \"Enabled\", iff(tostring(CmdletResultValue.Enabled)==\"\",\"\", \"Disabled\"))\r\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\r\n| extend Recipient = tostring(CmdletResultValue.Recipient.Address)\r\n| sort by Name asc\r\n| sort by Status desc\r\n| project-away CmdletResultValue\r\n", "size": 1, "showAnalytics": true, + "title": "Journal Rules configured in your environment", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", 
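Review bot: The new JournalRule query ends with `| sort by Name asc` immediately followed by `| sort by Status desc`; the second sort has a single key, so rows with equal Status come out in no guaranteed order and the Name ordering is effectively discarded. If the intent is Status first and Name within it, the pair should be one sort, `| sort by Status desc, Name asc`. The same two-step pattern is repeated in the allDataRange, BeforeData and AfterData sub-queries of the JournalRule comparison query in the next hunk. The leftover `//| extend Enabled = tostring(CmdletResultValue.Enabled)` line can also go now that Status replaces it.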
@@ -2678,50 +3199,224 @@ "filter": true } }, - "name": "query - 1", + "name": "JournalQuery", "styleSettings": { "showBorder": true } }, { - "type": 1, + "type": 3, "content": { - "json": "Accepted domains set to * authorize Open Relay.\r\n\r\nMore information:\r\n\r\nAccepted domains\r\n", - "style": "info" + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"JournalRule\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"JournalRule\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | project CmdletResultValue, TimeGenerated\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend Status= iff (tostring(CmdletResultValue.Enabled) == \"true\", \"Enabled\", iff(tostring(CmdletResultValue.Enabled) == \"\", \"\", \"Disabled\"))\r\n //| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\r\n | extend Recipient = tostring(CmdletResultValue.Recipient.Address)\r\n | extend Allinfo = strcat(Name,JournalEmailAddress,Recipient)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Name asc\r\n | sort by Status desc\r\n;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on Allinfo \r\n | distinct \r\n TimeGenerated,\r\n Name,\r\n Status,\r\n JournalEmailAddress,\r\n Recipient,\r\n Allinfo\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"JournalRule\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend Status= iff (tostring(CmdletResultValue.Enabled) == \"true\", \"Enabled\", iff(tostring(CmdletResultValue.Enabled) == \"\", \"\", \"Disabled\"))\r\n //| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\r\n | extend Recipient = tostring(CmdletResultValue.Recipient.Address)\r\n | extend Allinfo = strcat(Name,JournalEmailAddress,Recipient)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Name asc\r\n | sort by Status desc\r\n ;\r\nlet AfterData = \r\n 
ExchangeConfiguration(SpecificSectionList=\"JournalRule\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend Status= iff (tostring(CmdletResultValue.Enabled) == \"true\", \"Enabled\", iff(tostring(CmdletResultValue.Enabled) == \"\", \"\", \"Disabled\"))\r\n //| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\r\n | extend Recipient = tostring(CmdletResultValue.Recipient.Address)\r\n | extend Allinfo = strcat(Name,JournalEmailAddress,Recipient)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Name asc\r\n | sort by Status desc\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData) on Allinfo\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n | join kind = innerunique (BeforeData) on Allinfo\r\n | extend Actiontype = iff (Name != \"\", \"Remove\", \"\")\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\r\n | extend Actiontype =\"Add/Remove\"\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Allinfo\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype), \"N/A\")\r\n| where Name <> \"\"\r\n| project\r\n Actiontype,\r\n Name,\r\n Status,\r\n JournalEmailAddress,\r\n Recipient", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { - "parameterName": "Help", 
+ "parameterName": "Compare_Collect", "comparison": "isEqualTo", - "value": "Yes" + "value": "True" }, - "name": "text - 3" + "name": "query - 4 - Copy - Copy - Copy - Copy - Copy" }, { - "type": 3, + "type": 12, "content": { - "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"AcceptedDomain\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where CmdletResultValue.DomainName.Address == \"*\"\r\n| extend Name = tostring(CmdletResultValue.Name)\r\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n| extend Address = \"* : ❌ OpenRelay configuration\"\r\n| extend DomainType = case(CmdletResultValue.DomainType==\"0\",\"Authoritative Domain\",CmdletResultValue.DomainType==\"1\",\"ExternalRelay\",CmdletResultValue.DomainType==\"2\",\"InternalRelay\",\"NotApplicable\")\r\n| project-away CmdletResultValue", - "size": 1, - "showAnalytics": true, - "title": "Accepted domain with *", - "noDataMessage": "Accepted Domain * not confirgured (no Open Relay)", - "noDataMessageStyle": 3, - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "rowLimit": 10000, - "filter": true - } + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Journal Recipients on mailbox databases configured in your environment", + "items": [ + { + "type": 1, + "content": { + "json": "As Journal Recipient on databases send all the mail send to users in this database to a specific mailbox. The content of these mailboxes is very sensitive.\r\n\r\nJournal Recipients configuration should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. 
No one should have access to these mailboxes by default.\r\n\r\nIt is recommended to regularly check who have Full Access or Receive As on these mailboxes.\r\n\r\nAdditional information :\r\n\r\nJournaling in Exchange Server\r\n\r\nJournaling procedures\r\n\r\n\r\nMailbox audit logging in Exchange Server\r\n", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "JournalRecipientsHelp" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ExchangeConfiguration(SpecificSectionList=\"MbxDBJournaling\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.JournalRecipient !=\"\"\r\n| project CmdletResultValue\r\n| extend Identity = tostring(CmdletResultValue.Identity.Name)\r\n| extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient.Name)\r\n| project-away CmdletResultValue\r\n| sort by Identity asc\r\n", + "size": 1, + "showAnalytics": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "sortBy": [ + { + "itemKey": "JournalRecipient", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "JournalRecipient", + "sortOrder": 1 + } + ] + }, + "name": "query - 1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"MbxDBJournaling\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n | extend TimeMax = 
tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\n//let _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"MbxDBJournaling\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| project CmdletResultValue,WhenChanged,WhenCreated\r\n| extend Identity = tostring(CmdletResultValue.Identity.Name)\r\n| extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient.Name)\r\n| project-away CmdletResultValue\r\n| sort by Identity asc \r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"MbxDBJournaling\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue,WhenChanged,WhenCreated\r\n | extend Identity = tostring(CmdletResultValue.Identity.Name)\r\n | extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient.Name)\r\n | project-away CmdletResultValue\r\n | sort by Identity asc \r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Identity\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Identity\r\n | extend Actiontype =\"Remove\"\r\n | distinct\r\n WhenChanged,\r\n Actiontype,\r\n Identity,\r\n JournalRecipient,\r\n WhenCreated \r\n;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by Identity, WhenChanged asc\r\n | extend JournalRecipient = iff(JournalRecipient != prev(JournalRecipient) and Identity == prev(Identity), strcat(\"📍 \", JournalRecipient, \" (\", iff(prev(JournalRecipient)==\"\",\"Null\",prev(JournalRecipient)), \"->\", JournalRecipient, \" )\"), JournalRecipient)\r\n | extend ActiontypeR =iff(( Identity contains \"📍\" or JournalRecipient contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n 
Identity,\r\n JournalRecipient,\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n WhenChanged,\r\n Actiontype,\r\n Identity,\r\n JournalRecipient,\r\n WhenCreated", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4 - Copy - Copy - Copy - Copy - Copy" + } + ] }, - "name": "query - 4", - "styleSettings": { - "showBorder": true - } + "name": "JournalRecipientsGroup" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Remote Domain Autofoward Configuration - * should not allow AutoForwardEnabled", + "items": [ + { + "type": 1, + "content": { + "json": "If **AutoForwardEnabled** is set to True for an SMTP domain, then users in Outlook are allowed to set automatic transfer of all their emails to addresses in this domain.\r\n\r\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. 
\r\n\r\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\r\n\r\nAdditional information:\r\n\r\nRemote Domains\r\n", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "AutoForwardHelp" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ExchangeConfiguration(SpecificSectionList=\"RemoteDomain\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| extend Name = tostring(CmdletResultValue.Name)\r\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address == \"*\", strcat (\"❌\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address != \"*\", strcat (\"⚠️\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\"✅\",tostring(CmdletResultValue.AutoForwardEnabled))))\r\n| project-away CmdletResultValue\r\n| sort by Address asc ", + "size": 1, + "showAnalytics": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"RemoteDomain\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = 
arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"RemoteDomain\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| project CmdletResultValue,WhenChanged,WhenCreated\r\n| extend Name = tostring(CmdletResultValue.Name)\r\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address == \"*\", strcat (\"❌\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address != \"*\", strcat (\"⚠️\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\"✅\",tostring(CmdletResultValue.AutoForwardEnabled))))\r\n| project-away CmdletResultValue\r\n| sort by Address asc \r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"RemoteDomain\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue,WhenChanged,WhenCreated\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n | extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address == \"*\", strcat (\"❌\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address != \"*\", strcat (\"⚠️\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\"✅\",tostring(CmdletResultValue.AutoForwardEnabled))))\r\n | project-away CmdletResultValue\r\n | sort by Address asc \r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Name\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n 
| join kind = leftanti AfterData on Name\r\n | extend Actiontype =\"Remove\"\r\n | distinct\r\n WhenChanged,\r\n Actiontype,\r\n Name,\r\n Address,\r\n AutoForwardEnabled,\r\n WhenCreated \r\n;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by WhenChanged asc \r\n | sort by Name asc\r\n //| extend Name = iff(Name != prev(Name) and prev(Name) != \"\" , strcat(\"📍 \", Name, \" (\", prev(Name), \"->\", Name, \" )\"), Name)\r\n | extend Address = iff(Address != prev(Address) and prev(Address) != \"\" and Name == prev(Name), strcat(\"📍 \", Address, \" (\", prev(Address), \"->\", Address, \" )\"), Address)\r\n | extend AutoForwardEnabled = iff(AutoForwardEnabled != prev(AutoForwardEnabled) and prev(AutoForwardEnabled) != \"\" and Name == prev(Name), strcat(\"📍 \", AutoForwardEnabled, \" (\", prev(AutoForwardEnabled), \"->\", AutoForwardEnabled, \" )\"), AutoForwardEnabled)\r\n | extend ActiontypeR =iff(( Name contains \"📍\" or Address contains \"📍\" or AutoForwardEnabled contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n Name,\r\n Address,\r\n AutoForwardEnabled,\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n WhenChanged,\r\n Actiontype,\r\n Name,\r\n Address,\r\n AutoForwardEnabled,\r\n WhenCreated", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + 
"conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4 - Copy - Copy - Copy - Copy" + }, + { + "type": 1, + "content": { + "json": "Accepted domains set to * authorize Open Relay.\r\n\r\nMore information:\r\n\r\nAccepted domains\r\n", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "text - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ExchangeConfiguration(SpecificSectionList=\"AcceptedDomain\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where CmdletResultValue.DomainName.Address == \"*\"\r\n| extend Name = tostring(CmdletResultValue.Name)\r\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n| extend Address = \"* : ❌ OpenRelay configuration\"\r\n| extend DomainType = case(CmdletResultValue.DomainType==\"0\",\"Authoritative Domain\",CmdletResultValue.DomainType==\"1\",\"ExternalRelay\",CmdletResultValue.DomainType==\"2\",\"InternalRelay\",\"NotApplicable\")\r\n| project-away CmdletResultValue", + "size": 1, + "showAnalytics": true, + "title": "Accepted domain with *", + "noDataMessage": "Accepted Domain * not confirgured (no Open Relay)", + "noDataMessageStyle": 3, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = 
(ExchangeConfiguration(SpecificSectionList=\"AcceptedDomain\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"AcceptedDomain\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue, WhenChanged, WhenCreated\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n | extend DomainType = case(CmdletResultValue.DomainType==\"0\",\"Authoritative Domain\",CmdletResultValue.DomainType==\"1\",\"ExternalRelay\",CmdletResultValue.DomainType==\"2\",\"InternalRelay\",\"NotApplicable\")\r\n | project-away CmdletResultValue\r\n | sort by Address asc \r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"AcceptedDomain\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue, WhenChanged, WhenCreated\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n | extend DomainType = case(CmdletResultValue.DomainType==\"0\",\"Authoritative Domain\",CmdletResultValue.DomainType==\"1\",\"ExternalRelay\",CmdletResultValue.DomainType==\"2\",\"InternalRelay\",\"NotApplicable\")\r\n | project-away CmdletResultValue\r\n | sort by Address asc \r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Name\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Name\r\n | extend Actiontype =\"Remove\"\r\n | distinct\r\n WhenChanged,\r\n Actiontype,\r\n Name,\r\n Address,\r\n DomainType,\r\n WhenCreated 
\r\n;\r\nlet DiffModifData = union BeforeData, AfterData\r\n | sort by WhenChanged asc \r\n | sort by Name asc\r\n // | extend Name = iff(Name != prev(Name) and prev(Name) != \"\", strcat(\"📍 \", Name, \" (\", prev(Name), \"->\", Name, \" )\"), Name)\r\n | extend Address = iff(Address != prev(Address) and prev(Address) != \"\" and Name == prev(Name), strcat(\"📍 \", Address, \" (\", prev(Address), \"->\", Address, \" )\"), Address)\r\n | extend DomainType = iff(DomainType != prev(DomainType) and prev(DomainType) != \"\" and Name == prev(Name), strcat(\"📍 \", DomainType, \" (\", prev(DomainType), \"->\", DomainType, \" )\"), DomainType)\r\n | extend ActiontypeR =iff((Name contains \"📍\" or Address contains \"📍\" or DomainType contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n Name,\r\n Address,\r\n DomainType,\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n WhenChanged,\r\n Actiontype,\r\n Name,\r\n Address,\r\n DomainType,\r\n WhenCreated", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4 - Copy - Copy - Copy - Copy - Copy" + } + ] + }, + "name": "ForwardGroup" } ] }, - "name": "ForwardGroup" + "name": "Journal Rules" } ] }, 
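Review bot: In the RemoteDomain grid query and in both BeforeData and AfterData of the RemoteDomain comparison query, the AutoForwardEnabled marker tests `CmdletResultValue.Address == \"*\"` while Address itself is read from `CmdletResultValue.DomainName.Address` two lines earlier; unless the cmdlet output also carries a top-level Address property, the `*` branch never matches and the default remote domain with AutoForwardEnabled true — the exact condition the group title warns about — is shown with ⚠️ or ✅ instead of ❌. Changing both comparisons to `CmdletResultValue.DomainName.Address == \"*\"` / `!= \"*\"` makes the marker follow the same path as the displayed Address. Separately, the DiffModifData blocks for RemoteDomain and AcceptedDomain run `| sort by WhenChanged asc` and then `| sort by Name asc` before calling `prev()`, so the before/after rows sharing a Name are in no guaranteed order and the `(old->new)` annotation can be inverted; a single `| sort by Name asc, WhenChanged asc`, as the MbxDBJournaling query already does with `sort by Identity, WhenChanged asc`, keeps the comparison deterministic. The duplicated item names `query - 4 - Copy - Copy - Copy - Copy - Copy` within one workbook are also worth giving distinct, descriptive names like the JournalQuery item above.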
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json index e15144438e5..1bf6f4c9f4d 100644 --- a/Workbooks/WorkbooksMetadata.json +++ b/Workbooks/WorkbooksMetadata.json @@ -5689,7 +5689,7 @@ "MicrosoftExchangeAdminActivity-OnlineBlack.png", "MicrosoftExchangeAdminActivity-OnlineWhite.png" ], - "version": "1.0.0", + "version": "1.0.1", "title": "Microsoft Exchange Admin Activity - Online", "templateRelativePath": "Microsoft Exchange Admin Activity - Online.json", "subtitle": "", @@ -5730,7 +5730,7 @@ "MicrosoftExchangeSecurityReviewBlack.png", "MicrosoftExchangeSecurityReviewWhite.png" ], - "version": "1.0.1", + "version": "2.0.0", "title": "Microsoft Exchange Security Review", "templateRelativePath": "Microsoft Exchange Security Review.json", "subtitle": "", From fce564d8a7e23427779d9fb1f8b93cd6b7af6407 Mon Sep 17 00:00:00 2001 From: nlepagnez Date: Mon, 26 Aug 2024 19:58:38 +0200 Subject: [PATCH 06/19] Update Data Connectors using DCR --- .../Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json index 21e93c66161..16f6e8641ff 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json 
@@ -140,7 +140,7 @@ }, { "title": "Create Custom Table using PowerShell in Cloud Shell", - "description": "1. From the Azure Portal, open a Cloud Shell.\n2. Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @''@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/ExchangeHttpProxy_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams" + "description": "1. From the Azure Portal, open a Cloud Shell.\n2. Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t \"schema\": {\n\t\t\t\t\t\t\"name\": \"ExchangeHttpProxy_CL\",\n\t\t\t\t\t\t\"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AccountForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ActivityContextLifeTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ADLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AnchorMailbox\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticatedUser\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticationType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": 
\"AuthModulePerfContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndCookie\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndGenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendProcessingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BuildVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CalculateTargetBackEndLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientIpAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CoreLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"DatabaseGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"EdgeTraceId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ErrorCode\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericErrors\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GlsLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerCompletionLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerToModuleSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpPipelineLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpProxyOverhead\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"IsAuthenticated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"KerberosAuthHeaderLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MajorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Method\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MinorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ModuleToHandlerSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Organization\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"PartitionEndpointLookupLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Protocol\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProtocolAction\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyAction\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestHandlerLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResourceForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResponseBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RevisionVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RouteRefresherLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingHint\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerHostName\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorHost\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"SharedCacheLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetOutstandingRequests\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServer\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServerVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalAccountForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalGlsLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalRequestTime\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalResourceForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalSharedCacheLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlHost\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlQuery\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlStem\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserADObjectGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserAgent\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t }\n\t\t\t }\n\t\t }\n\t\t '@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/ExchangeHttpProxy_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams" } ] }, From d7cd062fb4fb871a91e0d716e5b47f2dc4236d9f Mon Sep 17 00:00:00 2001 
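Review bot: Step 4 of the new description issues an unconditional `-Method PUT` against `tables/ExchangeHttpProxy_CL`, which is a create-or-replace call, so an operator who already has an `ExchangeHttpProxy_CL` table (for example one populated by the now-deprecated connector) would get its schema replaced by this payload with no warning; I would add a step before it that runs the same path with `-Method GET` and tells the reader to stop and reconcile columns if the table already exists. The instructions also pin `api-version=2021-12-01-preview`; if a non-preview tables API version is available for the workspace it should be referenced instead, since preview versions can be withdrawn and leave the documented command failing. Every latency, status and byte-count column in the schema is declared as `string`, which is a legitimate choice for a raw-ingest table but means `HttpStatus`, `RequestBytes` and similar fields will be compared lexically in KQL unless cast; a one-line note in the description that consumers must `toint()`/`tolong()` these fields would prevent silent mis-filtering in detections built on this table.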
From: nlepagnez
Date: Fri, 30 Aug 2024 10:24:16 +0200
Subject: [PATCH 07/19] Add Parsers
---
 .../Parsers/MESCompareDataOnPMRA.yaml | 183 +++++++++++++
 .../Parsers/README.md | 40 +++
 .../ReleaseNotes.md | 2 +-
 .../Parsers/MESCompareDataMRA.yaml | 247 +++++++++---------
 .../Parsers/README.md | 5 +-
 5 files changed, 351 insertions(+), 126 deletions(-)
 create mode 100644 Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/MESCompareDataOnPMRA.yaml
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/MESCompareDataOnPMRA.yaml b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/MESCompareDataOnPMRA.yaml
new file mode 100644
index 00000000000..a1ed584b886
--- /dev/null
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/MESCompareDataOnPMRA.yaml
@@ -0,0 +1,183 @@ +id: 0a0f4ea0-6b94-4420-892e-41ca985f2f01 +Function: + Title: Parser for MRA Configuration Data Comparison On-Premises + Version: '1.0.0' + LastUpdated: '2024-08-30' +Category: Microsoft Sentinel Parser +FunctionName: MESCompareDataOnPMRA +FunctionAlias: MESCompareDataOnPMRA +FunctionParams: + - Name: SectionCompare + Type: string + Description: The Section to compare. Default value is "". + Default: '' + - Name: DateCompare + Type: string + Description: The date of the source comparison. Default value is "lastdate". + Default: 'lastdate' + - Name: CurrentDate + Type: string + Description: The date of the target comparison. Default value is "lastdate". + Default: 'lastdate' + - Name: EnvList + Type: string + Description: List of environments to compare. Default value is "All". + Default: 'All' + - Name: TypeEnv + Type: string + Description: Type of environment to compare. Default value is "Online". + Default: 'Online' + - Name: CurrentRole + Type: string + Description: A specific role to compare. Default value is "". + Default: '' + - Name: ExclusionsAcct + Type: dynamic + Description: List of actors to exclude. Default value is "dynamic('')". + Default: dynamic('') +FunctionQuery: | + // Version: 1.0.0 + // Last Updated: 30/08/2024 + // + // DESCRIPTION: + // This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them. + // + // USAGE: +// Parameters : 7 parameters to add during creation. +// 1. SectionCompare, type string, default value "" +// 2. DateCompare, type string, default value "lastdate" +// 3. CurrentDate, type string, default value "lastdate" +// 4. EnvList, type string, default value "All" +// 5. TypeEnv, type string, default value "Online" +// 6. CurrentRole, type string, default value "" +// 7. 
ExclusionsAcct, type dynamic, default value dynamic("") +// +// Parameters simulation +// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values. +// +// let SectionCompare = "SampleEntry"; +// let EnvList = "All"; +// let TypeEnv = "Online"; +// let CurrentRole = ""; +// let ExclusionsAcct = dynamic(""); +// let DateCompare = "lastdate"; +// let CurrentDate = "lastdate"; +// +// Parameters definition +let _SectionCompare = SectionCompare; +let _EnvList =EnvList; +let _TypeEnv = TypeEnv; +let _CurrentRole =CurrentRole; +let _ExclusionsAcct = ExclusionsAcct; +let _DateCompare = DateCompare; +let _CurrentDate = CurrentDate; +let _DateCompareB = todatetime(DateCompare); +let _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv) +| summarize TimeMax = max(TimeGenerated) +| extend TimeMax = tostring(split(TimeMax,"T")[0]) +| project TimeMax); +let _CurrentDateB = todatetime(toscalar(_currD)); +let BeforeData = + ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv) + | where CmdletResultValue.Role contains _CurrentRole + and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) + and CmdletResultValue.Name !contains "Deleg" + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== "0" or CmdletResultValue.RoleAssigneeType== "2" , "User", CmdletResultValue.RoleAssigneeType== "10","Group","LinkedGroup") + | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name) +| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name) +| extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope=="0","None",CmdletResultValue.RecipientWriteScope=="2","Organization",CmdletResultValue.RecipientWriteScope=="3","MyGAL", CmdletResultValue.RecipientWriteScope=="4","Self",CmdletResultValue.RecipientWriteScope=="7", "CustomRecipientScope",CmdletResultValue.RecipientWriteScope=="8","MyDistributionGroups","NotApplicable") +| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope=="0","None",CmdletResultValue.ConfigWriteScope=="7","CustomConfigScope",CmdletResultValue.ConfigWriteScope=="10","OrganizationConfig","NotApplicable") + | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) + | extend Status= tostring(CmdletResultValue.Enabled) + | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend Role = tostring(CmdletResultValue.Role) + ; +let AfterData = + ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv) + | where CmdletResultValue.Role contains _CurrentRole + and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) + and CmdletResultValue.Name !contains "Deleg" + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== "0" or CmdletResultValue.RoleAssigneeType== "2" , "User", CmdletResultValue.RoleAssigneeType== "10","Group","LinkedGroup") + | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name) +| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name) +| extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope=="0","None",CmdletResultValue.RecipientWriteScope=="2","Organization",CmdletResultValue.RecipientWriteScope=="3","MyGAL", CmdletResultValue.RecipientWriteScope=="4","Self",CmdletResultValue.RecipientWriteScope=="7", "CustomRecipientScope",CmdletResultValue.RecipientWriteScope=="8","MyDistributionGroups","NotApplicable") +| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope=="0","None",CmdletResultValue.ConfigWriteScope=="7","CustomConfigScope",CmdletResultValue.ConfigWriteScope=="10","OrganizationConfig","NotApplicable") + | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) + | extend Status= tostring(CmdletResultValue.Enabled) + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend Role = tostring(CmdletResultValue.Role) + | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") + ; +let i=0; +let allDataRange = + ESIExchangeConfig_CL + | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB) + | where ESIEnvironment_s == _EnvList + | where Section_s == "MRA" + | extend CmdletResultValue = parse_json(rawData_s) + | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t + | where CmdletResultValue.Role contains _CurrentRole + and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) + and CmdletResultValue.Name !contains "Deleg" + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== "0" or CmdletResultValue.RoleAssigneeType== "2" , "User", CmdletResultValue.RoleAssigneeType== "10","Group","LinkedGroup") + | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name) +| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name) +| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope=="0","None",CmdletResultValue.RecipientWriteScope=="2","Organization",CmdletResultValue.RecipientWriteScope=="3","MyGAL", CmdletResultValue.RecipientWriteScope=="4","Self",CmdletResultValue.RecipientWriteScope=="7", "CustomRecipientScope",CmdletResultValue.RecipientWriteScope=="8","MyDistributionGroups","NotApplicable") +| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope=="0","None",CmdletResultValue.ConfigWriteScope=="7","CustomConfigScope",CmdletResultValue.ConfigWriteScope=="10","OrganizationConfig","NotApplicable") + | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) + | extend Status= tostring(CmdletResultValue.Enabled) + | extend Role = tostring(CmdletResultValue.Role) + | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") + ; +let DiffAddDataP1 = allDataRange + | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated +; +let DiffAddDataP2 = 
allDataRange + | join kind = innerunique (allDataRange ) on WhenCreated + | where WhenCreated >=_DateCompareB + | where bin(WhenCreated,5m)==bin(WhenChanged,5m) + | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated + ; +let DiffAddData = union DiffAddDataP1,DiffAddDataP2 +| extend Actiontype ="Add"; +let DiffRemoveData = allDataRange + | join kind = leftanti AfterData on RoleAssigneeName + | extend Actiontype ="Remove" + | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated + | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated + ; +let DiffModifData = union AfterData,allDataRange +| sort by ManagementRoleAssignement,WhenChanged asc +| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !="" , strcat("📍 ", Status, " (",prev(Status),"->", Status," )"),Status) +| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !="" , strcat("📍 ", CustomRecipientWriteScope, " (", prev(CustomRecipientWriteScope),"->", CustomRecipientWriteScope, ")"),CustomRecipientWriteScope) +| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !="" , strcat("📍 ", CustomConfigWriteScope, " (", prev(CustomConfigWriteScope),"->", 
CustomConfigWriteScope, ")"),CustomConfigWriteScope) +| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !="" , strcat("📍 ", RecipientWriteScope, " (", prev(RecipientWriteScope),"->", RecipientWriteScope, ")"),RecipientWriteScope) +| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !="" , strcat("📍 ", ConfigWriteScope, " (", prev(ConfigWriteScope),"->", ConfigWriteScope, ")"),ConfigWriteScope) +| extend ActiontypeR =iff((Status contains "📍" or CustomRecipientWriteScope contains"📍" or CustomConfigWriteScope contains"📍" or RecipientWriteScope contains"📍" or ConfigWriteScope contains"📍" ), i=i + 1, i) +| extend Actiontype =iff(ActiontypeR > 0, "Modif", "NO") +| where ActiontypeR == 1 +| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated +; +union DiffAddData, DiffRemoveData, DiffModifData +| extend RoleAssigneeName = iff(RoleAssigneeType == "User", strcat("🧑‍🦰 ", RoleAssigneeName), strcat("👪 ", RoleAssigneeName)) +| extend WhenChanged = iff (Actiontype == "Modif", WhenChanged, iff(Actiontype == "Add",WhenCreated, WhenChanged)) +//| extend WhenChanged = case(Actiontype == "Modif" , tostring(bin(WhenChanged,1m)), Actiontype == "Add",tostring(bin(WhenChanged,1m)),Actiontype == "Remove","NoInformation","N/A") +| extend Actiontype = case(Actiontype == "Add", strcat("➕ ", Actiontype), Actiontype == "Remove", strcat("➖ ", Actiontype), Actiontype == "Modif", strcat("📍 ", Actiontype), "N/A") +| sort by WhenChanged desc +| project + WhenChanged, + Actiontype, + RoleAssigneeName, + RoleAssigneeType, + Status, + CustomRecipientWriteScope, + CustomConfigWriteScope, + 
RecipientWriteScope, + ConfigWriteScope, + ManagementRoleAssignement, + RoleAssignmentDelegationType, + WhenCreated \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md index 56b98e50e99..d3e7780a041 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md @@ -28,6 +28,10 @@ Parsers are created [using functions in Azure monitor log queries](https://docs. - [Parser Description](#parser-description-3) - [Parser dependency](#parser-dependency-1) - [Parser Setup](#parser-setup-3) + - [Microsoft Exchange Compare Data MRA Parser for On-Premises](#microsoft-exchange-compare-data-mra-parser-for-on-premises) + - [Parser Definition](#parser-definition-4) + - [Parser Description](#parser-description-4) + - [Parser Setup](#parser-setup-4) ## ExchangeConfiguration Parser @@ -184,3 +188,39 @@ This parser is linked to "ExchangeVIP" whatchlist >1 parameter to add during creation : UserToCheck, type string, No default value 1. Function App usually take 10-15 minutes to activate. You can then use Function Alias for other queries + +## Microsoft Exchange Compare Data MRA Parser for On-Premises + +### Parser Definition + +- Title: Microsoft Exchange Compare Data MRA Parser for On-Premises +- Version: 1.0.0 +- Last Updated: 30/08/2024 +- Description: This parser compare data from MRA and ESI Exchange Collector to find differences + +|**Version** |**Details** | +|---------|-----------------------------------------------------------------------------------------------------------------------| +|v1.0 |
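Review bot: `DiffRemoveData` anti-joins `allDataRange` against `AfterData` on `RoleAssigneeName` alone, so a role assignment removed from an assignee who still holds any other assignment is never reported as a removal — precisely the case (one privileged role stripped or quietly swapped while others remain) that a reviewer of management role assignment drift needs to see; join on the assignment identity instead, `| join kind = leftanti AfterData on ManagementRoleAssignement`, or on both columns. The `allDataRange` branch also reads `ESIExchangeConfig_CL` directly with `| where ESIEnvironment_s == _EnvList` while `EnvList` defaults to `'All'` and `TypeEnv` defaults to `'Online'`, so with default parameters `BeforeData`/`AfterData` are resolved through `ExchangeConfiguration(..., Target=_TypeEnv)` but the range query matches the literal string "All"; the three inputs are therefore not guaranteed to come from the same environment or even the same table, and for an On-Premises parser I would default `TypeEnv` to the on-premises target value and make the environment filter mirror whatever `ExchangeConfiguration` does for 'All' (that parser is not visible here, so please confirm its handling). The header comment in the same hunk still says "Exchange Online Configuration" and the `ExclusionsAcct` parameter is documented as `dynamic("")` while the comparison is `!in (_ExclusionsAcct)`; correcting the description to "Exchange On-Premises configuration" and noting that an empty-string exclusion list excludes nothing would keep the two parsers from being confused.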
  • Function initilisation for Sentinel Solution
| + +### Parser Description + +This parser compare data from MRA and ESI Exchange Collector to find differences + +### Parser Setup + + 1. Open Log Analytics/Microsoft Sentinel Logs blade. Copy the query below and paste into the Logs query window. + 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter the Function Name "MESCompareDataMRA". + 3. Function App usually take 10-15 minutes to activate. You can then use Function Alias for other queries + 4. This parser is linked to "MRA" and "ESI Exchange Collector" tables + +>#### **Parameters:** + +>7 parameter to add during creation : +> +> 1. SectionCompare, type string, default value "" +> 2. DateCompare, type string, default value "lastdate" +> 3. CurrentDate, type string, default value "lastdate" +> 4. EnvList, type string, default value "All" +> 5. TypeEnv, type string, default value "Online" +> 6. CurrentRole, type string, default value "" +> 7. ExclusionsAcct, type dynamic, default value dynamic("") \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md b/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md index 7485d9e61de..4dafd1d15f8 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md 
@@ -1,6 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
-| 3.3.0 | 26-08-2024 | Add Compare in Exchange Security Review |
+| 3.3.0 | 26-08-2024 | Add Compare in Exchange Security Review. Create DataConnectors for Azure Monitor Agent. Correct bugs |
 | 3.2.0 | 09-04-2024 | Explode "ExchangeAdminAuditLogEvents" dataconnector to multiple simplier dataconnectors |
 | 3.1.5 | 26-04-2024 | Repackaged for fix on parser in maintemplate to have old parsername and parentid |
 | 3.1.4 | 18-04-2024 | Repackaged for parser issue while redeployment |
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml
index 8f5b3cd4e4c..d9907009f04 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml
@@ -1,8 +1,8 @@
 id: 39f51672-8c63-4600-882a-5db8275f798f
 Function:
 Title: Parser for MRA Configuration Data Comparison
- Version: '1.0.0'
- LastUpdated: '2024-02-25'
+ Version: '1.1.0'
+ LastUpdated: '2024-08-30'
 Category: Microsoft Sentinel Parser
 FunctionName: MESCompareDataMRA
 FunctionAlias: MESCompareDataMRA
@@ -36,8 +36,8 @@ FunctionParams:
 Description: List of actors to exclude. Default value is "dynamic('')".
 Default: dynamic('')
 FunctionQuery: |
- // Version: 1.0.0
- // Last Updated: 25/02/2024
+ // Version: 1.1.0
+ // Last Updated: 30/08/2024
 //
 // DESCRIPTION:
 // This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.
@@ -65,122 +65,123 @@ FunctionQuery: | // // Parameters definition let _SectionCompare = SectionCompare; - let _EnvList =EnvList; - let _TypeEnv = TypeEnv; - let _CurrentRole =CurrentRole; - let _ExclusionsAcct = ExclusionsAcct; - let _DateCompare = DateCompare; - let _CurrentDate = CurrentDate; - let _DateCompareB = todatetime(DateCompare); - let _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv) - | summarize TimeMax = max(TimeGenerated) - | extend TimeMax = tostring(split(TimeMax,"T")[0]) - | project TimeMax); - let _CurrentDateB = todatetime(toscalar(_currD)); - let BeforeData = - ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv) - | where CmdletResultValue.Role contains _CurrentRole - and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) - and CmdletResultValue.Name !contains "Deleg" - | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) - | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == "User", "User", "RoleGroup") - | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope) - | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope) - | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope) - | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope) - | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope) - | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) - | extend Status= tostring(CmdletResultValue.Enabled) - | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6", "Delegating", "Regular") - | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) - | extend Role = tostring(CmdletResultValue.Role) - | extend 
RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType) - ; - let AfterData = - ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv) - | where CmdletResultValue.Role contains _CurrentRole - and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) - and CmdletResultValue.Name !contains "Deleg" - | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) - | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == "User", "User", "RoleGroup") - | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope) - | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope) - | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope) - | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope) - | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope) - | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) - | extend Status= tostring(CmdletResultValue.Enabled) - | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) - | extend Role = tostring(CmdletResultValue.Role) - | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType) - ; - let i=0; - let allDataRange = - ESIExchangeOnlineConfig_CL - | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB) - | where ESIEnvironment_s == _EnvList - | where Section_s == "MRA" - | extend CmdletResultValue = parse_json(rawData_s) - | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t - | where CmdletResultValue.Role contains _CurrentRole - and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) - and CmdletResultValue.Name !contains "Deleg" - | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) - | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == "User", "User", "RoleGroup") - | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope) - | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope) - | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope) - | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope) - | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope) - | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) - | extend Status= tostring(CmdletResultValue.Enabled) - | extend Role = tostring(CmdletResultValue.Role) - | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType) - ; - let DiffAddDataP1 = allDataRange - | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated - ; - let DiffAddDataP2 = allDataRange - | join kind = innerunique (allDataRange ) on WhenCreated - | where WhenCreated >=_DateCompareB - | where bin(WhenCreated,5m)==bin(WhenChanged,5m) - | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated - ; - let DiffAddData = union DiffAddDataP1,DiffAddDataP2 - | extend Actiontype ="Add"; - let DiffRemoveData = allDataRange - | join kind = leftanti AfterData on RoleAssigneeName - | 
extend Actiontype ="Remove" - | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated - | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated - ; - let DiffModifData = union AfterData,allDataRange - | sort by ManagementRoleAssignement,WhenChanged asc - | extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !="" , strcat("📍 ", Status, " (",prev(Status),"->", Status," )"),Status) - | extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !="" , strcat("📍 ", CustomRecipientWriteScope, " (", prev(CustomRecipientWriteScope),"->", CustomRecipientWriteScope, ")"),CustomRecipientWriteScope) - | extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !="" , strcat("📍 ", CustomConfigWriteScope, " (", prev(CustomConfigWriteScope),"->", CustomConfigWriteScope, ")"),CustomConfigWriteScope) - | extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !="" , strcat("📍 ", RecipientWriteScope, " (", prev(RecipientWriteScope),"->", RecipientWriteScope, ")"),RecipientWriteScope) - | extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and 
prev(ConfigWriteScope) !="" , strcat("📍 ", ConfigWriteScope, " (", prev(ConfigWriteScope),"->", ConfigWriteScope, ")"),ConfigWriteScope) - | extend ActiontypeR =iff((Status contains "📍" or CustomRecipientWriteScope contains"📍" or CustomConfigWriteScope contains"📍" or RecipientWriteScope contains"📍" or ConfigWriteScope contains"📍" ), i=i + 1, i) - | extend Actiontype =iff(ActiontypeR > 0, "Modif", "NO") - | where ActiontypeR == 1 - | project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated - ; - union DiffAddData, DiffRemoveData, DiffModifData - | extend RoleAssigneeName = iff(RoleAssigneeType == "User", strcat("🧑‍🦰 ", RoleAssigneeName), strcat("👪 ", RoleAssigneeName)) - | extend WhenChanged = iff (Actiontype == "Modif", WhenChanged, iff(Actiontype == "Add",WhenCreated, WhenChanged)) - | extend Actiontype = case(Actiontype == "Add", strcat("➕ ", Actiontype), Actiontype == "Remove", strcat("➖ ", Actiontype), Actiontype == "Modif", strcat("📍 ", Actiontype), "N/A") - | sort by WhenChanged desc - | project - WhenChanged, - Actiontype, - RoleAssigneeName, - RoleAssigneeType, - Status, - CustomRecipientWriteScope, - CustomConfigWriteScope, - RecipientWriteScope, - ConfigWriteScope, - ManagementRoleAssignement, - RoleAssignmentDelegationType, - WhenCreated \ No newline at end of file +let _EnvList =EnvList; +let _TypeEnv = TypeEnv; +let _CurrentRole =CurrentRole; +let _ExclusionsAcct = ExclusionsAcct; +let _DateCompare = DateCompare; +let _CurrentDate = CurrentDate; +let _DateCompareB = todatetime(DateCompare); +let _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv) +| summarize TimeMax = max(TimeGenerated) +| extend TimeMax = tostring(split(TimeMax,"T")[0]) +| project TimeMax); 
+let _CurrentDateB = todatetime(toscalar(_currD)); +let BeforeData = + ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv) + | where CmdletResultValue.Role contains _CurrentRole + and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) + and CmdletResultValue.Name !contains "Deleg" + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == "User", "User", "RoleGroup") + | extend CustomRecipientWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope)) + | extend CustomConfigWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope)) + | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope) + | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope) + | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope) + | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) + | extend Status= tostring(CmdletResultValue.Enabled) + | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend Role = tostring(CmdletResultValue.Role) + | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType) + ; +let AfterData = + ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv) + | where CmdletResultValue.Role contains _CurrentRole + and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) + and 
CmdletResultValue.Name !contains "Deleg" + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == "User", "User", "RoleGroup") + | extend CustomRecipientWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope.Name)) + | extend CustomConfigWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope)) + | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope) + | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope) + | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope) + | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) + | extend Status= tostring(CmdletResultValue.Enabled) + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend Role = tostring(CmdletResultValue.Role) + | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") + | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType) + ; +let i=0; +let allDataRange = + ESIExchangeOnlineConfig_CL + | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB) + | where ESIEnvironment_s == _EnvList + | where Section_s == "MRA" + | extend CmdletResultValue = parse_json(rawData_s) + | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t + | where CmdletResultValue.Role contains _CurrentRole + and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) + and CmdletResultValue.Name !contains "Deleg" + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == "User", "User", "RoleGroup") + | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope) + | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope) + | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope) + | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope) + | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope) + | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) + | extend Status= tostring(CmdletResultValue.Enabled) + | extend Role = tostring(CmdletResultValue.Role) + | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType) + ; +let DiffAddDataP1 = allDataRange + | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated +; +let DiffAddDataP2 = allDataRange + | join kind = innerunique (allDataRange ) on WhenCreated + | where WhenCreated >=_DateCompareB + | where bin(WhenCreated,5m)==bin(WhenChanged,5m) + | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated + ; +let DiffAddData = union DiffAddDataP1,DiffAddDataP2 +| extend Actiontype ="Add"; +let DiffRemoveData = allDataRange + | join kind = leftanti AfterData on RoleAssigneeName + | extend 
Actiontype ="Remove" + | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated + | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated + ; +let DiffModifData = union AfterData,allDataRange +| sort by ManagementRoleAssignement,WhenChanged asc +| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !="" , strcat("📍 ", Status, " (",prev(Status),"->", Status," )"),Status) +| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !="" , strcat("📍 ", CustomRecipientWriteScope, " (", prev(CustomRecipientWriteScope),"->", CustomRecipientWriteScope, ")"),CustomRecipientWriteScope) +| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !="" , strcat("📍 ", CustomConfigWriteScope, " (", prev(CustomConfigWriteScope),"->", CustomConfigWriteScope, ")"),CustomConfigWriteScope) +| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !="" , strcat("📍 ", RecipientWriteScope, " (", prev(RecipientWriteScope),"->", RecipientWriteScope, ")"),RecipientWriteScope) +| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !="" , 
strcat("📍 ", ConfigWriteScope, " (", prev(ConfigWriteScope),"->", ConfigWriteScope, ")"),ConfigWriteScope) +| extend ActiontypeR =iff((Status contains "📍" or CustomRecipientWriteScope contains"📍" or CustomConfigWriteScope contains"📍" or RecipientWriteScope contains"📍" or ConfigWriteScope contains"📍" ), i=i + 1, i) +| extend Actiontype =iff(ActiontypeR > 0, "Modif", "NO") +| where ActiontypeR == 1 +| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated +; +union DiffAddData, DiffRemoveData, DiffModifData +| extend RoleAssigneeName = iff(RoleAssigneeType == "User", strcat("🧑‍🦰 ", RoleAssigneeName), strcat("👪 ", RoleAssigneeName)) +| extend WhenChanged = iff (Actiontype == "Modif", WhenChanged, iff(Actiontype == "Add",WhenCreated, WhenChanged)) +| extend Actiontype = case(Actiontype == "Add", strcat("➕ ", Actiontype), Actiontype == "Remove", strcat("➖ ", Actiontype), Actiontype == "Modif", strcat("📍 ", Actiontype), "N/A") +| sort by WhenChanged desc +| project + WhenChanged, + Actiontype, + RoleAssigneeName, + RoleAssigneeType, + Status, + CustomRecipientWriteScope, + CustomConfigWriteScope, + RecipientWriteScope, + ConfigWriteScope, + ManagementRoleAssignement, + RoleAssignmentDelegationType, + WhenCreated \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md index 46169e80260..fa0469c1ecf 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md 
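Review bot: In AfterData the new `CustomRecipientWriteScope` extend applies `.Name` in both branches of the iff, so the Online case no longer matches BeforeData (which keeps `tostring(CmdletResultValue.CustomRecipientWriteScope)` in its else branch) nor allDataRange, which received no On-Premises branch at all; the Online branch should read `tostring(CmdletResultValue.CustomRecipientWriteScope)`, and allDataRange needs the same two `iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), ...)` / `iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomConfigWriteScope.Name), ...)` extends as BeforeData. DiffModifData unions AfterData with allDataRange and flags a row as modified whenever consecutive scope strings differ, so comparing two representations of the same scope presumably yields spurious 📍 "Modif" rows or masks genuine changes to management role assignments, which is the privileged-access change this parser is meant to surface for the security review. Separately, in both BeforeData and AfterData the `RoleAssignmentDelegationType = iff(... "Delegating", "Regular")` extend is immediately overwritten by `RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)`, so the Delegating/Regular mapping this commit adds to AfterData never reaches the output; keep only one of the two extends. allDataRange also still reads only `ESIExchangeOnlineConfig_CL`, so whether On-Premises records reach the comparison cannot be told from this hunk; the FunctionQuery block begins before this hunk.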
@@ -164,12 +164,13 @@ If you need to test the parser execution without saving it as a function, add th ### Parser Definition - Title: Microsoft Exchange Compare Data MRA Parser -- Version: 1.0.0 -- Last Updated: 25/02/2024 +- Version: 1.1.0 +- Last Updated: 30/08/2024 - Description: This parser compare data from MRA and ESI Exchange Collector to find differences |**Version** |**Details** | |---------|-----------------------------------------------------------------------------------------------------------------------| +|v1.1 |
  • Function Adaptation for On-Premises table
| |v1.0 |
  • Function initilisation for Sentinel Solution
| ### Parser Description From ef1d3fb20ef039dfcc0997fe054a65304c5723ec Mon Sep 17 00:00:00 2001 From: nlepagnez Date: Fri, 30 Aug 2024 12:31:15 +0200 Subject: [PATCH 08/19] UpdateWorkbookData --- Workbooks/WorkbooksMetadata.json | 15330 +++++++++++++++-------------- 1 file changed, 7808 insertions(+), 7522 deletions(-) diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json index 1bf6f4c9f4d..2562d2d7262 100644 --- a/Workbooks/WorkbooksMetadata.json +++ b/Workbooks/WorkbooksMetadata.json 
@@ -1,7626 +1,7912 @@ [ - { - "workbookKey": "1PasswordWorkbook", - "logoFileName": "1password.svg", - "description": "Gain insights and comprehensive monitoring into 1Password events data by analyzing traffic and user activities.\nThis workbook provides insights into various 1Password events types.\nYou can use this workbook to get visibility in to your 1Password Security Events and quickly identify threats, anamolies, traffic patterns, application usage, blocked IP addresses and more.", - "dataTypesDependencies": [ - "OnePasswordEventLogs_CL" - ], - "dataConnectorsDependencies": [ - "1Password" - ], - "previewImagesFileNames": [ - "1PasswordLogsBlack1.png", - "1PasswordLogsBlack2.png", - "1PasswordLogsBlack3.png", - "1PasswordLogsBlack4.png", - "1PasswordLogsWhite1.png", - "1PasswordLogsWhite2.png", - "1PasswordLogsWhite3.png", - "1PasswordLogsWhite4.png" - ], - "version": "1.0.0", - "title": "1Password Events Workbook", - "templateRelativePath": "1Password.json", - "subtitle": "", - "provider": "1Password" - }, - { - "workbookKey": "42CrunchAPIProtectionWorkbook", - "logoFileName": "42CrunchLogo.svg", - "description": "Monitor and protect APIs using the 42Crunch API microfirewall", - "dataTypesDependencies": [ - "apifirewall_log_1_CL" - ], - "dataConnectorsDependencies": [ - "42CrunchAPIProtection" - ], - "previewImagesFileNames": [ - "42CrunchInstancesBlack.png", - "42CrunchInstancesWhite.png", - "42CrunchRequestsBlack.png", - "42CrunchRequestsWhite.png", - "42CrunchStatusBlack.png", - "42CrunchStatusWhite.png" - ], - "version": "1.0.0", - "title": "42Crunch API Protection Workbook", - "templateRelativePath": "42CrunchAPIProtectionWorkbook.json", - "subtitle": "", - "provider": "42Crunch" - }, - { - "workbookKey": "AttackSurfaceReduction", - "logoFileName": "M365securityposturelogo.svg", - "description": "This workbook helps you implement the ASR rules of Windows/Defender, and to monitor them over time. 
The workbook can filter on ASR rules in Audit mode and Block mode.", - "dataTypesDependencies": [ - "DeviceEvents" - ], - "dataConnectorsDependencies": [ - "MicrosoftThreatProtection" - ], - "previewImagesFileNames": [ - "AttackSurfaceReductionWhite.png", - "AttackSurfaceReductionBlack.png" - ], - "version": "1.0.0", - "title": "Attack Surface Reduction Dashboard", - "templateRelativePath": "AttackSurfaceReduction.json", - "subtitle": "", - "provider": "Microsoft Sentinel community" - }, - { - "workbookKey": "ForcepointNGFWAdvanced", - "logoFileName": "FPAdvLogo.svg", - "description": "Gain threat intelligence correlated security and application insights on Forcepoint NGFW (Next Generation Firewall). Monitor Forcepoint logging servers health.", - "dataTypesDependencies": [ - "CommonSecurityLog", - "ThreatIntelligenceIndicator" - ], - "dataConnectorsDependencies": [ - "ForcepointNgfw", - "ThreatIntelligence", - "ForcepointNgfwAma", - "CefAma" - ], - "previewImagesFileNames": [ - "ForcepointNGFWAdvancedWhite.png", - "ForcepointNGFWAdvancedBlack.png" - ], - "version": "1.0.0", - "title": "Forcepoint Next Generation Firewall (NGFW) Advanced Workbook", - "templateRelativePath": "ForcepointNGFWAdvanced.json", - "subtitle": "", - "provider": "Forcepoint" - }, - { - "workbookKey": "AzureActivityWorkbook", - "logoFileName": "azureactivity_logo.svg", - "description": "Gain extensive insight into your organization's Azure Activity by analyzing, and correlating all user operations and events.\nYou can learn about all user operations, trends, and anomalous changes over time.\nThis workbook gives you the ability to drill down into caller activities and summarize detected failure and warning events.", - "dataTypesDependencies": [ - "AzureActivity" - ], - "dataConnectorsDependencies": [ - "AzureActivity" - ], - "previewImagesFileNames": [ - "AzureActivityWhite1.png", - "AzureActivityBlack1.png" - ], - "version": "2.0.0", - "title": "Azure Activity", - "templateRelativePath": 
"AzureActivity.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "IdentityAndAccessWorkbook", - "logoFileName": "Microsoft_logo.svg", - "description": "Gain insights into Identity and access operations by collecting and analyzing security logs, using the audit and sign-in logs to gather insights into use of Microsoft products.\nYou can view anomalies and trends across login events from all users and machines. This workbook also identifies suspicious entities from login and access events.", - "dataTypesDependencies": [ - "SecurityEvent" - ], - "dataConnectorsDependencies": [ - "SecurityEvents", - "WindowsSecurityEvents" - ], - "previewImagesFileNames": [ - "IdentityAndAccessWhite.png", - "IdentityAndAccessBlack.png" - ], - "version": "1.1.0", - "title": "Identity & Access", - "templateRelativePath": "IdentityAndAccess.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "ConditionalAccessTrendsandChangesWorkbook", - "logoFileName": "Microsoft_logo.svg", - "description": "Gain insights into Conditional Access Trends and Changes.", - "dataTypesDependencies": [ "SigninLogs" ], - "dataConnectorsDependencies": [ "AzureActiveDirectory" ], - "previewImagesFileNames": [ "catrendsWhite.png", "catrendsBlack.png" ], - "version": "1.0.0", - "title": "Conditional Access Trends and Changes", - "templateRelativePath": "ConditionalAccessTrendsandChanges.json", - "subtitle": "", - "provider": "Microsoft", - "support": { - "tier": "Community" - }, - "author": { - "name": "Microsoft Sentinel Community" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ "Identity" ] - } - }, - { - "workbookKey": "CheckPointWorkbook", - "logoFileName": "checkpoint_logo.svg", - "description": "Gain insights into Check Point network activities, including number of gateways and servers, security incidents, and identify infected hosts.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - 
"CheckPoint" - ], - "previewImagesFileNames": [ - "CheckPointWhite.png", - "CheckPointBlack.png" - ], - "version": "1.0.0", - "title": "Check Point Software Technologies", - "templateRelativePath": "CheckPoint.json", - "subtitle": "", - "provider": "Check Point" - }, - { - "workbookKey": "CiscoWorkbook", - "logoFileName": "cisco_logo.svg", - "description": "Gain insights into your Cisco ASA firewalls by analyzing traffic, events, and firewall operations.\nThis workbook analyzes Cisco ASA threat events and identifies suspicious ports, users, protocols and IP addresses.\nYou can learn about trends across user and data traffic directions, and drill down into the Cisco filter results.\nEasily detect attacks on your organization by monitoring management operations, such as configuration and logins.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "CiscoASA" - ], - "previewImagesFileNames": [ - "CiscoWhite.png", - "CiscoBlack.png" - ], - "version": "1.1.0", - "title": "Cisco - ASA", - "templateRelativePath": "Cisco.json", - "subtitle": "", - "provider": "Microsoft" - }, - - { - "workbookKey": "ExchangeOnlineWorkbook", - "logoFileName": "office365_logo.svg", - "description": "Gain insights into Microsoft Exchange online by tracing and analyzing all Exchange operations and user activities.\nThis workbook let you monitor user activities, including logins, account operations, permission changes, and mailbox creations to discover suspicious trends among them.", - "dataTypesDependencies": [ - "OfficeActivity" - ], - "dataConnectorsDependencies": [ - "Office365" - ], - "previewImagesFileNames": [ - "ExchangeOnlineWhite.png", - "ExchangeOnlineBlack.png" - ], - "version": "2.0.0", - "title": "Exchange Online", - "templateRelativePath": "ExchangeOnline.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "CloudNGFW-OverviewWorkbook", - "logoFileName": "paloalto_logo.svg", - "description": "Gain insights and 
comprehensive monitoring into Azure CloudNGFW by Palo Alto Networks by analyzing traffic and activities.\nThis workbook correlates all Palo Alto data with threat events to identify suspicious entities and relationships.\nYou can learn about trends across user and data traffic, and drill down into Palo Alto Wildfire and filter results.", - "dataTypesDependencies": [ - "fluentbit_CL" - ], - "dataConnectorsDependencies": [ - "CloudNgfwByPAN" - ], - "previewImagesFileNames": [ - "PaloAltoOverviewWhite1.png", - "PaloAltoOverviewBlack1.png", - "PaloAltoOverviewWhite2.png", - "PaloAltoOverviewBlack2.png", - "PaloAltoOverviewWhite3.png", - "PaloAltoOverviewBlack3.png" - ], - "version": "1.2.0", - "title": "Azure CloudNGFW By Palo Alto Networks - Overview", - "templateRelativePath": "CloudNGFW-Overview.json", - "subtitle": "", - "provider": "Palo Alto Networks" - }, - { - "workbookKey": "CloudNGFW-NetworkThreatWorkbook", - "logoFileName": "paloalto_logo.svg", - "description": "Gain insights into Azure CloudNGFW activities by analyzing threat events.\nYou can extract meaningful security information by correlating data between threats, applications, and time.\nThis workbook makes it easy to track malware, vulnerability, and virus log events.", - "dataTypesDependencies": [ - "fluentbit_CL" - ], - "dataConnectorsDependencies": [ - "CloudNgfwByPAN" - ], - "previewImagesFileNames": [ - "PaloAltoNetworkThreatWhite1.png", - "PaloAltoNetworkThreatBlack1.png", - "PaloAltoNetworkThreatWhite2.png", - "PaloAltoNetworkThreatBlack2.png" - ], - "version": "1.2.0", - "title": "Azure CloudNGFW By Palo Alto Networks - Network Threats", - "templateRelativePath": "CloudNGFW-NetworkThreat.json", - "subtitle": "", - "provider": "Palo Alto Networks" - }, - { - "workbookKey": "PaloAltoOverviewWorkbook", - "logoFileName": "paloalto_logo.svg", - "description": "Gain insights and comprehensive monitoring into Palo Alto firewalls by analyzing traffic and activities.\nThis workbook correlates all Palo 
Alto data with threat events to identify suspicious entities and relationships.\nYou can learn about trends across user and data traffic, and drill down into Palo Alto Wildfire and filter results.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "PaloAltoNetworks", - "CefAma" - ], - "previewImagesFileNames": [ - "PaloAltoOverviewWhite1.png", - "PaloAltoOverviewBlack1.png", - "PaloAltoOverviewWhite2.png", - "PaloAltoOverviewBlack2.png", - "PaloAltoOverviewWhite3.png", - "PaloAltoOverviewBlack3.png" - ], - "version": "1.2.0", - "title": "Palo Alto overview", - "templateRelativePath": "PaloAltoOverview.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "PaloAltoNetworkThreatWorkbook", - "logoFileName": "paloalto_logo.svg", - "description": "Gain insights into Palo Alto network activities by analyzing threat events.\nYou can extract meaningful security information by correlating data between threats, applications, and time.\nThis workbook makes it easy to track malware, vulnerability, and virus log events.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "PaloAltoNetworks", - "CefAma" - ], - "previewImagesFileNames": [ - "PaloAltoNetworkThreatWhite1.png", - "PaloAltoNetworkThreatBlack1.png", - "PaloAltoNetworkThreatWhite2.png", - "PaloAltoNetworkThreatBlack2.png" - ], - "version": "1.1.0", - "title": "Palo Alto Network Threat", - "templateRelativePath": "PaloAltoNetworkThreat.json", - "subtitle": "", - "provider": "Palo Alto Networks" - }, - { - "workbookKey": "EsetSMCWorkbook", - "logoFileName": "eset-logo.svg", - "description": "Visualize events and threats from Eset Security Management Center.", - "dataTypesDependencies": [ - "eset_CL" - ], - "dataConnectorsDependencies": [ - "EsetSMC" - ], - "previewImagesFileNames": [ - "esetSMCWorkbook-black.png", - "esetSMCWorkbook-white.png" - ], - "version": "1.0.0", - "title": "Eset Security Management Center 
Overview", - "templateRelativePath": "esetSMCWorkbook.json", - "subtitle": "", - "provider": "Community", - "support": { - "tier": "Community" - }, - "author": { - "name": "Tomáš Kubica" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ "Security - Others" ] - } - }, - { - "workbookKey": "FortigateWorkbook", - "logoFileName": "fortinet_logo.svg", - "description": "Gain insights into Fortigate firewalls by analyzing traffic and activities.\nThis workbook finds correlations in Fortigate threat events and identifies suspicious ports, users, protocols and IP addresses.\nYou can learn about trends across user and data traffic, and drill down into the Fortigate filter results.\nEasily detect attacks on your organization by monitoring management operations such as configuration and logins.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "Fortinet" - ], - "previewImagesFileNames": [ - "FortigateWhite.png", - "FortigateBlack.png" - ], - "version": "1.1.0", - "title": "FortiGate", - "templateRelativePath": "Fortigate.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "DnsWorkbook", - "logoFileName": "dns_logo.svg", - "description": "Gain extensive insight into your organization's DNS by analyzing, collecting and correlating all DNS events.\nThis workbook exposes a variety of information about suspicious queries, malicious IP addresses and domain operations.", - "dataTypesDependencies": [ - "DnsInventory", - "DnsEvents" - ], - "dataConnectorsDependencies": [ - "DNS" - ], - "previewImagesFileNames": [ - "DnsWhite.png", - "DnsBlack.png" - ], - "version": "1.3.0", - "title": "DNS", - "templateRelativePath": "Dns.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "Office365Workbook", - "logoFileName": "office365_logo.svg", - "description": "Gain insights into Office 365 by tracing and analyzing all operations and activities. 
You can drill down into your SharePoint, OneDrive, and Exchange.\nThis workbook lets you find usage trends across users, files, folders, and mailboxes, making it easier to identify anomalies in your network.",
- "dataTypesDependencies": [
- "OfficeActivity"
- ],
- "dataConnectorsDependencies": [
- "Office365"
- ],
- "previewImagesFileNames": [
- "Office365White1.png",
- "Office365Black1.png",
- "Office365White2.png",
- "Office365Black2.png",
- "Office365White3.png",
- "Office365Black3.png"
- ],
- "version": "2.0.1",
- "title": "Office 365",
- "templateRelativePath": "Office365.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "SharePointAndOneDriveWorkbook",
- "logoFileName": "office365_logo.svg",
- "description": "Gain insights into SharePoint and OneDrive by tracing and analyzing all operations and activities.\nYou can view trends across user operation, find correlations between users and files, and identify interesting information such as user IP addresses.",
- "dataTypesDependencies": [
- "OfficeActivity"
- ],
- "dataConnectorsDependencies": [
- "Office365"
- ],
- "previewImagesFileNames": [
- "SharePointAndOneDriveBlack1.png",
- "SharePointAndOneDriveBlack2.png",
- "SharePointAndOneDriveWhite1.png",
- "SharePointAndOneDriveWhite2.png"
- ],
- "version": "2.0.0",
- "title": "SharePoint & OneDrive",
- "templateRelativePath": "SharePointAndOneDrive.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "AzureActiveDirectorySigninLogsWorkbook",
- "logoFileName": "azureactivedirectory_logo.svg",
- "description": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Microsoft Entra ID scenarios. 
\nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures.",
- "dataTypesDependencies": [
- "SigninLogs"
- ],
- "dataConnectorsDependencies": [
- "AzureActiveDirectory"
- ],
- "previewImagesFileNames": [
- "AADsigninBlack1.png",
- "AADsigninBlack2.png",
- "AADsigninWhite1.png",
- "AADsigninWhite2.png"
- ],
- "version": "2.4.0",
- "title": "Microsoft Entra ID Sign-in logs",
- "templateRelativePath": "AzureActiveDirectorySignins.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "VirtualMachinesInsightsWorkbook",
- "logoFileName": "azurevirtualmachine_logo.svg",
- "description": "Gain rich insight into your organization's virtual machines from Azure Monitor, which analyzes and correlates data in your VM network. \nYou will get visibility on your VM parameters and behavior, and will be able to trace sent and received data. \nIdentify malicious attackers and their targets, and drill down into the protocols, source and destination IP addresses, countries, and ports the attacks occur across.",
- "dataTypesDependencies": [
- "VMConnection",
- "ServiceMapComputer_CL",
- "ServiceMapProcess_CL"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "VMInsightBlack1.png",
- "VMInsightWhite1.png"
- ],
- "version": "1.3.0",
- "title": "VM insights",
- "templateRelativePath": "VirtualMachinesInsights.json",
- "subtitle": "",
- "provider": "Microsoft",
- "support": {
- "tier": "Microsoft"
- },
- "author": {
- "name": "Microsoft Corporation"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [
- "IT Operations",
- "Platform"
- ]
- }
- },
- {
- "workbookKey": "AzureActiveDirectoryAuditLogsWorkbook",
- "logoFileName": "azureactivedirectory_logo.svg",
- "description": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the audit logs to gather 
insights around Microsoft Entra ID scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps.",
- "dataTypesDependencies": [
- "AuditLogs"
- ],
- "dataConnectorsDependencies": [
- "AzureActiveDirectory"
- ],
- "previewImagesFileNames": [
- "AzureADAuditLogsBlack1.png",
- "AzureADAuditLogsWhite1.png"
- ],
- "version": "1.2.0",
- "title": "Microsoft Entra ID Audit logs",
- "templateRelativePath": "AzureActiveDirectoryAuditLogs.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "ThreatIntelligenceWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Gain insights into threat indicators ingestion and search for indicators at scale across Microsoft 1st Party, 3rd Party, On-Premises, Hybrid, and Multi-Cloud Workloads. Indicators Search facilitates a simple interface for finding IP, File, Hash, Sender and more across your data. Seamless pivots to correlate indicators with Microsoft Sentinel: Incidents to make your threat intelligence actionable.",
- "dataTypesDependencies": [
- "ThreatIntelligenceIndicator",
- "SecurityIncident"
- ],
- "dataConnectorsDependencies": [
- "ThreatIntelligence",
- "ThreatIntelligenceTaxii",
- "MicrosoftDefenderThreatIntelligence",
- "ThreatIntelligenceUploadIndicatorsAPI"
- ],
- "previewImagesFileNames": [
- "ThreatIntelligenceWhite.png",
- "ThreatIntelligenceBlack.png"
- ],
- "version": "5.0.0",
- "title": "Threat Intelligence",
- "templateRelativePath": "ThreatIntelligence.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "WebApplicationFirewallOverviewWorkbook",
- "logoFileName": "waf_logo.svg",
- "description": "Gain insights into your organization's Azure web application firewall (WAF). 
You will get a general overview of your application gateway firewall and application gateway access events.",
- "dataTypesDependencies": [
- "AzureDiagnostics"
- ],
- "dataConnectorsDependencies": [
- "WAF"
- ],
- "previewImagesFileNames": [
- "WAFOverviewBlack.png",
- "WAFOverviewWhite.png"
- ],
- "version": "1.1.0",
- "title": "Microsoft Web Application Firewall (WAF) - overview",
- "templateRelativePath": "WebApplicationFirewallOverview.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "WebApplicationFirewallFirewallEventsWorkbook",
- "logoFileName": "waf_logo.svg",
- "description": "Gain insights into your organization's Azure web application firewall (WAF). You will get visibility in to your application gateway firewall. You can view anomalies and trends across all firewall event triggers, attack events, blocked URL addresses and more.",
- "dataTypesDependencies": [
- "AzureDiagnostics"
- ],
- "dataConnectorsDependencies": [
- "WAF"
- ],
- "previewImagesFileNames": [
- "WAFFirewallEventsBlack1.png",
- "WAFFirewallEventsBlack2.png",
- "WAFFirewallEventsWhite1.png",
- "WAFFirewallEventsWhite2.png"
- ],
- "version": "1.1.0",
- "title": "Microsoft Web Application Firewall (WAF) - firewall events",
- "templateRelativePath": "WebApplicationFirewallFirewallEvents.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "WebApplicationFirewallGatewayAccessEventsWorkbook",
- "logoFileName": "waf_logo.svg",
- "description": "Gain insights into your organization's Azure web application firewall (WAF). You will get visibility in to your application gateway access events. 
You can view anomalies and trends across received and sent data, client IP addresses, URL addresses and more, and drill down into details.",
- "dataTypesDependencies": [
- "AzureDiagnostics"
- ],
- "dataConnectorsDependencies": [
- "WAF"
- ],
- "previewImagesFileNames": [
- "WAFGatewayAccessEventsBlack1.png",
- "WAFGatewayAccessEventsBlack2.png",
- "WAFGatewayAccessEventsWhite1.png",
- "WAFGatewayAccessEventsWhite2.png"
- ],
- "version": "1.2.0",
- "title": "Microsoft Web Application Firewall (WAF) - gateway access events",
- "templateRelativePath": "WebApplicationFirewallGatewayAccessEvents.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "LinuxMachinesWorkbook",
- "logoFileName": "azurevirtualmachine_logo.svg",
- "description": "Gain insights into your workspaces' Linux machines by connecting Microsoft Sentinel and using the logs to gather insights around Linux events and errors.",
- "dataTypesDependencies": [
- "Syslog"
- ],
- "dataConnectorsDependencies": [
- "Syslog"
- ],
- "previewImagesFileNames": [
- "LinuxMachinesWhite.png",
- "LinuxMachinesBlack.png"
- ],
- "version": "1.1.0",
- "title": "Linux machines",
- "templateRelativePath": "LinuxMachines.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "AzureFirewallWorkbook",
- "logoFileName": "AzFirewalls.svg",
- "description": "Gain insights into Azure Firewall events. 
You can learn about your application and network rules, see metrics for firewall activities across URLs, ports, and addresses across multiple workspaces.",
- "dataTypesDependencies": [
- "AzureDiagnostics"
- ],
- "dataConnectorsDependencies": [
- "AzureFirewall"
- ],
- "previewImagesFileNames": [
- "AzureFirewallWorkbookWhite1.PNG",
- "AzureFirewallWorkbookBlack1.PNG",
- "AzureFirewallWorkbookWhite2.PNG",
- "AzureFirewallWorkbookBlack2.PNG",
- "AzureFirewallWorkbookWhite3.PNG",
- "AzureFirewallWorkbookBlack3.PNG",
- "AzureFirewallWorkbookWhite4.PNG",
- "AzureFirewallWorkbookBlack4.PNG",
- "AzureFirewallWorkbookWhite5.PNG",
- "AzureFirewallWorkbookBlack5.PNG"
- ],
- "version": "1.3.0",
- "title": "Azure Firewall",
- "templateRelativePath": "AzureFirewallWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "AzureFirewallWorkbook-StructuredLogs",
- "logoFileName": "AzFirewalls.svg",
- "description": "Gain insights into Azure Firewall events using the new Structured Logs for Azure Firewall. 
You can learn about your application and network rules, see metrics for firewall activities across URLs, ports, and addresses across multiple workspaces.",
- "dataTypesDependencies": [
- "AZFWNetworkRule",
- "AZFWApplicationRule",
- "AZFWDnsQuery",
- "AZFWThreatIntel"
- ],
- "dataConnectorsDependencies": [
- "AzureFirewall"
- ],
- "previewImagesFileNames": [
- "AzureFirewallWorkbookWhite1.PNG",
- "AzureFirewallWorkbookBlack1.PNG",
- "AzureFirewallWorkbookWhite2.PNG",
- "AzureFirewallWorkbookBlack2.PNG",
- "AzureFirewallWorkbookWhite3.PNG",
- "AzureFirewallWorkbookBlack3.PNG",
- "AzureFirewallWorkbookWhite4.PNG",
- "AzureFirewallWorkbookBlack4.PNG",
- "AzureFirewallWorkbookWhite5.PNG",
- "AzureFirewallWorkbookBlack5.PNG"
- ],
- "version": "1.0.0",
- "title": "Azure Firewall Structured Logs",
- "templateRelativePath": "AzureFirewallWorkbook-StructuredLogs.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "AzureDDoSStandardProtection",
- "logoFileName": "AzDDoS.svg",
- "description": "This workbook visualizes security-relevant Azure DDoS events across several filterable panels. 
Offering a summary tab, metrics and a investigate tabs across multiple workspaces.",
- "dataTypesDependencies": [
- "AzureDiagnostics"
- ],
- "dataConnectorsDependencies": [
- "DDOS"
- ],
- "previewImagesFileNames": [
- "AzureDDoSWhite1.PNG",
- "AzureDDoSBlack1.PNG",
- "AzureDDoSWhite2.PNG",
- "AzureDDoSBlack2.PNG",
- "AzureDDoSWhite2.PNG",
- "AzureDDoSBlack2.PNG"
- ],
- "version": "1.0.2",
- "title": "Azure DDoS Protection Workbook",
- "templateRelativePath": "AzDDoSStandardWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "MicrosoftCloudAppSecurityWorkbook",
- "logoFileName": "Microsoft_logo.svg",
- "description": "Using this workbook, you can identify which cloud apps are being used in your organization, gain insights from usage trends and drill down to a specific user and application.",
- "dataTypesDependencies": [
- "McasShadowItReporting"
- ],
- "dataConnectorsDependencies": [
- "MicrosoftCloudAppSecurity"
- ],
- "previewImagesFileNames": [
- "McasDiscoveryBlack.png",
- "McasDiscoveryWhite.png"
- ],
- "version": "1.2.0",
- "title": "Microsoft Cloud App Security - discovery logs",
- "templateRelativePath": "MicrosoftCloudAppSecurity.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "F5BIGIPSytemMetricsWorkbook",
- "logoFileName": "f5_logo.svg",
- "description": "Gain insight into F5 BIG-IP health and performance. 
This workbook provides visibility of various metrics including CPU, memory, connectivity, throughput and disk utilization.",
- "dataTypesDependencies": [
- "F5Telemetry_system_CL",
- "F5Telemetry_AVR_CL"
- ],
- "dataConnectorsDependencies": [
- "F5BigIp"
- ],
- "previewImagesFileNames": [
- "F5SMBlack.png",
- "F5SMWhite.png"
- ],
- "version": "1.1.0",
- "title": "F5 BIG-IP System Metrics",
- "templateRelativePath": "F5BIGIPSystemMetrics.json",
- "subtitle": "",
- "provider": "F5 Networks"
- },
- {
- "workbookKey": "F5NetworksWorkbook",
- "logoFileName": "f5_logo.svg",
- "description": "Gain insights into F5 BIG-IP Application Security Manager (ASM), by analyzing traffic and activities.\nThis workbook provides insight into F5's web application firewall events and identifies attack traffic patterns across multiple ASM instances as well as overall BIG-IP health.",
- "dataTypesDependencies": [
- "F5Telemetry_LTM_CL",
- "F5Telemetry_system_CL",
- "F5Telemetry_ASM_CL"
- ],
- "dataConnectorsDependencies": [
- "F5BigIp"
- ],
- "previewImagesFileNames": [
- "F5White.png",
- "F5Black.png"
- ],
- "version": "1.1.0",
- "title": "F5 BIG-IP ASM",
- "templateRelativePath": "F5Networks.json",
- "subtitle": "",
- "provider": "F5 Networks"
- },
- {
- "workbookKey": "AzureNetworkWatcherWorkbook",
- "logoFileName": "networkwatcher_logo.svg",
- "description": "Gain deeper understanding of your organization's Azure network traffic by analyzing, and correlating Network Security Group flow logs. \nYou can trace malicious traffic flows, and drill down into their protocols, source and destination IP addresses, machines, countries, and subnets. 
\nThis workbook also helps you protect your network by identifying weak NSG rules.",
- "dataTypesDependencies": [
- "AzureNetworkAnalytics_CL"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "AzureNetworkWatcherWhite.png",
- "AzureNetworkWatcherBlack.png"
- ],
- "version": "1.1.0",
- "title": "Azure Network Watcher",
- "templateRelativePath": "AzureNetworkWatcher.json",
- "subtitle": "",
- "provider": "Microsoft",
- "support": {
- "tier": "Microsoft"
- },
- "author": {
- "name": "Microsoft Corporation"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [
- "Security - Network"
- ]
- }
- },
- {
- "workbookKey": "ZscalerFirewallWorkbook",
- "logoFileName": "zscaler_logo.svg",
- "description": "Gain insights into your ZIA cloud firewall logs by connecting to Microsoft Sentinel.\nThe Zscaler firewall overview workbook provides an overview and ability to drill down into all cloud firewall activity in your Zscaler instance including non-web related networking events, security events, firewall rules, and bandwidth consumption",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "Zscaler",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "ZscalerFirewallWhite1.png",
- "ZscalerFirewallBlack1.png",
- "ZscalerFirewallWhite2.png",
- "ZscalerFirewallBlack2.png"
- ],
- "version": "1.1.0",
- "title": "Zscaler Firewall",
- "templateRelativePath": "ZscalerFirewall.json",
- "subtitle": "",
- "provider": "Zscaler"
- },
- {
- "workbookKey": "ZscalerWebOverviewWorkbook",
- "logoFileName": "zscaler_logo.svg",
- "description": "Gain insights into your ZIA web logs by connecting to Microsoft Sentinel.\nThe Zscaler web overview workbook provides a bird's eye view and ability to drill down into all the security and networking events related to web transactions, types of devices, and bandwidth consumption.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- 
"Zscaler",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "ZscalerWebOverviewWhite.png",
- "ZscalerWebOverviewBlack.png"
- ],
- "version": "1.1.0",
- "title": "Zscaler Web Overview",
- "templateRelativePath": "ZscalerWebOverview.json",
- "subtitle": "",
- "provider": "Zscaler"
- },
- {
- "workbookKey": "ZscalerThreatsOverviewWorkbook",
- "logoFileName": "zscaler_logo.svg",
- "description": "Gain insights into threats blocked by Zscaler Internet access on your network.\nThe Zscaler threat overview workbook shows your entire threat landscape including blocked malware, IPS/AV rules, and blocked cloud apps. Threats are displayed by threat categories, filetypes, inbound vs outbound threats, usernames, user location, and more.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "Zscaler",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "ZscalerThreatsWhite.png",
- "ZscalerThreatsBlack.png"
- ],
- "version": "1.2.0",
- "title": "Zscaler Threats",
- "templateRelativePath": "ZscalerThreats.json",
- "subtitle": "",
- "provider": "Zscaler"
- },
- {
- "workbookKey": "ZscalerOffice365AppsWorkbook",
- "logoFileName": "zscaler_logo.svg",
- "description": "Gain insights into Office 365 use on your network.\nThe Zscaler Office 365 overview workbook shows you the Microsoft apps running on your network and their individual bandwidth consumption. 
It also helps identify phishing attempts in which attackers disguised themselves as Microsoft services.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "Zscaler",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "ZscalerOffice365White.png",
- "ZscalerOffice365Black.png"
- ],
- "version": "1.1.0",
- "title": "Zscaler Office365 Apps",
- "templateRelativePath": "ZscalerOffice365Apps.json",
- "subtitle": "",
- "provider": "Zscaler"
- },
- {
- "workbookKey": "InsecureProtocolsWorkbook",
- "logoFileName": "Microsoft_logo.svg",
- "description": "Gain insights into insecure protocol traffic by collecting and analyzing security events from Microsoft products.\nYou can view analytics and quickly identify use of weak authentication as well as sources of legacy protocol traffic, like NTLM and SMBv1.\nYou will also have the ability to monitor use of weak ciphers, allowing you to find weak spots in your organization's security.",
- "dataTypesDependencies": [
- "SecurityEvent",
- "Event",
- "SigninLogs"
- ],
- "dataConnectorsDependencies": [
- "SecurityEvents",
- "AzureActiveDirectory",
- "WindowsSecurityEvents"
- ],
- "previewImagesFileNames": [
- "InsecureProtocolsWhite1.png",
- "InsecureProtocolsBlack1.png",
- "InsecureProtocolsWhite2.png",
- "InsecureProtocolsBlack2.png"
- ],
- "version": "2.1.0",
- "title": "Insecure Protocols",
- "templateRelativePath": "InsecureProtocols.json",
- "subtitle": "",
- "provider": "Microsoft",
- "support": {
- "tier": "Microsoft"
- },
- "author": {
- "name": "Microsoft Corporation"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [
- "Security - Others"
- ]
- }
-},
-{
- "workbookKey": "usecasemapper",
- "logoFileName": "ucasemapper.svg",
- "description": "A simple tool to map Use Cases to Content Hub relevant Microsoft Sentinel solutions",
- "previewImagesFileNames": [ "useCaseMapperWhite1.png", "useCaseMapperWhite2.png", "useCaseMapperWhite3.png", 
"useCaseMapperBlack1.png", "useCaseMapperBlack2.png", "useCaseMapperBlack3.png"],
- "version": "1.0.0",
- "title": "Use Case Mapper",
- "templateRelativePath": "usecasemapper.json",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "subtitle": "",
- "provider": "Microsoft Sentinel community",
- "support": {
- "tier": "Community"
- },
- "author": {
- "name": "Microsoft Sentinel Community"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [
- "Security - Cloud Security"
- ]
- }
- },
- {
- "workbookKey": "AzureInformationProtectionWorkbook",
- "logoFileName": "informationProtection.svg",
- "description": "The Azure Information Protection Usage report workbook provides information on the volume of labeled and protected documents and emails over time, label distribution of files by label type, along with where the label was applied.",
- "dataTypesDependencies": [
- "SecurityEvent",
- "Event",
- "SigninLogs"
- ],
- "dataConnectorsDependencies": [
- "SecurityEvents",
- "AzureActiveDirectory",
- "WindowsSecurityEvents"
- ],
- "previewImagesFileNames": [
- "InsecureProtocolsWhite1.png",
- "InsecureProtocolsBlack1.png",
- "InsecureProtocolsWhite2.png",
- "InsecureProtocolsBlack2.png"
- ],
- "version": "2.1.0",
- "title": "Insecure Protocols",
- "templateRelativePath": "InsecureProtocols.json",
- "subtitle": "",
- "provider": "Microsoft",
- "support": {
- "tier": "Microsoft"
- },
- "author": {
- "name": "Amit Bergman"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [ "Security - Others" ]
- }
-},
- {
- "workbookKey": "AmazonWebServicesNetworkActivitiesWorkbook",
- "logoFileName": "amazon_web_services_Logo.svg",
- "description": "Gain insights into AWS network related resource activities, including the creation, update, and deletions of security groups, network ACLs and routes, gateways, elastic load balancers, VPCs, subnets, and network interfaces.",
- "dataTypesDependencies": [
- "AWSCloudTrail"
- ], 
- "dataConnectorsDependencies": [
- "AWS"
- ],
- "previewImagesFileNames": [
- "AwsNetworkActivitiesWhite.png",
- "AwsNetworkActivitiesBlack.png"
- ],
- "version": "1.0.0",
- "title": "AWS Network Activities",
- "templateRelativePath": "AmazonWebServicesNetworkActivities.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "AmazonWebServicesUserActivitiesWorkbook",
- "logoFileName": "amazon_web_services_Logo.svg",
- "description": "Gain insights into AWS user activities, including failed sign-in attempts, IP addresses, regions, user agents, and identity types, as well as potential malicious user activities with assumed roles.",
- "dataTypesDependencies": [
- "AWSCloudTrail"
- ],
- "dataConnectorsDependencies": [
- "AWS"
- ],
- "previewImagesFileNames": [
- "AwsUserActivitiesWhite.png",
- "AwsUserActivitiesBlack.png"
- ],
- "version": "1.0.0",
- "title": "AWS User Activities",
- "templateRelativePath": "AmazonWebServicesUserActivities.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "TrendMicroDeepSecurityAttackActivityWorkbook",
- "logoFileName": "trendmicro_logo.svg",
- "description": "Visualize and gain insights into the MITRE ATT&CK related activity detected by Trend Micro Deep Security.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "TrendMicro",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "TrendMicroDeepSecurityAttackActivityWhite.png",
- "TrendMicroDeepSecurityAttackActivityBlack.png"
- ],
- "version": "1.0.0",
- "title": "Trend Micro Deep Security ATT&CK Related Activity",
- "templateRelativePath": "TrendMicroDeepSecurityAttackActivity.json",
- "subtitle": "",
- "provider": "Trend Micro"
- },
- {
- "workbookKey": "TrendMicroDeepSecurityOverviewWorkbook",
- "logoFileName": "trendmicro_logo.svg",
- "description": "Gain insights into your Trend Micro Deep Security security event data by visualizing your Deep Security Anti-Malware, Firewall, Integrity 
Monitoring, Intrusion Prevention, Log Inspection, and Web Reputation event data.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "TrendMicro",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "TrendMicroDeepSecurityOverviewWhite1.png",
- "TrendMicroDeepSecurityOverviewBlack1.png",
- "TrendMicroDeepSecurityOverviewWhite2.png",
- "TrendMicroDeepSecurityOverviewBlack2.png"
- ],
- "version": "1.0.0",
- "title": "Trend Micro Deep Security Events",
- "templateRelativePath": "TrendMicroDeepSecurityOverview.json",
- "subtitle": "",
- "provider": "Trend Micro"
- },
- {
- "workbookKey": "ExtraHopDetectionSummaryWorkbook",
- "logoFileName": "extrahop_logo.svg",
- "description": "Gain insights into ExtraHop Reveal(x) detections by analyzing traffic and activities.\nThis workbook provides an overview of security detections in your organization's network, including high-risk detections and top participants.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "ExtraHopNetworks",
- "ExtraHopNetworksAma",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "ExtrahopWhite.png",
- "ExtrahopBlack.png"
- ],
- "version": "1.0.0",
- "title": "ExtraHop",
- "templateRelativePath": "ExtraHopDetectionSummary.json",
- "subtitle": "",
- "provider": "ExtraHop Networks"
- },
- {
- "workbookKey": "BarracudaCloudFirewallWorkbook",
- "logoFileName": "barracuda_logo.svg",
- "description": "Gain insights into your Barracuda CloudGen Firewall by analyzing firewall operations and events.\nThis workbook provides insights into rule enforcement, network activities, including number of connections, top users, and helps you identify applications that are popular on your network.",
- "dataTypesDependencies": [
- "CommonSecurityLog",
- "Syslog"
- ],
- "dataConnectorsDependencies": [
- "BarracudaCloudFirewall",
- "SyslogAma"
- ],
- "previewImagesFileNames": [
- "BarracudaWhite1.png",
- "BarracudaBlack1.png",
- 
"BarracudaWhite2.png",
- "BarracudaBlack2.png"
- ],
- "version": "1.0.0",
- "title": "Barracuda CloudGen FW",
- "templateRelativePath": "Barracuda.json",
- "subtitle": "",
- "provider": "Barracuda"
- },
- {
- "workbookKey": "CitrixWorkbook",
- "logoFileName": "citrix_logo.svg",
- "description": "Citrix Analytics for Security aggregates and correlates information across network traffic, users, files and endpoints in Citrix environments. This generates actionable insights that enable Citrix administrators and security teams to remediate user security threats through automation while optimizing IT operations. Machine learning and artificial intelligence empowers Citrix Analytics for Security to identify and take automated action to prevent data exfiltration. While delivered as a cloud service, Citrix Analytics for Security can generate insights from resources located on-premises, in the cloud, or in hybrid architectures. The Citrix Analytics Workbook further enhances the value of both your Citrix Analytics for Security and Microsoft Sentinel. The Workbook enables you to integrate data sources together, helping you gain even richer insights. It also gives Security Operations (SOC) teams the ability to correlate data from disparate logs, helping you identify and proactively remediate security risk quickly. Additionally, valuable dashboards that were unique to the Citrix Analytics for Security can now be implemented in Sentinel. 
You can also create new custom Workbooks that were not previously available, helping extend the value of both investments.",
- "dataTypesDependencies": [
- "CitrixAnalytics_userProfile_CL",
- "CitrixAnalytics_riskScoreChange_CL",
- "CitrixAnalytics_indicatorSummary_CL",
- "CitrixAnalytics_indicatorEventDetails_CL"
- ],
- "dataConnectorsDependencies": [
- "Citrix"
- ],
- "previewImagesFileNames": [
- "CitrixWhite.png",
- "CitrixBlack.png"
- ],
- "version": "2.1.0",
- "title": "Citrix Analytics",
- "templateRelativePath": "Citrix.json",
- "subtitle": "",
- "provider": "Citrix Systems Inc."
- },
- {
- "workbookKey": "OneIdentityWorkbook",
- "logoFileName": "oneIdentity_logo.svg",
- "description": "This simple workbook gives an overview of sessions going through your SafeGuard for Privileged Sessions device.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "OneIdentity"
- ],
- "previewImagesFileNames": [
- "OneIdentityWhite.png",
- "OneIdentityBlack.png"
- ],
- "version": "1.0.0",
- "title": "One Identity",
- "templateRelativePath": "OneIdentity.json",
- "subtitle": "",
- "provider": "One Identity LLC.",
- "support": {
- "tier": "Community"
- },
- "author": {
- "name": "Amit Bergman"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [ "Identity" ]
- }
- },
- {
- "workbookKey": "SecurityStatusWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This workbook gives an overview of Security Settings for VMs and Azure Arc.",
- "dataTypesDependencies": [
- "CommonSecurityLog",
- "SecurityEvent",
- "Syslog"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "AzureSentinelSecurityStatusBlack.png",
- "AzureSentinelSecurityStatusWhite.png"
- ],
- "version": "1.3.0",
- "title": "Security Status",
- "templateRelativePath": "SecurityStatus.json",
- "subtitle": "",
- "provider": "Microsoft",
- "author": {
- "name": "Microsoft"
- },
- "support": {
- "tier": "Microsoft"
- },
- 
"categories": {
- "verticals": [],
- "domains": [
- "IT Operations",
- "Security - Others",
- "Compliance"
- ]
- }
- },
- {
- "workbookKey": "AzureSentinelSecurityAlertsWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Security Alerts dashboard for alerts in your Microsoft Sentinel environment.",
- "dataTypesDependencies": [
- "SecurityAlert"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "AzureSentinelSecurityAlertsWhite.png",
- "AzureSentinelSecurityAlertsBlack.png"
- ],
- "version": "1.1.0",
- "title": "Security Alerts",
- "templateRelativePath": "AzureSentinelSecurityAlerts.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "SquadraTechnologiesSecRMMWorkbook",
- "logoFileName": "SquadraTechnologiesLogo.svg",
- "description": "This workbook gives an overview of security data for removable storage activity such as USB thumb drives and USB connected mobile devices.",
- "dataTypesDependencies": [
- "secRMM_CL"
- ],
- "dataConnectorsDependencies": [
- "SquadraTechnologiesSecRmm"
- ],
- "previewImagesFileNames": [
- "SquadraTechnologiesSecRMMWhite.PNG",
- "SquadraTechnologiesSecRMMBlack.PNG"
- ],
- "version": "1.0.0",
- "title": "Squadra Technologies SecRMM - USB removable storage security",
- "templateRelativePath": "SquadraTechnologiesSecRMM.json",
- "subtitle": "",
- "provider": "Squadra Technologies"
- },
- {
- "workbookKey": "IoT-Alerts",
- "logoFileName": "IoTIcon.svg",
- "description": "Gain insights into your IoT data workloads from Azure IoT Hub managed deployments, monitor alerts across all your IoT Hub deployments, detect devices at risk and act upon potential threats.",
- "dataTypesDependencies": [
- "SecurityAlert"
- ],
- "dataConnectorsDependencies": [
- "IoT"
- ],
- "previewImagesFileNames": [
- "IOTBlack1.png",
- "IOTWhite1.png"
- ],
- "version": "1.2.0",
- "title": "Azure Defender for IoT Alerts",
- "templateRelativePath": "IOT_Alerts.json",
- "subtitle": "",
- "provider": 
"Microsoft",
- "support": {
- "tier": "Community"
- },
- "author": {
- "name": "morshabi"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [
- "Internet of Things (IoT)"
- ]
- }
- },
- {
- "workbookKey": "IoTAssetDiscovery",
- "logoFileName": "IoTIcon.svg",
- "description": "IoT Devices asset discovery from Firewall logs By Azure Defender for IoT",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "Fortinet"
- ],
- "previewImagesFileNames": [
- "workbook-iotassetdiscovery-screenshot-Black.PNG",
- "workbook-iotassetdiscovery-screenshot-White.PNG"
- ],
- "version": "1.0.0",
- "title": "IoT Asset Discovery",
- "templateRelativePath": "IoTAssetDiscovery.json",
- "subtitle": "",
- "provider": "Microsoft",
- "support": {
- "tier": "Community"
- },
- "author": {
- "name": "jomeczyk"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [
- "Internet of Things (IoT)"
- ]
- }
- },
- {
- "workbookKey": "ForcepointCASBWorkbook",
- "logoFileName": "FP_Green_Emblem_RGB-01.svg",
- "description": "Get insights on user risk with the Forcepoint CASB (Cloud Access Security Broker) workbook.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "ForcepointCasb",
- "ForcepointCasbAma",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "ForcepointCASBWhite.png",
- "ForcepointCASBBlack.png"
- ],
- "version": "1.0.0",
- "title": "Forcepoint Cloud Access Security Broker (CASB)",
- "templateRelativePath": "ForcepointCASB.json",
- "subtitle": "",
- "provider": "Forcepoint"
- },
- {
- "workbookKey": "ForcepointNGFWWorkbook",
- "logoFileName": "FP_Green_Emblem_RGB-01.svg",
- "description": "Get insights on firewall activities with the Forcepoint NGFW (Next Generation Firewall) workbook.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "ForcepointNgfw",
- "ForcepointNgfwAma",
- "CefAma"
- ],
- "previewImagesFileNames": [ 
- "ForcepointNGFWWhite.png", - "ForcepointNGFWBlack.png" - ], - "version": "1.0.0", - "title": "Forcepoint Next Generation Firewall (NGFW)", - "templateRelativePath": "ForcepointNGFW.json", - "subtitle": "", - "provider": "Forcepoint" - }, - { - "workbookKey": "ForcepointDLPWorkbook", - "logoFileName": "FP_Green_Emblem_RGB-01.svg", - "description": "Get insights on DLP incidents with the Forcepoint DLP (Data Loss Prevention) workbook.", - "dataTypesDependencies": [ - "ForcepointDLPEvents_CL" - ], - "dataConnectorsDependencies": [ - "ForcepointDlp" - ], - "previewImagesFileNames": [ - "ForcepointDLPWhite.png", - "ForcepointDLPBlack.png" - ], - "version": "1.0.0", - "title": "Forcepoint Data Loss Prevention (DLP)", - "templateRelativePath": "ForcepointDLP.json", - "subtitle": "", - "provider": "Forcepoint" - }, - { - "workbookKey": "ZimperiumMTDWorkbook", - "logoFileName": "ZIMPERIUM-logo_square2.svg", - "description": "This workbook provides insights on Zimperium Mobile Threat Defense (MTD) threats and mitigations.", - "dataTypesDependencies": [ - "ZimperiumThreatLog_CL", - "ZimperiumMitigationLog_CL" - ], - "dataConnectorsDependencies": [ - "ZimperiumMtdAlerts" - ], - "previewImagesFileNames": [ - "ZimperiumWhite.png", - "ZimperiumBlack.png" - ], - "version": "1.0.0", - "title": "Zimperium Mobile Threat Defense (MTD)", - "templateRelativePath": "ZimperiumWorkbooks.json", - "subtitle": "", - "provider": "Zimperium" - }, - { - "workbookKey": "AzureAuditActivityAndSigninWorkbook", - "logoFileName": "azureactivedirectory_logo.svg", - "description": "Gain insights into Microsoft Entra ID Audit, Activity and Signins with one workbook. 
This workbook can be used by Security and Azure administrators.", - "dataTypesDependencies": [ - "AzureActivity", - "AuditLogs", - "SigninLogs" - ], - "dataConnectorsDependencies": [ - "AzureActiveDirectory" - ], - "previewImagesFileNames": [ - "AzureAuditActivityAndSigninWhite1.png", - "AzureAuditActivityAndSigninWhite2.png", - "AzureAuditActivityAndSigninBlack1.png", - "AzureAuditActivityAndSigninBlack2.png" - ], - "version": "1.3.0", - "title": "Azure AD Audit, Activity and Sign-in logs", - "templateRelativePath": "AzureAuditActivityAndSignin.json", - "subtitle": "", - "provider": "Microsoft Sentinel community", - "support": { - "tier": "Community" - }, - "author": { - "name": "Sem Tijsseling" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "Identity" - ] - } - }, - { - "workbookKey": "WindowsFirewall", - "logoFileName": "Microsoft_logo.svg", - "description": "Gain insights into Windows Firewall logs in combination with security and Azure signin logs", - "dataTypesDependencies": [ - "WindowsFirewall", - "SecurityEvent", - "SigninLogs" - ], - "dataConnectorsDependencies": [ - "SecurityEvents", - "WindowsFirewall", - "WindowsSecurityEvents" - ], - "previewImagesFileNames": [ - "WindowsFirewallWhite1.png", - "WindowsFirewallWhite2.png", - "WindowsFirewallBlack1.png", - "WindowsFirewallBlack2.png" - ], - "version": "1.0.0", - "title": "Windows Firewall", - "templateRelativePath": "WindowsFirewall.json", - "subtitle": "", - "provider": "Microsoft Sentinel community" - }, - { - "workbookKey": "EventAnalyzerwWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "The Event Analyzer workbook allows to explore, audit and speed up analysis of Windows Event Logs, including all event details and attributes, such as security, application, system, setup, directory service, DNS and others.", - "dataTypesDependencies": [ - "SecurityEvent" - ], - "dataConnectorsDependencies": [ - "SecurityEvents", - "WindowsSecurityEvents" - ], - 
"previewImagesFileNames": [ - "EventAnalyzer-Workbook-White.png", - "EventAnalyzer-Workbook-Black.png" - ], - "version": "1.0.0", - "title": "Event Analyzer", - "templateRelativePath": "EventAnalyzer.json", - "subtitle": "", - "provider": "Microsoft Sentinel community" - }, - { - "workbookKey": "ASC-ComplianceandProtection", - "logoFileName": "Azure_Sentinel.svg", - "description": "Gain insight into regulatory compliance, alert trends, security posture, and more with this workbook based on Azure Security Center data.", - "dataTypesDependencies": [ - "SecurityAlert", - "ProtectionStatus", - "SecurityRecommendation", - "SecurityBaseline", - "SecurityBaselineSummary", - "Update", - "ConfigurationChange" - ], - "dataConnectorsDependencies": [ - "AzureSecurityCenter" - ], - "previewImagesFileNames": [ - "ASCCaPBlack.png", - "ASCCaPWhite.png" - ], - "version": "1.2.0", - "title": "ASC Compliance and Protection", - "templateRelativePath": "ASC-ComplianceandProtection.json", - "subtitle": "", - "provider": "Microsoft Sentinel community", - "support": { - "tier": "Community" - }, - "author": { - "name": "Matt Lowe" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "Security - Cloud Security" - ] - } - }, - { - "workbookKey": "AIVectraDetectWorkbook", - "logoFileName": "AIVectraDetect.svg", - "description": "Start investigating network attacks surfaced by Vectra Detect directly from Sentinel. View critical hosts, accounts, campaigns and detections. 
Also monitor Vectra system health and audit logs.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "AIVectraDetect", - "CefAma" - ], - "previewImagesFileNames": [ - "AIVectraDetectWhite1.png", - "AIVectraDetectBlack1.png" - ], - "version": "1.1.1", - "title": "Vectra AI Detect", - "templateRelativePath": "AIVectraDetectWorkbook.json", - "subtitle": "", - "provider": "Vectra AI" - }, - { - "workbookKey": "Perimeter81OverviewWorkbook", - "logoFileName": "Perimeter81_Logo.svg", - "description": "Gain insights and comprehensive monitoring into your Perimeter 81 account by analyzing activities.", - "dataTypesDependencies": [ - "Perimeter81_CL" - ], - "dataConnectorsDependencies": [ - "Perimeter81ActivityLogs" - ], - "previewImagesFileNames": [ - "Perimeter81OverviewWhite1.png", - "Perimeter81OverviewBlack1.png", - "Perimeter81OverviewWhite2.png", - "Perimeter81OverviewBlack2.png" - ], - "version": "1.0.0", - "title": "Perimeter 81 Overview", - "templateRelativePath": "Perimeter81OverviewWorkbook.json", - "subtitle": "", - "provider": "Perimeter 81" - }, - { - "workbookKey": "SymantecProxySGWorkbook", - "logoFileName": "symantec_logo.svg", - "description": "Gain insight into Symantec ProxySG by analyzing, collecting and correlating proxy data.\nThis workbook provides visibility into ProxySG Access logs", - "dataTypesDependencies": [ - "Syslog" - ], - "dataConnectorsDependencies": [ - "SymantecProxySG", - "SyslogAma" - ], - "previewImagesFileNames": [ - "SymantecProxySGWhite.png", - "SymantecProxySGBlack.png" - ], - "version": "1.0.0", - "title": "Symantec ProxySG", - "templateRelativePath": "SymantecProxySG.json", - "subtitle": "", - "provider": "Symantec" - }, - { - "workbookKey": "IllusiveASMWorkbook", - "logoFileName": "illusive_logo_workbook.svg", - "description": "Gain insights into your organization's Cyber Hygiene and Attack Surface risk.\nIllusive ASM automates discovery and clean-up of credential violations, allows 
drill-down inspection of pathways to critical assets, and provides risk insights that inform intelligent decision-making to reduce attacker mobility.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "illusiveAttackManagementSystem", - "illusiveAttackManagementSystemAma", - "CefAma" - ], - "previewImagesFileNames": [ - "IllusiveASMWhite.png", - "IllusiveASMBlack.png" - ], - "version": "1.0.0", - "title": "Illusive ASM Dashboard", - "templateRelativePath": "IllusiveASM.json", - "subtitle": "", - "provider": "Illusive" - }, - { - "workbookKey": "IllusiveADSWorkbook", - "logoFileName": "illusive_logo_workbook.svg", - "description": "Gain insights into unauthorized lateral movement in your organization's network.\nIllusive ADS is designed to paralyzes attackers and eradicates in-network threats by creating a hostile environment for the attackers across all the layers of the attack surface.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "illusiveAttackManagementSystem", - "illusiveAttackManagementSystemAma", - "CefAma" - ], - "previewImagesFileNames": [ - "IllusiveADSWhite.png", - "IllusiveADSBlack.png" - ], - "version": "1.0.0", - "title": "Illusive ADS Dashboard", - "templateRelativePath": "IllusiveADS.json", - "subtitle": "", - "provider": "Illusive" - }, - { - "workbookKey": "PulseConnectSecureWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Gain insight into Pulse Secure VPN by analyzing, collecting and correlating vulnerability data.\nThis workbook provides visibility into user VPN activities", - "dataTypesDependencies": [ - "Syslog" - ], - "dataConnectorsDependencies": [ - "PulseConnectSecure", - "SyslogAma" - ], - "previewImagesFileNames": [ - "PulseConnectSecureWhite.png", - "PulseConnectSecureBlack.png" - ], - "version": "1.0.0", - "title": "Pulse Connect Secure", - "templateRelativePath": "PulseConnectSecure.json", - "subtitle": "", - "provider": 
"Pulse Secure" - }, - { - "workbookKey": "InfobloxNIOSWorkbook", - "logoFileName": "infoblox_logo.svg", - "description": "Gain insight into Infoblox NIOS by analyzing, collecting and correlating DHCP and DNS data.\nThis workbook provides visibility into DHCP and DNS traffic", - "dataTypesDependencies": [ - "Syslog" - ], - "dataConnectorsDependencies": [ - "InfobloxNIOS", - "SyslogAma" - ], - "previewImagesFileNames": [ - "InfobloxNIOSWhite.png", - "InfobloxNIOSBlack.png" - ], - "version": "1.1.0", - "title": "Infoblox NIOS", - "templateRelativePath": "Infoblox-Workbook-V2.json", - "subtitle": "", - "provider": "Infoblox" - }, - { - "workbookKey": "SymantecVIPWorkbook", - "logoFileName": "symantec_logo.svg", - "description": "Gain insight into Symantec VIP by analyzing, collecting and correlating strong authentication data.\nThis workbook provides visibility into user authentications", - "dataTypesDependencies": [ - "Syslog" - ], - "dataConnectorsDependencies": [ - "SymantecVIP", - "SyslogAma" - ], - "previewImagesFileNames": [ - "SymantecVIPWhite.png", - "SymantecVIPBlack.png" - ], - "version": "1.0.0", - "title": "Symantec VIP", - "templateRelativePath": "SymantecVIP.json", - "subtitle": "", - "provider": "Symantec" - }, - { - "workbookKey": "ProofPointTAPWorkbook", - "logoFileName": "proofpointlogo.svg", - "description": "Gain extensive insight into Proofpoint Targeted Attack Protection (TAP) by analyzing, collecting and correlating TAP log events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked", - "dataTypesDependencies": [ - "ProofPointTAPMessagesBlocked_CL", - "ProofPointTAPMessagesDelivered_CL", - "ProofPointTAPClicksPermitted_CL", - "ProofPointTAPClicksBlocked_CL" - ], - "dataConnectorsDependencies": [ - "ProofpointTAP" - ], - "previewImagesFileNames": [ - "ProofpointTAPWhite.png", - "ProofpointTAPBlack.png" - ], - "version": "1.0.0", - "title": "Proofpoint TAP", - "templateRelativePath": 
"ProofpointTAP.json", - "subtitle": "", - "provider": "Proofpoint" - }, - { - "workbookKey": "QualysVMWorkbook", - "logoFileName": "qualys_logo.svg", - "description": "Gain insight into Qualys Vulnerability Management by analyzing, collecting and correlating vulnerability data.\nThis workbook provides visibility into vulnerabilities detected from vulnerability scans", - "dataTypesDependencies": [ - "QualysHostDetection_CL" - ], - "dataConnectorsDependencies": [ - "QualysVulnerabilityManagement" - ], - "previewImagesFileNames": [ - "QualysVMWhite.png", - "QualysVMBlack.png" - ], - "version": "1.0.0", - "title": "Qualys Vulnerability Management", - "templateRelativePath": "QualysVM.json", - "subtitle": "", - "provider": "Qualys" - }, - { - "workbookKey": "QualysVMV2Workbook", - "logoFileName": "qualys_logo.svg", - "description": "Gain insight into Qualys Vulnerability Management by analyzing, collecting and correlating vulnerability data.\nThis workbook provides visibility into vulnerabilities detected from vulnerability scans", - "dataTypesDependencies": [ - "QualysHostDetectionV2_CL" - ], - "dataConnectorsDependencies": [ - "QualysVulnerabilityManagement" - ], - "previewImagesFileNames": [ - "QualysVMWhite.png", - "QualysVMBlack.png" - ], - "version": "1.0.0", - "title": "Qualys Vulnerability Management", - "templateRelativePath": "QualysVMv2.json", - "subtitle": "", - "provider": "Qualys" - }, - { - "workbookKey": "GitHubSecurity", - "logoFileName": "GitHub.svg", - "description": "Gain insights to GitHub activities that may be interesting for security.", - "dataTypesDependencies": [ - "Github_CL", - "GitHubRepoLogs_CL" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "GitHubSecurityWhite.png", - "GitHubSecurityBlack.png" - ], - "version": "1.0.0", - "title": "GitHub Security", - "templateRelativePath": "GitHubSecurityWorkbook.json", - "subtitle": "", - "provider": "Microsoft Sentinel community" - }, - { - "workbookKey": "VisualizationDemo", 
- "logoFileName": "Azure_Sentinel.svg", - "description": "Learn and explore the many ways of displaying information within Microsoft Sentinel workbooks", - "dataTypesDependencies": [ - "SecurityAlert" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "VisualizationDemoBlack.png", - "VisualizationDemoWhite.png" - ], - "version": "1.0.0", - "title": "Visualizations Demo", - "templateRelativePath": "VisualizationDemo.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community", - "support": { - "tier": "Community" - }, - "author": { - "name": "Matt Lowe" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "Platform" - ] - } - }, - { - "workbookKey": "SophosXGFirewallWorkbook", - "logoFileName": "sophos_logo.svg", - "description": "Gain insight into Sophos XG Firewall by analyzing, collecting and correlating firewall data.\nThis workbook provides visibility into network traffic", - "dataTypesDependencies": [ - "Syslog" - ], - "dataConnectorsDependencies": [ - "SophosXGFirewall", - "SyslogAma" - ], - "previewImagesFileNames": [ - "SophosXGFirewallWhite.png", - "SophosXGFirewallBlack.png" - ], - "version": "1.0.0", - "title": "Sophos XG Firewall", - "templateRelativePath": "SophosXGFirewall.json", - "subtitle": "", - "provider": "Sophos" - }, - { - "workbookKey": "SysmonThreatHuntingWorkbook", - "logoFileName": "sysmonthreathunting_logo.svg", - "description": "Simplify your threat hunts using Sysmon data mapped to MITRE ATT&CK data. 
This workbook gives you the ability to drilldown into system activity based on known ATT&CK techniques as well as other threat hunting entry points such as user activity, network connections or virtual machine Sysmon events.\nPlease note that for this workbook to work you must have deployed Sysmon on your virtual machines in line with the instructions at https://github.com/BlueTeamLabs/sentinel-attack/wiki/Onboarding-sysmon-data-to-Azure-Sentinel", - "dataTypesDependencies": [ - "Event" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "SysmonThreatHuntingWhite1.png", - "SysmonThreatHuntingBlack1.png" - ], - "version": "1.4.0", - "title": "Sysmon Threat Hunting", - "templateRelativePath": "SysmonThreatHunting.json", - "subtitle": "", - "provider": "Microsoft Sentinel community", - "support": { - "tier": "Community" - }, - "author": { - "name": "Edoardo Gerosa" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "Security - Threat Protection", - "Application" - ] - } - }, - { - "workbookKey": "WebApplicationFirewallWAFTypeEventsWorkbook", - "logoFileName": "webapplicationfirewall(WAF)_logo.svg", - "description": "Gain insights into your organization's Azure web application firewall (WAF) across various services such as Azure Front Door Service and Application Gateway. You can view event triggers, full messages, attacks over time, among other data. 
Several aspects of the workbook are interactable to allow users to further understand their data", - "dataTypesDependencies": [ - "AzureDiagnostics" - ], - "dataConnectorsDependencies": [ - "WAF" - ], - "previewImagesFileNames": [ - "WAFFirewallWAFTypeEventsBlack1.PNG", - "WAFFirewallWAFTypeEventsBlack2.PNG", - "WAFFirewallWAFTypeEventsBlack3.PNG", - "WAFFirewallWAFTypeEventsBlack4.PNG", - "WAFFirewallWAFTypeEventsWhite1.png", - "WAFFirewallWAFTypeEventsWhite2.PNG", - "WAFFirewallWAFTypeEventsWhite3.PNG", - "WAFFirewallWAFTypeEventsWhite4.PNG" - ], - "version": "1.1.0", - "title": "Microsoft Web Application Firewall (WAF) - Azure WAF", - "templateRelativePath": "WebApplicationFirewallWAFTypeEvents.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "OrcaAlertsOverviewWorkbook", - "logoFileName": "Orca_logo.svg", - "description": "A visualized overview of Orca security alerts.\nExplore, analize and learn about your security posture using Orca alerts Overview", - "dataTypesDependencies": [ - "OrcaAlerts_CL" - ], - "dataConnectorsDependencies": [ - "OrcaSecurityAlerts" - ], - "previewImagesFileNames": [ - "OrcaAlertsWhite.png", - "OrcaAlertsBlack.png" - ], - "version": "1.1.0", - "title": "Orca alerts overview", - "templateRelativePath": "OrcaAlerts.json", - "subtitle": "", - "provider": "Orca Security" - }, - { - "workbookKey": "CyberArkWorkbook", - "logoFileName": "CyberArk_Logo.svg", - "description": "The CyberArk Syslog connector allows you to easily connect all your CyberArk security solution logs with your Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
Integration between CyberArk and Microsoft Sentinel makes use of the CEF Data Connector to properly parse and display CyberArk Syslog messages.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "CyberArk", - "CyberArkAma", - "CefAma" - ], - "previewImagesFileNames": [ - "CyberArkActivitiesWhite.PNG", - "CyberArkActivitiesBlack.PNG" - ], - "version": "1.1.0", - "title": "CyberArk EPV Events", - "templateRelativePath": "CyberArkEPV.json", - "subtitle": "", - "provider": "CyberArk" - }, - { - "workbookKey": "UserEntityBehaviorAnalyticsWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Identify compromised users and insider threats using User and Entity Behavior Analytics. Gain insights into anomalous user behavior from baselines learned from behavior patterns", - "dataTypesDependencies": [ - "Anomalies" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "UserEntityBehaviorAnalyticsBlack2.png", - "UserEntityBehaviorAnalyticsWhite2.png" - ], - "version": "2.0", - "title": "User And Entity Behavior Analytics", - "templateRelativePath": "UserEntityBehaviorAnalytics.json", - "subtitle": "", - "provider": "Microsoft", - "support": { - "tier": "Microsoft" - }, - "author": { - "name": "Microsoft Corporation" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "User Behavior (UEBA)" - ] - } - }, - { - "workbookKey": "CitrixWAF", - "logoFileName": "citrix_logo.svg", - "description": "Gain insight into the Citrix WAF logs", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "CitrixWAF", - "CitrixWAFAma", - "CefAma" - ], - "previewImagesFileNames": [ - "CitrixWAFBlack.png", - "CitrixWAFWhite.png" - ], - "version": "1.0.0", - "title": "Citrix WAF (Web App Firewall)", - "templateRelativePath": "CitrixWAF.json", - "subtitle": "", - "provider": "Citrix Systems Inc." 
- }, - { - "workbookKey": "UnifiSGWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Gain insights into Unifi Security Gateways analyzing traffic and activities.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "UnifiSGBlack.png", - "UnifiSGWhite.png" - ], - "version": "1.0.0", - "title": "Unifi Security Gateway", - "templateRelativePath": "UnifiSG.json", - "subtitle": "", - "provider": "Microsoft Sentinel community", - "support": { - "tier": "Community" - }, - "author": { - "name": "SecurityJedi" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "Security - Network" - ] - } - }, - { - "workbookKey": "UnifiSGNetflowWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Gain insights into Unifi Security Gateways analyzing traffic and activities using Netflow.", - "dataTypesDependencies": [ - "netflow_CL" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "UnifiSGNetflowBlack.png", - "UnifiSGNetflowWhite.png" - ], - "version": "1.0.0", - "title": "Unifi Security Gateway - NetFlow", - "templateRelativePath": "UnifiSGNetflow.json", - "subtitle": "", - "provider": "Microsoft Sentinel community", - "support": { - "tier": "Community" - }, - "author": { - "name": "SecurityJedi" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "Security - Network" - ] - } - }, - { - "workbookKey": "NormalizedNetworkEventsWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "See insights on multiple networking appliances and other network sessions, that have been parsed or mapped to the normalized networking sessions table. 
Note this requires enabling parsers for the different products - to learn more, visit https://aka.ms/sentinelnormalizationdocs", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "NormalizedNetworkEventsWhite.png", - "NormalizedNetworkEventsBlack.png" - ], - "version": "1.0.0", - "title": "Normalized network events", - "templateRelativePath": "NormalizedNetworkEvents.json", - "subtitle": "", - "provider": "Microsoft", - "support": { - "tier": "Community" - }, - "author": { - "name": "yoav fransis" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "Networking" - ] - } - }, - { - "workbookKey": "WorkspaceAuditingWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Workspace auditing report\r\nUse this report to understand query runs across your workspace.", - "dataTypesDependencies": [ - "LAQueryLogs" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "WorkspaceAuditingWhite.png", - "WorkspaceAuditingBlack.png" - ], - "version": "1.0.0", - "title": "Workspace audit", - "templateRelativePath": "WorkspaceAuditing.json", - "subtitle": "", - "provider": "Microsoft Sentinel community", - "support": { - "tier": "Community" - }, - "author": { - "name": "Sarah Young" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "IT Operations" - ] - } - }, - { - "workbookKey": "MITREATTACKWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Workbook to showcase MITRE ATT&CK Coverage for Microsoft Sentinel", - "dataTypesDependencies": [ - "SecurityAlert" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "MITREATTACKWhite1.PNG", - "MITREATTACKWhite2.PNG", - "MITREATTACKBlack1.PNG", - "MITREATTACKBlack2.PNG" - ], - "version": "1.0.1", - "title": "MITRE ATT&CK Workbook", - "templateRelativePath": "MITREAttack.json", - "subtitle": "", - "provider": "Microsoft Sentinel community" - }, - { - "workbookKey": 
"BETTERMTDWorkbook", - "logoFileName": "BETTER_MTD_logo.svg", - "description": "Workbook using the BETTER Mobile Threat Defense (MTD) connector, to give insights into your mobile devices, installed application and overall device security posture.", - "dataTypesDependencies": [ - "BetterMTDDeviceLog_CL", - "BetterMTDAppLog_CL", - "BetterMTDIncidentLog_CL", - "BetterMTDNetflowLog_CL" - ], - "dataConnectorsDependencies": [ - "BetterMTD" - ], - "previewImagesFileNames": [ - "BetterMTDWorkbookPreviewWhite1.png", - "BetterMTDWorkbookPreviewWhite2.png", - "BetterMTDWorkbookPreviewWhite3.png", - "BetterMTDWorkbookPreviewBlack1.png", - "BetterMTDWorkbookPreviewBlack2.png", - "BetterMTDWorkbookPreviewBlack3.png" - ], - "version": "1.1.0", - "title": "BETTER Mobile Threat Defense (MTD)", - "templateRelativePath": "BETTER_MTD_Workbook.json", - "subtitle": "", - "provider": "BETTER Mobile" - }, - { - "workbookKey": "AlsidIoEWorkbook", - "logoFileName": "Alsid.svg", - "description": "Workbook showcasing the state and evolution of your Alsid for AD Indicators of Exposures alerts.", - "dataTypesDependencies": [ - "AlsidForADLog_CL" - ], - "dataConnectorsDependencies": [ - "AlsidForAD" - ], - "previewImagesFileNames": [ - "AlsidIoEBlack1.png", - "AlsidIoEBlack2.png", - "AlsidIoEBlack3.png", - "AlsidIoEWhite1.png", - "AlsidIoEWhite2.png", - "AlsidIoEWhite3.png" - ], - "version": "1.0.0", - "title": "Alsid for AD | Indicators of Exposure", - "templateRelativePath": "AlsidIoE.json", - "subtitle": "", - "provider": "Alsid" - }, - { - "workbookKey": "AlsidIoAWorkbook", - "logoFileName": "Alsid.svg", - "description": "Workbook showcasing the state and evolution of your Alsid for AD Indicators of Attack alerts.", - "dataTypesDependencies": [ - "AlsidForADLog_CL" - ], - "dataConnectorsDependencies": [ - "AlsidForAD" - ], - "previewImagesFileNames": [ - "AlsidIoABlack1.png", - "AlsidIoABlack2.png", - "AlsidIoABlack3.png", - "AlsidIoAWhite1.png", - "AlsidIoAWhite2.png", - 
"AlsidIoAWhite3.png" - ], - "version": "1.0.0", - "title": "Alsid for AD | Indicators of Attack", - "templateRelativePath": "AlsidIoA.json", - "subtitle": "", - "provider": "Alsid" - }, - { - "workbookKey": "InvestigationInsightsWorkbook", - "logoFileName": "Microsoft_logo.svg", - "description": "Help analysts gain insight into incident, bookmark and entity data through the Investigation Insights Workbook. This workbook provides common queries and detailed visualizations to help an analyst investigate suspicious activities quickly with an easy to use interface. Analysts can start their investigation from a Microsoft Sentinel incident, bookmark, or by simply entering the entity data into the workbook manually.", - "dataTypesDependencies": [ - "AuditLogs", - "AzureActivity", - "CommonSecurityLog", - "OfficeActivity", - "SecurityEvent", - "SigninLogs", - "ThreatIntelligenceIndicator" - ], - "dataConnectorsDependencies": [ - "AzureActivity", - "SecurityEvents", - "Office365", - "AzureActiveDirectory", - "ThreatIntelligence", - "ThreatIntelligenceTaxii", - "WindowsSecurityEvents" - ], - "previewImagesFileNames": [ - "InvestigationInsightsWhite1.png", - "InvestigationInsightsBlack1.png", - "InvestigationInsightsWhite2.png", - "InvestigationInsightsBlack2.png" - ], - "version": "1.4.1", - "title": "Investigation Insights", - "templateRelativePath": "InvestigationInsights.json", - "subtitle": "", - "provider": "Microsoft Sentinel community" - }, - { - "workbookKey": "AksSecurityWorkbook", - "logoFileName": "Kubernetes_services.svg", - "description": "See insights about the security of your AKS clusters. 
The workbook helps to identify sensitive operations in the clusters and get insights based on Azure Defender alerts.", - "dataTypesDependencies": [ - "SecurityAlert", - "AzureDiagnostics" - ], - "dataConnectorsDependencies": [ - "AzureSecurityCenter", - "AzureKubernetes" - ], - "previewImagesFileNames": [ - "AksSecurityWhite.png", - "AksSecurityBlack.png" - ], - "version": "1.5.0", - "title": "Azure Kubernetes Service (AKS) Security", - "templateRelativePath": "AksSecurity.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "AzureKeyVaultWorkbook", - "logoFileName": "KeyVault.svg", - "description": "See insights about the security of your Azure key vaults. The workbook helps to identify sensitive operations in the key vaults and get insights based on Azure Defender alerts.", - "dataTypesDependencies": [ - "SecurityAlert", - "AzureDiagnostics" - ], - "dataConnectorsDependencies": [ - "AzureSecurityCenter", - "AzureKeyVault" - ], - "previewImagesFileNames": [ - "AkvSecurityWhite.png", - "AkvSecurityBlack.png" - ], - "version": "1.1.0", - "title": "Azure Key Vault Security", - "templateRelativePath": "AzureKeyVaultWorkbook.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "IncidentOverview", - "logoFileName": "Azure_Sentinel.svg", - "description": "The Incident Overview workbook is designed to assist in triaging and investigation by providing in-depth information about the incident, including:\r\n* General information\r\n* Entity data\r\n* Triage time (time between incident creation and first response)\r\n* Mitigation time (time between incident creation and closing)\r\n* Comments\r\n\r\nCustomize this workbook by saving and editing it. \r\nYou can reach this workbook template from the incidents panel as well. 
Once you have customized it, the link from the incident panel will open the customized workbook instead of the template.\r\n", - "dataTypesDependencies": [ - "SecurityAlert", - "SecurityIncident" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "IncidentOverviewBlack1.png", - "IncidentOverviewWhite1.png", - "IncidentOverviewBlack2.png", - "IncidentOverviewWhite2.png" - ], - "version": "2.1.0", - "title": "Incident overview", - "templateRelativePath": "IncidentOverview.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "SecurityOperationsEfficiency", - "logoFileName": "Azure_Sentinel.svg", - "description": "Security operations center managers can view overall efficiency metrics and measures regarding the performance of their team. They can find operations by multiple indicators over time including severity, MITRE tactics, mean time to triage, mean time to resolve and more. The SOC manager can develop a picture of the performance in both general and specific areas over time and use it to improve efficiency.", - "dataTypesDependencies": [ - "SecurityAlert", - "SecurityIncident" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "SecurityEfficiencyWhite1.png", - "SecurityEfficiencyWhite2.png", - "SecurityEfficiencyBlack1.png", - "SecurityEfficiencyBlack2.png" - ], - "version": "1.5.1", - "title": "Security Operations Efficiency", - "templateRelativePath": "SecurityOperationsEfficiency.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "DataCollectionHealthMonitoring", - "logoFileName": "Azure_Sentinel.svg", - "description": "Gain insights into your workspace's data ingestion status. 
In this workbook, you can view additional monitors and detect anomalies that will help you determine your workspace's data collection health.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "HealthMonitoringWhite1.png", - "HealthMonitoringWhite2.png", - "HealthMonitoringWhite3.png", - "HealthMonitoringBlack1.png", - "HealthMonitoringBlack2.png", - "HealthMonitoringBlack3.png" - ], - "version": "1.0.0", - "title": "Data collection health monitoring", - "templateRelativePath": "DataCollectionHealthMonitoring.json", - "subtitle": "", - "provider": "Microsoft", - "support": { "tier": "Community" }, - "author": { "name": "morshabi" }, - "source": { "kind": "Community" }, - "categories": { "domains": [ "IT Operations", "Platform" ] } - }, - { - "workbookKey": "OnapsisAlarmsWorkbook", - "logoFileName": "onapsis_logo.svg", - "description": "Gain insights into what is going on in your SAP Systems with this overview of the alarms triggered in the Onapsis Platform. 
Incidents are enriched with context and next steps to help your Security team respond effectively.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "OnapsisPlatform", - "CefAma" - ], - "previewImagesFileNames": [ - "OnapsisWhite1.PNG", - "OnapsisBlack1.PNG", - "OnapsisWhite2.PNG", - "OnapsisBlack2.PNG" - ], - "version": "1.0.0", - "title": "Onapsis Alarms Overview", - "templateRelativePath": "OnapsisAlarmsOverview.json", - "subtitle": "", - "provider": "Onapsis" - }, - { - "workbookKey": "DelineaWorkbook", - "logoFileName": "DelineaLogo.svg", - "description": "The Delinea Secret Server Syslog connector", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "DelineaSecretServer_CEF", - "DelineaSecretServerAma", - "CefAma" - ], - "previewImagesFileNames": [ - "DelineaWorkbookWhite.PNG", - "DelineaWorkbookBlack.PNG" - ], - "version": "1.0.0", - "title": "Delinea Secret Server Workbook", - "templateRelativePath": "DelineaWorkbook.json", - "subtitle": "", - "provider": "Delinea" - }, - { - "workbookKey": "ForcepointCloudSecurityGatewayWorkbook", - "logoFileName": "Forcepoint_new_logo.svg", - "description": "Use this report to understand query runs across your workspace.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "ForcepointCSG", - "ForcepointCSGAma", - "CefAma" - ], - "previewImagesFileNames": [ - "ForcepointCloudSecurityGatewayWhite.png", - "ForcepointCloudSecurityGatewayBlack.png" - ], - "version": "1.0.0", - "title": "Forcepoint Cloud Security Gateway Workbook", - "templateRelativePath": "ForcepointCloudSecuirtyGateway.json", - "subtitle": "", - "provider": "Forcepoint" - }, - { - "workbookKey": "IntsightsIOCWorkbook", - "logoFileName": "IntSights_logo.svg", - "description": "This Microsoft Sentinel workbook provides an overview of Indicators of Compromise (IOCs) and their correlations allowing users to analyze and visualize 
indicators based on severity, type, and other parameters.",
- "dataTypesDependencies": [
- "ThreatIntelligenceIndicator",
- "SecurityAlert"
- ],
- "dataConnectorsDependencies": [
- "ThreatIntelligenceTaxii"
- ],
- "previewImagesFileNames": [
- "IntsightsIOCWhite.png",
- "IntsightsMatchedWhite.png",
- "IntsightsMatchedBlack.png",
- "IntsightsIOCBlack.png"
- ],
- "version": "2.0.0",
- "title": "IntSights IOC Workbook",
- "templateRelativePath": "IntsightsIOCWorkbook.json",
- "subtitle": "",
- "provider": "IntSights Cyber Intelligence"
- },
- {
- "workbookKey": "DarktraceSummaryWorkbook",
- "logoFileName": "Darktrace.svg",
- "description": "A workbook containing relevant KQL queries to help you visualise the data in model breaches from the Darktrace Connector",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "Darktrace",
- "DarktraceAma",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "AIA-DarktraceSummaryWhite.png",
- "AIA-DarktraceSummaryBlack.png"
- ],
- "version": "1.1.0",
- "title": "AI Analyst Darktrace Model Breach Summary",
- "templateRelativePath": "AIA-Darktrace.json",
- "subtitle": "",
- "provider": "Darktrace"
- },
- {
- "workbookKey": "TrendMicroXDR",
- "logoFileName": "trendmicro_logo.svg",
- "description": "Gain insights from Trend Vision One with this overview of the Alerts triggered.",
- "dataTypesDependencies": [
- "TrendMicro_XDR_WORKBENCH_CL"
- ],
- "dataConnectorsDependencies": [
- "TrendMicroXDR"
- ],
- "previewImagesFileNames": [
- "TrendMicroXDROverviewWhite.png",
- "TrendMicroXDROverviewBlack.png"
- ],
- "version": "1.3.0",
- "title": "Trend Vision One Alert Overview",
- "templateRelativePath": "TrendMicroXDROverview.json",
- "subtitle": "",
- "provider": "Trend Micro"
- },
- {
- "workbookKey": "CyberpionOverviewWorkbook",
- "logoFileName": "cyberpion_logo.svg",
- "description": "Use Cyberpion's Security Logs and this workbook, to get an overview of your online assets, gain insights into their 
current state, and find ways to better secure your ecosystem.",
- "dataTypesDependencies": [
- "CyberpionActionItems_CL"
- ],
- "dataConnectorsDependencies": [
- "CyberpionSecurityLogs"
- ],
- "previewImagesFileNames": [
- "CyberpionActionItemsBlack.png",
- "CyberpionActionItemsWhite.png"
- ],
- "version": "1.0.0",
- "title": "Cyberpion Overview",
- "templateRelativePath": "CyberpionOverviewWorkbook.json",
- "subtitle": "",
- "provider": "Cyberpion"
- },
- {
- "workbookKey": "SolarWindsPostCompromiseHuntingWorkbook",
- "logoFileName": "MSTIC-Logo.svg",
- "description": "This hunting workbook is intended to help identify activity related to the Solorigate compromise and subsequent attacks discovered in December 2020",
- "dataTypesDependencies": [
- "CommonSecurityLog",
- "SigninLogs",
- "AuditLogs",
- "AADServicePrincipalSignInLogs",
- "OfficeActivity",
- "BehaviorAnalytics",
- "SecurityEvent",
- "DeviceProcessEvents",
- "SecurityAlert",
- "DnsEvents"
- ],
- "dataConnectorsDependencies": [
- "AzureActiveDirectory",
- "SecurityEvents",
- "Office365",
- "MicrosoftThreatProtection",
- "DNS",
- "WindowsSecurityEvents"
- ],
- "previewImagesFileNames": [
- "SolarWindsPostCompromiseHuntingWhite.png",
- "SolarWindsPostCompromiseHuntingBlack.png"
- ],
- "version": "1.5.1",
- "title": "SolarWinds Post Compromise Hunting",
- "templateRelativePath": "SolarWindsPostCompromiseHunting.json",
- "subtitle": "",
- "provider": "Microsoft",
- "support": {
- "tier": "Microsoft"
- },
- "author": {
- "name": "Shain"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [ "Security - Others" ]
- }
- },
- {
- "workbookKey": "ProofpointPODWorkbook",
- "logoFileName": "proofpointlogo.svg",
- "description": "Gain insights into your Proofpoint on Demand Email Security activities, including maillog and messages data. 
The Workbook provides users with an executive dashboard showing the reporting capabilities, message traceability and monitoring.",
- "dataTypesDependencies": [
- "ProofpointPOD_maillog_CL",
- "ProofpointPOD_message_CL"
- ],
- "dataConnectorsDependencies": [
- "ProofpointPOD"
- ],
- "previewImagesFileNames": [
- "ProofpointPODMainBlack1.png",
- "ProofpointPODMainBlack2.png",
- "ProofpointPODMainWhite1.png",
- "ProofpointPODMainWhite2.png",
- "ProofpointPODMessageSummaryBlack.png",
- "ProofpointPODMessageSummaryWhite.png",
- "ProofpointPODTLSBlack.png",
- "ProofpointPODTLSWhite.png"
- ],
- "version": "1.0.0",
- "title": "Proofpoint On-Demand Email Security",
- "templateRelativePath": "ProofpointPOD.json",
- "subtitle": "",
- "provider": "Proofpoint"
- },
- {
- "workbookKey": "CiscoUmbrellaWorkbook",
- "logoFileName": "cisco_logo.svg",
- "description": "Gain insights into Cisco Umbrella activities, including the DNS, Proxy and Cloud Firewall data. Workbook shows general information along with threat landscape including categories, blocked destinations and URLs.",
+ {
+ "workbookKey": "1PasswordWorkbook",
+ "logoFileName": "1password.svg",
+ "description": "Gain insights and comprehensive monitoring into 1Password events data by analyzing traffic and user activities.\nThis workbook provides insights into various 1Password events types.\nYou can use this workbook to get visibility in to your 1Password Security Events and quickly identify threats, anamolies, traffic patterns, application usage, blocked IP addresses and more.",
+ "dataTypesDependencies": [
+ "OnePasswordEventLogs_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "1Password"
+ ],
+ "previewImagesFileNames": [
+ "1PasswordLogsBlack1.png",
+ "1PasswordLogsBlack2.png",
+ "1PasswordLogsBlack3.png",
+ "1PasswordLogsBlack4.png",
+ "1PasswordLogsWhite1.png",
+ "1PasswordLogsWhite2.png",
+ "1PasswordLogsWhite3.png",
+ "1PasswordLogsWhite4.png"
+ ],
+ "version": "1.0.0",
+ "title": "1Password Events Workbook",
+ 
"templateRelativePath": "1Password.json", + "subtitle": "", + "provider": "1Password" + }, + { + "workbookKey": "42CrunchAPIProtectionWorkbook", + "logoFileName": "42CrunchLogo.svg", + "description": "Monitor and protect APIs using the 42Crunch API microfirewall", + "dataTypesDependencies": [ + "apifirewall_log_1_CL" + ], + "dataConnectorsDependencies": [ + "42CrunchAPIProtection" + ], + "previewImagesFileNames": [ + "42CrunchInstancesBlack.png", + "42CrunchInstancesWhite.png", + "42CrunchRequestsBlack.png", + "42CrunchRequestsWhite.png", + "42CrunchStatusBlack.png", + "42CrunchStatusWhite.png" + ], + "version": "1.0.0", + "title": "42Crunch API Protection Workbook", + "templateRelativePath": "42CrunchAPIProtectionWorkbook.json", + "subtitle": "", + "provider": "42Crunch" + }, + { + "workbookKey": "AttackSurfaceReduction", + "logoFileName": "M365securityposturelogo.svg", + "description": "This workbook helps you implement the ASR rules of Windows/Defender, and to monitor them over time. The workbook can filter on ASR rules in Audit mode and Block mode.", + "dataTypesDependencies": [ + "DeviceEvents" + ], + "dataConnectorsDependencies": [ + "MicrosoftThreatProtection" + ], + "previewImagesFileNames": [ + "AttackSurfaceReductionWhite.png", + "AttackSurfaceReductionBlack.png" + ], + "version": "1.0.0", + "title": "Attack Surface Reduction Dashboard", + "templateRelativePath": "AttackSurfaceReduction.json", + "subtitle": "", + "provider": "Microsoft Sentinel community" + }, + { + "workbookKey": "ForcepointNGFWAdvanced", + "logoFileName": "FPAdvLogo.svg", + "description": "Gain threat intelligence correlated security and application insights on Forcepoint NGFW (Next Generation Firewall). 
Monitor Forcepoint logging servers health.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog",
+ "ThreatIntelligenceIndicator"
+ ],
+ "dataConnectorsDependencies": [
+ "ForcepointNgfw",
+ "ThreatIntelligence",
+ "ForcepointNgfwAma",
+ "CefAma"
+ ],
+ "previewImagesFileNames": [
+ "ForcepointNGFWAdvancedWhite.png",
+ "ForcepointNGFWAdvancedBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Forcepoint Next Generation Firewall (NGFW) Advanced Workbook",
+ "templateRelativePath": "ForcepointNGFWAdvanced.json",
+ "subtitle": "",
+ "provider": "Forcepoint"
+ },
+ {
+ "workbookKey": "AzureActivityWorkbook",
+ "logoFileName": "azureactivity_logo.svg",
+ "description": "Gain extensive insight into your organization's Azure Activity by analyzing, and correlating all user operations and events.\nYou can learn about all user operations, trends, and anomalous changes over time.\nThis workbook gives you the ability to drill down into caller activities and summarize detected failure and warning events.",
+ "dataTypesDependencies": [
+ "AzureActivity"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureActivity"
+ ],
+ "previewImagesFileNames": [
+ "AzureActivityWhite1.png",
+ "AzureActivityBlack1.png"
+ ],
+ "version": "2.0.0",
+ "title": "Azure Activity",
+ "templateRelativePath": "AzureActivity.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "IdentityAndAccessWorkbook",
+ "logoFileName": "Microsoft_logo.svg",
+ "description": "Gain insights into Identity and access operations by collecting and analyzing security logs, using the audit and sign-in logs to gather insights into use of Microsoft products.\nYou can view anomalies and trends across login events from all users and machines. 
This workbook also identifies suspicious entities from login and access events.",
+ "dataTypesDependencies": [
+ "SecurityEvent"
+ ],
+ "dataConnectorsDependencies": [
+ "SecurityEvents",
+ "WindowsSecurityEvents"
+ ],
+ "previewImagesFileNames": [
+ "IdentityAndAccessWhite.png",
+ "IdentityAndAccessBlack.png"
+ ],
+ "version": "1.1.0",
+ "title": "Identity & Access",
+ "templateRelativePath": "IdentityAndAccess.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "ConditionalAccessTrendsandChangesWorkbook",
+ "logoFileName": "Microsoft_logo.svg",
+ "description": "Gain insights into Conditional Access Trends and Changes.",
+ "dataTypesDependencies": [
+ "SigninLogs"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureActiveDirectory"
+ ],
+ "previewImagesFileNames": [
+ "catrendsWhite.png",
+ "catrendsBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Conditional Access Trends and Changes",
+ "templateRelativePath": "ConditionalAccessTrendsandChanges.json",
+ "subtitle": "",
+ "provider": "Microsoft",
+ "support": {
+ "tier": "Community"
+ },
+ "author": {
+ "name": "Microsoft Sentinel Community"
+ },
+ "source": {
+ "kind": "Community"
+ },
+ "categories": {
+ "domains": [
+ "Identity"
+ ]
+ }
+ },
+ {
+ "workbookKey": "CheckPointWorkbook",
+ "logoFileName": "checkpoint_logo.svg",
+ "description": "Gain insights into Check Point network activities, including number of gateways and servers, security incidents, and identify infected hosts.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "CheckPoint"
+ ],
+ "previewImagesFileNames": [
+ "CheckPointWhite.png",
+ "CheckPointBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Check Point Software Technologies",
+ "templateRelativePath": "CheckPoint.json",
+ "subtitle": "",
+ "provider": "Check Point"
+ },
+ {
+ "workbookKey": "CiscoWorkbook",
+ "logoFileName": "cisco_logo.svg",
+ "description": "Gain insights into your Cisco ASA firewalls by analyzing 
traffic, events, and firewall operations.\nThis workbook analyzes Cisco ASA threat events and identifies suspicious ports, users, protocols and IP addresses.\nYou can learn about trends across user and data traffic directions, and drill down into the Cisco filter results.\nEasily detect attacks on your organization by monitoring management operations, such as configuration and logins.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "CiscoASA"
+ ],
+ "previewImagesFileNames": [
+ "CiscoWhite.png",
+ "CiscoBlack.png"
+ ],
+ "version": "1.1.0",
+ "title": "Cisco - ASA",
+ "templateRelativePath": "Cisco.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "ExchangeOnlineWorkbook",
+ "logoFileName": "office365_logo.svg",
+ "description": "Gain insights into Microsoft Exchange online by tracing and analyzing all Exchange operations and user activities.\nThis workbook let you monitor user activities, including logins, account operations, permission changes, and mailbox creations to discover suspicious trends among them.",
+ "dataTypesDependencies": [
+ "OfficeActivity"
+ ],
+ "dataConnectorsDependencies": [
+ "Office365"
+ ],
+ "previewImagesFileNames": [
+ "ExchangeOnlineWhite.png",
+ "ExchangeOnlineBlack.png"
+ ],
+ "version": "2.0.0",
+ "title": "Exchange Online",
+ "templateRelativePath": "ExchangeOnline.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "CloudNGFW-OverviewWorkbook",
+ "logoFileName": "paloalto_logo.svg",
+ "description": "Gain insights and comprehensive monitoring into Azure CloudNGFW by Palo Alto Networks by analyzing traffic and activities.\nThis workbook correlates all Palo Alto data with threat events to identify suspicious entities and relationships.\nYou can learn about trends across user and data traffic, and drill down into Palo Alto Wildfire and filter results.",
+ "dataTypesDependencies": [
+ "fluentbit_CL"
+ ],
+ "dataConnectorsDependencies": [ 
+ "CloudNgfwByPAN" + ], + "previewImagesFileNames": [ + "PaloAltoOverviewWhite1.png", + "PaloAltoOverviewBlack1.png", + "PaloAltoOverviewWhite2.png", + "PaloAltoOverviewBlack2.png", + "PaloAltoOverviewWhite3.png", + "PaloAltoOverviewBlack3.png" + ], + "version": "1.2.0", + "title": "Azure CloudNGFW By Palo Alto Networks - Overview", + "templateRelativePath": "CloudNGFW-Overview.json", + "subtitle": "", + "provider": "Palo Alto Networks" + }, + { + "workbookKey": "CloudNGFW-NetworkThreatWorkbook", + "logoFileName": "paloalto_logo.svg", + "description": "Gain insights into Azure CloudNGFW activities by analyzing threat events.\nYou can extract meaningful security information by correlating data between threats, applications, and time.\nThis workbook makes it easy to track malware, vulnerability, and virus log events.", + "dataTypesDependencies": [ + "fluentbit_CL" + ], + "dataConnectorsDependencies": [ + "CloudNgfwByPAN" + ], + "previewImagesFileNames": [ + "PaloAltoNetworkThreatWhite1.png", + "PaloAltoNetworkThreatBlack1.png", + "PaloAltoNetworkThreatWhite2.png", + "PaloAltoNetworkThreatBlack2.png" + ], + "version": "1.2.0", + "title": "Azure CloudNGFW By Palo Alto Networks - Network Threats", + "templateRelativePath": "CloudNGFW-NetworkThreat.json", + "subtitle": "", + "provider": "Palo Alto Networks" + }, + { + "workbookKey": "PaloAltoOverviewWorkbook", + "logoFileName": "paloalto_logo.svg", + "description": "Gain insights and comprehensive monitoring into Palo Alto firewalls by analyzing traffic and activities.\nThis workbook correlates all Palo Alto data with threat events to identify suspicious entities and relationships.\nYou can learn about trends across user and data traffic, and drill down into Palo Alto Wildfire and filter results.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "PaloAltoNetworks", + "CefAma" + ], + "previewImagesFileNames": [ + "PaloAltoOverviewWhite1.png", + "PaloAltoOverviewBlack1.png", + 
"PaloAltoOverviewWhite2.png", + "PaloAltoOverviewBlack2.png", + "PaloAltoOverviewWhite3.png", + "PaloAltoOverviewBlack3.png" + ], + "version": "1.2.0", + "title": "Palo Alto overview", + "templateRelativePath": "PaloAltoOverview.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "PaloAltoNetworkThreatWorkbook", + "logoFileName": "paloalto_logo.svg", + "description": "Gain insights into Palo Alto network activities by analyzing threat events.\nYou can extract meaningful security information by correlating data between threats, applications, and time.\nThis workbook makes it easy to track malware, vulnerability, and virus log events.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "PaloAltoNetworks", + "CefAma" + ], + "previewImagesFileNames": [ + "PaloAltoNetworkThreatWhite1.png", + "PaloAltoNetworkThreatBlack1.png", + "PaloAltoNetworkThreatWhite2.png", + "PaloAltoNetworkThreatBlack2.png" + ], + "version": "1.1.0", + "title": "Palo Alto Network Threat", + "templateRelativePath": "PaloAltoNetworkThreat.json", + "subtitle": "", + "provider": "Palo Alto Networks" + }, + { + "workbookKey": "EsetSMCWorkbook", + "logoFileName": "eset-logo.svg", + "description": "Visualize events and threats from Eset Security Management Center.", + "dataTypesDependencies": [ + "eset_CL" + ], + "dataConnectorsDependencies": [ + "EsetSMC" + ], + "previewImagesFileNames": [ + "esetSMCWorkbook-black.png", + "esetSMCWorkbook-white.png" + ], + "version": "1.0.0", + "title": "Eset Security Management Center Overview", + "templateRelativePath": "esetSMCWorkbook.json", + "subtitle": "", + "provider": "Community", + "support": { + "tier": "Community" + }, + "author": { + "name": "Tomáš Kubica" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Security - Others" + ] + } + }, + { + "workbookKey": "FortigateWorkbook", + "logoFileName": "fortinet_logo.svg", + "description": "Gain insights into 
Fortigate firewalls by analyzing traffic and activities.\nThis workbook finds correlations in Fortigate threat events and identifies suspicious ports, users, protocols and IP addresses.\nYou can learn about trends across user and data traffic, and drill down into the Fortigate filter results.\nEasily detect attacks on your organization by monitoring management operations such as configuration and logins.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "Fortinet",
+ "CefAma"
+ ],
+ "previewImagesFileNames": [
+ "FortigateWhite.png",
+ "FortigateBlack.png"
+ ],
+ "version": "1.1.0",
+ "title": "FortiGate",
+ "templateRelativePath": "Fortigate.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "DnsWorkbook",
+ "logoFileName": "dns_logo.svg",
+ "description": "Gain extensive insight into your organization's DNS by analyzing, collecting and correlating all DNS events.\nThis workbook exposes a variety of information about suspicious queries, malicious IP addresses and domain operations.",
+ "dataTypesDependencies": [
+ "DnsInventory",
+ "DnsEvents"
+ ],
+ "dataConnectorsDependencies": [
+ "DNS"
+ ],
+ "previewImagesFileNames": [
+ "DnsWhite.png",
+ "DnsBlack.png"
+ ],
+ "version": "1.3.0",
+ "title": "DNS",
+ "templateRelativePath": "Dns.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "Office365Workbook",
+ "logoFileName": "office365_logo.svg",
+ "description": "Gain insights into Office 365 by tracing and analyzing all operations and activities. 
You can drill down into your SharePoint, OneDrive, and Exchange.\nThis workbook lets you find usage trends across users, files, folders, and mailboxes, making it easier to identify anomalies in your network.",
+ "dataTypesDependencies": [
+ "OfficeActivity"
+ ],
+ "dataConnectorsDependencies": [
+ "Office365"
+ ],
+ "previewImagesFileNames": [
+ "Office365White1.png",
+ "Office365Black1.png",
+ "Office365White2.png",
+ "Office365Black2.png",
+ "Office365White3.png",
+ "Office365Black3.png"
+ ],
+ "version": "2.0.1",
+ "title": "Office 365",
+ "templateRelativePath": "Office365.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "SharePointAndOneDriveWorkbook",
+ "logoFileName": "office365_logo.svg",
+ "description": "Gain insights into SharePoint and OneDrive by tracing and analyzing all operations and activities.\nYou can view trends across user operation, find correlations between users and files, and identify interesting information such as user IP addresses.",
+ "dataTypesDependencies": [
+ "OfficeActivity"
+ ],
+ "dataConnectorsDependencies": [
+ "Office365"
+ ],
+ "previewImagesFileNames": [
+ "SharePointAndOneDriveBlack1.png",
+ "SharePointAndOneDriveBlack2.png",
+ "SharePointAndOneDriveWhite1.png",
+ "SharePointAndOneDriveWhite2.png"
+ ],
+ "version": "2.0.0",
+ "title": "SharePoint & OneDrive",
+ "templateRelativePath": "SharePointAndOneDrive.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "AzureActiveDirectorySigninLogsWorkbook",
+ "logoFileName": "azureactivedirectory_logo.svg",
+ "description": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Microsoft Entra ID scenarios. 
\nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures.",
+ "dataTypesDependencies": [
+ "SigninLogs"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureActiveDirectory"
+ ],
+ "previewImagesFileNames": [
+ "AADsigninBlack1.png",
+ "AADsigninBlack2.png",
+ "AADsigninWhite1.png",
+ "AADsigninWhite2.png"
+ ],
+ "version": "2.4.0",
+ "title": "Microsoft Entra ID Sign-in logs",
+ "templateRelativePath": "AzureActiveDirectorySignins.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "VirtualMachinesInsightsWorkbook",
+ "logoFileName": "azurevirtualmachine_logo.svg",
+ "description": "Gain rich insight into your organization's virtual machines from Azure Monitor, which analyzes and correlates data in your VM network. \nYou will get visibility on your VM parameters and behavior, and will be able to trace sent and received data. \nIdentify malicious attackers and their targets, and drill down into the protocols, source and destination IP addresses, countries, and ports the attacks occur across.",
+ "dataTypesDependencies": [
+ "VMConnection",
+ "ServiceMapComputer_CL",
+ "ServiceMapProcess_CL"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "VMInsightBlack1.png",
+ "VMInsightWhite1.png"
+ ],
+ "version": "1.3.0",
+ "title": "VM insights",
+ "templateRelativePath": "VirtualMachinesInsights.json",
+ "subtitle": "",
+ "provider": "Microsoft",
+ "support": {
+ "tier": "Microsoft"
+ },
+ "author": {
+ "name": "Microsoft Corporation"
+ },
+ "source": {
+ "kind": "Community"
+ },
+ "categories": {
+ "domains": [
+ "IT Operations",
+ "Platform"
+ ]
+ }
+ },
+ {
+ "workbookKey": "AzureActiveDirectoryAuditLogsWorkbook",
+ "logoFileName": "azureactivedirectory_logo.svg",
+ "description": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the audit logs to gather 
insights around Microsoft Entra ID scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps.",
+ "dataTypesDependencies": [
+ "AuditLogs"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureActiveDirectory"
+ ],
+ "previewImagesFileNames": [
+ "AzureADAuditLogsBlack1.png",
+ "AzureADAuditLogsWhite1.png"
+ ],
+ "version": "1.2.0",
+ "title": "Microsoft Entra ID Audit logs",
+ "templateRelativePath": "AzureActiveDirectoryAuditLogs.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "ThreatIntelligenceWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Gain insights into threat indicators ingestion and search for indicators at scale across Microsoft 1st Party, 3rd Party, On-Premises, Hybrid, and Multi-Cloud Workloads. Indicators Search facilitates a simple interface for finding IP, File, Hash, Sender and more across your data. Seamless pivots to correlate indicators with Microsoft Sentinel: Incidents to make your threat intelligence actionable.",
+ "dataTypesDependencies": [
+ "ThreatIntelligenceIndicator",
+ "SecurityIncident"
+ ],
+ "dataConnectorsDependencies": [
+ "ThreatIntelligence",
+ "ThreatIntelligenceTaxii",
+ "MicrosoftDefenderThreatIntelligence",
+ "ThreatIntelligenceUploadIndicatorsAPI"
+ ],
+ "previewImagesFileNames": [
+ "ThreatIntelligenceWhite.png",
+ "ThreatIntelligenceBlack.png"
+ ],
+ "version": "5.0.0",
+ "title": "Threat Intelligence",
+ "templateRelativePath": "ThreatIntelligence.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "WebApplicationFirewallOverviewWorkbook",
+ "logoFileName": "waf_logo.svg",
+ "description": "Gain insights into your organization's Azure web application firewall (WAF). 
You will get a general overview of your application gateway firewall and application gateway access events.",
+ "dataTypesDependencies": [
+ "AzureDiagnostics"
+ ],
+ "dataConnectorsDependencies": [
+ "WAF"
+ ],
+ "previewImagesFileNames": [
+ "WAFOverviewBlack.png",
+ "WAFOverviewWhite.png"
+ ],
+ "version": "1.1.0",
+ "title": "Microsoft Web Application Firewall (WAF) - overview",
+ "templateRelativePath": "WebApplicationFirewallOverview.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "WebApplicationFirewallFirewallEventsWorkbook",
+ "logoFileName": "waf_logo.svg",
+ "description": "Gain insights into your organization's Azure web application firewall (WAF). You will get visibility in to your application gateway firewall. You can view anomalies and trends across all firewall event triggers, attack events, blocked URL addresses and more.",
+ "dataTypesDependencies": [
+ "AzureDiagnostics"
+ ],
+ "dataConnectorsDependencies": [
+ "WAF"
+ ],
+ "previewImagesFileNames": [
+ "WAFFirewallEventsBlack1.png",
+ "WAFFirewallEventsBlack2.png",
+ "WAFFirewallEventsWhite1.png",
+ "WAFFirewallEventsWhite2.png"
+ ],
+ "version": "1.1.0",
+ "title": "Microsoft Web Application Firewall (WAF) - firewall events",
+ "templateRelativePath": "WebApplicationFirewallFirewallEvents.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "WebApplicationFirewallGatewayAccessEventsWorkbook",
+ "logoFileName": "waf_logo.svg",
+ "description": "Gain insights into your organization's Azure web application firewall (WAF). You will get visibility in to your application gateway access events. 
You can view anomalies and trends across received and sent data, client IP addresses, URL addresses and more, and drill down into details.",
+ "dataTypesDependencies": [
+ "AzureDiagnostics"
+ ],
+ "dataConnectorsDependencies": [
+ "WAF"
+ ],
+ "previewImagesFileNames": [
+ "WAFGatewayAccessEventsBlack1.png",
+ "WAFGatewayAccessEventsBlack2.png",
+ "WAFGatewayAccessEventsWhite1.png",
+ "WAFGatewayAccessEventsWhite2.png"
+ ],
+ "version": "1.2.0",
+ "title": "Microsoft Web Application Firewall (WAF) - gateway access events",
+ "templateRelativePath": "WebApplicationFirewallGatewayAccessEvents.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "LinuxMachinesWorkbook",
+ "logoFileName": "azurevirtualmachine_logo.svg",
+ "description": "Gain insights into your workspaces' Linux machines by connecting Microsoft Sentinel and using the logs to gather insights around Linux events and errors.",
+ "dataTypesDependencies": [
+ "Syslog"
+ ],
+ "dataConnectorsDependencies": [
+ "Syslog"
+ ],
+ "previewImagesFileNames": [
+ "LinuxMachinesWhite.png",
+ "LinuxMachinesBlack.png"
+ ],
+ "version": "1.1.0",
+ "title": "Linux machines",
+ "templateRelativePath": "LinuxMachines.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "AzureFirewallWorkbook",
+ "logoFileName": "AzFirewalls.svg",
+ "description": "Gain insights into Azure Firewall events. 
You can learn about your application and network rules, see metrics for firewall activities across URLs, ports, and addresses across multiple workspaces.",
+ "dataTypesDependencies": [
+ "AzureDiagnostics"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureFirewall"
+ ],
+ "previewImagesFileNames": [
+ "AzureFirewallWorkbookWhite1.PNG",
+ "AzureFirewallWorkbookBlack1.PNG",
+ "AzureFirewallWorkbookWhite2.PNG",
+ "AzureFirewallWorkbookBlack2.PNG",
+ "AzureFirewallWorkbookWhite3.PNG",
+ "AzureFirewallWorkbookBlack3.PNG",
+ "AzureFirewallWorkbookWhite4.PNG",
+ "AzureFirewallWorkbookBlack4.PNG",
+ "AzureFirewallWorkbookWhite5.PNG",
+ "AzureFirewallWorkbookBlack5.PNG"
+ ],
+ "version": "1.3.0",
+ "title": "Azure Firewall",
+ "templateRelativePath": "AzureFirewallWorkbook.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "AzureFirewallWorkbook-StructuredLogs",
+ "logoFileName": "AzFirewalls.svg",
+ "description": "Gain insights into Azure Firewall events using the new Structured Logs for Azure Firewall. 
You can learn about your application and network rules, see metrics for firewall activities across URLs, ports, and addresses across multiple workspaces.",
+ "dataTypesDependencies": [
+ "AZFWNetworkRule",
+ "AZFWApplicationRule",
+ "AZFWDnsQuery",
+ "AZFWThreatIntel"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureFirewall"
+ ],
+ "previewImagesFileNames": [
+ "AzureFirewallWorkbookWhite1.PNG",
+ "AzureFirewallWorkbookBlack1.PNG",
+ "AzureFirewallWorkbookWhite2.PNG",
+ "AzureFirewallWorkbookBlack2.PNG",
+ "AzureFirewallWorkbookWhite3.PNG",
+ "AzureFirewallWorkbookBlack3.PNG",
+ "AzureFirewallWorkbookWhite4.PNG",
+ "AzureFirewallWorkbookBlack4.PNG",
+ "AzureFirewallWorkbookWhite5.PNG",
+ "AzureFirewallWorkbookBlack5.PNG"
+ ],
+ "version": "1.0.0",
+ "title": "Azure Firewall Structured Logs",
+ "templateRelativePath": "AzureFirewallWorkbook-StructuredLogs.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "AzureDDoSStandardProtection",
+ "logoFileName": "AzDDoS.svg",
+ "description": "This workbook visualizes security-relevant Azure DDoS events across several filterable panels. 
Offering a summary tab, metrics and a investigate tabs across multiple workspaces.",
+ "dataTypesDependencies": [
+ "AzureDiagnostics"
+ ],
+ "dataConnectorsDependencies": [
+ "DDOS"
+ ],
+ "previewImagesFileNames": [
+ "AzureDDoSWhite1.PNG",
+ "AzureDDoSBlack1.PNG",
+ "AzureDDoSWhite2.PNG",
+ "AzureDDoSBlack2.PNG",
+ "AzureDDoSWhite2.PNG",
+ "AzureDDoSBlack2.PNG"
+ ],
+ "version": "1.0.2",
+ "title": "Azure DDoS Protection Workbook",
+ "templateRelativePath": "AzDDoSStandardWorkbook.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftCloudAppSecurityWorkbook",
+ "logoFileName": "Microsoft_logo.svg",
+ "description": "Using this workbook, you can identify which cloud apps are being used in your organization, gain insights from usage trends and drill down to a specific user and application.",
+ "dataTypesDependencies": [
+ "McasShadowItReporting"
+ ],
+ "dataConnectorsDependencies": [
+ "MicrosoftCloudAppSecurity"
+ ],
+ "previewImagesFileNames": [
+ "McasDiscoveryBlack.png",
+ "McasDiscoveryWhite.png"
+ ],
+ "version": "1.2.0",
+ "title": "Microsoft Cloud App Security - discovery logs",
+ "templateRelativePath": "MicrosoftCloudAppSecurity.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "F5BIGIPSytemMetricsWorkbook",
+ "logoFileName": "f5_logo.svg",
+ "description": "Gain insight into F5 BIG-IP health and performance. 
This workbook provides visibility of various metrics including CPU, memory, connectivity, throughput and disk utilization.",
+ "dataTypesDependencies": [
+ "F5Telemetry_system_CL",
+ "F5Telemetry_AVR_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "F5BigIp"
+ ],
+ "previewImagesFileNames": [
+ "F5SMBlack.png",
+ "F5SMWhite.png"
+ ],
+ "version": "1.1.0",
+ "title": "F5 BIG-IP System Metrics",
+ "templateRelativePath": "F5BIGIPSystemMetrics.json",
+ "subtitle": "",
+ "provider": "F5 Networks"
+ },
+ {
+ "workbookKey": "F5NetworksWorkbook",
+ "logoFileName": "f5_logo.svg",
+ "description": "Gain insights into F5 BIG-IP Application Security Manager (ASM), by analyzing traffic and activities.\nThis workbook provides insight into F5's web application firewall events and identifies attack traffic patterns across multiple ASM instances as well as overall BIG-IP health.",
+ "dataTypesDependencies": [
+ "F5Telemetry_LTM_CL",
+ "F5Telemetry_system_CL",
+ "F5Telemetry_ASM_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "F5BigIp"
+ ],
+ "previewImagesFileNames": [
+ "F5White.png",
+ "F5Black.png"
+ ],
+ "version": "1.1.0",
+ "title": "F5 BIG-IP ASM",
+ "templateRelativePath": "F5Networks.json",
+ "subtitle": "",
+ "provider": "F5 Networks"
+ },
+ {
+ "workbookKey": "AzureNetworkWatcherWorkbook",
+ "logoFileName": "networkwatcher_logo.svg",
+ "description": "Gain deeper understanding of your organization's Azure network traffic by analyzing, and correlating Network Security Group flow logs. \nYou can trace malicious traffic flows, and drill down into their protocols, source and destination IP addresses, machines, countries, and subnets. 
\nThis workbook also helps you protect your network by identifying weak NSG rules.", + "dataTypesDependencies": [ + "AzureNetworkAnalytics_CL" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "AzureNetworkWatcherWhite.png", + "AzureNetworkWatcherBlack.png" + ], + "version": "1.1.0", + "title": "Azure Network Watcher", + "templateRelativePath": "AzureNetworkWatcher.json", + "subtitle": "", + "provider": "Microsoft", + "support": { + "tier": "Microsoft" + }, + "author": { + "name": "Microsoft Corporation" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Security - Network" + ] + } + }, + { + "workbookKey": "ZscalerFirewallWorkbook", + "logoFileName": "zscaler_logo.svg", + "description": "Gain insights into your ZIA cloud firewall logs by connecting to Microsoft Sentinel.\nThe Zscaler firewall overview workbook provides an overview and ability to drill down into all cloud firewall activity in your Zscaler instance including non-web related networking events, security events, firewall rules, and bandwidth consumption", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "Zscaler", + "CefAma" + ], + "previewImagesFileNames": [ + "ZscalerFirewallWhite1.png", + "ZscalerFirewallBlack1.png", + "ZscalerFirewallWhite2.png", + "ZscalerFirewallBlack2.png" + ], + "version": "1.1.0", + "title": "Zscaler Firewall", + "templateRelativePath": "ZscalerFirewall.json", + "subtitle": "", + "provider": "Zscaler" + }, + { + "workbookKey": "ZscalerWebOverviewWorkbook", + "logoFileName": "zscaler_logo.svg", + "description": "Gain insights into your ZIA web logs by connecting to Microsoft Sentinel.\nThe Zscaler web overview workbook provides a bird's eye view and ability to drill down into all the security and networking events related to web transactions, types of devices, and bandwidth consumption.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + 
"Zscaler", + "CefAma" + ], + "previewImagesFileNames": [ + "ZscalerWebOverviewWhite.png", + "ZscalerWebOverviewBlack.png" + ], + "version": "1.1.0", + "title": "Zscaler Web Overview", + "templateRelativePath": "ZscalerWebOverview.json", + "subtitle": "", + "provider": "Zscaler" + }, + { + "workbookKey": "ZscalerThreatsOverviewWorkbook", + "logoFileName": "zscaler_logo.svg", + "description": "Gain insights into threats blocked by Zscaler Internet access on your network.\nThe Zscaler threat overview workbook shows your entire threat landscape including blocked malware, IPS/AV rules, and blocked cloud apps. Threats are displayed by threat categories, filetypes, inbound vs outbound threats, usernames, user location, and more.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "Zscaler", + "CefAma" + ], + "previewImagesFileNames": [ + "ZscalerThreatsWhite.png", + "ZscalerThreatsBlack.png" + ], + "version": "1.2.0", + "title": "Zscaler Threats", + "templateRelativePath": "ZscalerThreats.json", + "subtitle": "", + "provider": "Zscaler" + }, + { + "workbookKey": "ZscalerOffice365AppsWorkbook", + "logoFileName": "zscaler_logo.svg", + "description": "Gain insights into Office 365 use on your network.\nThe Zscaler Office 365 overview workbook shows you the Microsoft apps running on your network and their individual bandwidth consumption. 
It also helps identify phishing attempts in which attackers disguised themselves as Microsoft services.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "Zscaler", + "CefAma" + ], + "previewImagesFileNames": [ + "ZscalerOffice365White.png", + "ZscalerOffice365Black.png" + ], + "version": "1.1.0", + "title": "Zscaler Office365 Apps", + "templateRelativePath": "ZscalerOffice365Apps.json", + "subtitle": "", + "provider": "Zscaler" + }, + { + "workbookKey": "InsecureProtocolsWorkbook", + "logoFileName": "Microsoft_logo.svg", + "description": "Gain insights into insecure protocol traffic by collecting and analyzing security events from Microsoft products.\nYou can view analytics and quickly identify use of weak authentication as well as sources of legacy protocol traffic, like NTLM and SMBv1.\nYou will also have the ability to monitor use of weak ciphers, allowing you to find weak spots in your organization's security.", + "dataTypesDependencies": [ + "SecurityEvent", + "Event", + "SigninLogs" + ], + "dataConnectorsDependencies": [ + "SecurityEvents", + "AzureActiveDirectory", + "WindowsSecurityEvents" + ], + "previewImagesFileNames": [ + "InsecureProtocolsWhite1.png", + "InsecureProtocolsBlack1.png", + "InsecureProtocolsWhite2.png", + "InsecureProtocolsBlack2.png" + ], + "version": "2.1.0", + "title": "Insecure Protocols", + "templateRelativePath": "InsecureProtocols.json", + "subtitle": "", + "provider": "Microsoft", + "support": { + "tier": "Microsoft" + }, + "author": { + "name": "Microsoft Corporation" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Security - Others" + ] + } + }, + { + "workbookKey": "usecasemapper", + "logoFileName": "ucasemapper.svg", + "description": "A simple tool to map Use Cases to Content Hub relevant Microsoft Sentinel solutions", + "previewImagesFileNames": [ + "useCaseMapperWhite1.png", + "useCaseMapperWhite2.png", + "useCaseMapperWhite3.png", + 
"useCaseMapperBlack1.png", + "useCaseMapperBlack2.png", + "useCaseMapperBlack3.png" + ], + "version": "1.0.0", + "title": "Use Case Mapper", + "templateRelativePath": "usecasemapper.json", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "subtitle": "", + "provider": "Microsoft Sentinel community", + "support": { + "tier": "Community" + }, + "author": { + "name": "Microsoft Sentinel Community" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Security - Cloud Security" + ] + } + }, + { + "workbookKey": "AzureInformationProtectionWorkbook", + "logoFileName": "informationProtection.svg", + "description": "The Azure Information Protection Usage report workbook provides information on the volume of labeled and protected documents and emails over time, label distribution of files by label type, along with where the label was applied.", + "dataTypesDependencies": [ + "SecurityEvent", + "Event", + "SigninLogs" + ], + "dataConnectorsDependencies": [ + "SecurityEvents", + "AzureActiveDirectory", + "WindowsSecurityEvents" + ], + "previewImagesFileNames": [ + "InsecureProtocolsWhite1.png", + "InsecureProtocolsBlack1.png", + "InsecureProtocolsWhite2.png", + "InsecureProtocolsBlack2.png" + ], + "version": "2.1.0", + "title": "Insecure Protocols", + "templateRelativePath": "InsecureProtocols.json", + "subtitle": "", + "provider": "Microsoft", + "support": { + "tier": "Microsoft" + }, + "author": { + "name": "Amit Bergman" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Security - Others" + ] + } + }, + { + "workbookKey": "AmazonWebServicesNetworkActivitiesWorkbook", + "logoFileName": "amazon_web_services_Logo.svg", + "description": "Gain insights into AWS network related resource activities, including the creation, update, and deletions of security groups, network ACLs and routes, gateways, elastic load balancers, VPCs, subnets, and network interfaces.", + "dataTypesDependencies": [ + 
"AWSCloudTrail" + ], + "dataConnectorsDependencies": [ + "AWS" + ], + "previewImagesFileNames": [ + "AwsNetworkActivitiesWhite.png", + "AwsNetworkActivitiesBlack.png" + ], + "version": "1.0.0", + "title": "AWS Network Activities", + "templateRelativePath": "AmazonWebServicesNetworkActivities.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "AmazonWebServicesUserActivitiesWorkbook", + "logoFileName": "amazon_web_services_Logo.svg", + "description": "Gain insights into AWS user activities, including failed sign-in attempts, IP addresses, regions, user agents, and identity types, as well as potential malicious user activities with assumed roles.", + "dataTypesDependencies": [ + "AWSCloudTrail" + ], + "dataConnectorsDependencies": [ + "AWS" + ], + "previewImagesFileNames": [ + "AwsUserActivitiesWhite.png", + "AwsUserActivitiesBlack.png" + ], + "version": "1.0.0", + "title": "AWS User Activities", + "templateRelativePath": "AmazonWebServicesUserActivities.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "TrendMicroDeepSecurityAttackActivityWorkbook", + "logoFileName": "trendmicro_logo.svg", + "description": "Visualize and gain insights into the MITRE ATT&CK related activity detected by Trend Micro Deep Security.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "TrendMicro", + "CefAma" + ], + "previewImagesFileNames": [ + "TrendMicroDeepSecurityAttackActivityWhite.png", + "TrendMicroDeepSecurityAttackActivityBlack.png" + ], + "version": "1.0.0", + "title": "Trend Micro Deep Security ATT&CK Related Activity", + "templateRelativePath": "TrendMicroDeepSecurityAttackActivity.json", + "subtitle": "", + "provider": "Trend Micro" + }, + { + "workbookKey": "TrendMicroDeepSecurityOverviewWorkbook", + "logoFileName": "trendmicro_logo.svg", + "description": "Gain insights into your Trend Micro Deep Security security event data by visualizing your Deep Security Anti-Malware, 
Firewall, Integrity Monitoring, Intrusion Prevention, Log Inspection, and Web Reputation event data.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "TrendMicro", + "CefAma" + ], + "previewImagesFileNames": [ + "TrendMicroDeepSecurityOverviewWhite1.png", + "TrendMicroDeepSecurityOverviewBlack1.png", + "TrendMicroDeepSecurityOverviewWhite2.png", + "TrendMicroDeepSecurityOverviewBlack2.png" + ], + "version": "1.0.0", + "title": "Trend Micro Deep Security Events", + "templateRelativePath": "TrendMicroDeepSecurityOverview.json", + "subtitle": "", + "provider": "Trend Micro" + }, + { + "workbookKey": "ExtraHopDetectionSummaryWorkbook", + "logoFileName": "extrahop_logo.svg", + "description": "Gain insights into ExtraHop Reveal(x) detections by analyzing traffic and activities.\nThis workbook provides an overview of security detections in your organization's network, including high-risk detections and top participants.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "ExtraHopNetworks", + "ExtraHopNetworksAma", + "CefAma" + ], + "previewImagesFileNames": [ + "ExtrahopWhite.png", + "ExtrahopBlack.png" + ], + "version": "1.0.0", + "title": "ExtraHop", + "templateRelativePath": "ExtraHopDetectionSummary.json", + "subtitle": "", + "provider": "ExtraHop Networks" + }, + { + "workbookKey": "BarracudaCloudFirewallWorkbook", + "logoFileName": "barracuda_logo.svg", + "description": "Gain insights into your Barracuda CloudGen Firewall by analyzing firewall operations and events.\nThis workbook provides insights into rule enforcement, network activities, including number of connections, top users, and helps you identify applications that are popular on your network.", + "dataTypesDependencies": [ + "CommonSecurityLog", + "Syslog" + ], + "dataConnectorsDependencies": [ + "BarracudaCloudFirewall", + "SyslogAma" + ], + "previewImagesFileNames": [ + "BarracudaWhite1.png", + "BarracudaBlack1.png", 
+ "BarracudaWhite2.png", + "BarracudaBlack2.png" + ], + "version": "1.0.0", + "title": "Barracuda CloudGen FW", + "templateRelativePath": "Barracuda.json", + "subtitle": "", + "provider": "Barracuda" + }, + { + "workbookKey": "CitrixWorkbook", + "logoFileName": "citrix_logo.svg", + "description": "Citrix Analytics for Security aggregates and correlates information across network traffic, users, files and endpoints in Citrix environments. This generates actionable insights that enable Citrix administrators and security teams to remediate user security threats through automation while optimizing IT operations. Machine learning and artificial intelligence empowers Citrix Analytics for Security to identify and take automated action to prevent data exfiltration. While delivered as a cloud service, Citrix Analytics for Security can generate insights from resources located on-premises, in the cloud, or in hybrid architectures. The Citrix Analytics Workbook further enhances the value of both your Citrix Analytics for Security and Microsoft Sentinel. The Workbook enables you to integrate data sources together, helping you gain even richer insights. It also gives Security Operations (SOC) teams the ability to correlate data from disparate logs, helping you identify and proactively remediate security risk quickly. Additionally, valuable dashboards that were unique to the Citrix Analytics for Security can now be implemented in Sentinel. 
You can also create new custom Workbooks that were not previously available, helping extend the value of both investments.", + "dataTypesDependencies": [ + "CitrixAnalytics_userProfile_CL", + "CitrixAnalytics_riskScoreChange_CL", + "CitrixAnalytics_indicatorSummary_CL", + "CitrixAnalytics_indicatorEventDetails_CL" + ], + "dataConnectorsDependencies": [ + "Citrix" + ], + "previewImagesFileNames": [ + "CitrixWhite.png", + "CitrixBlack.png" + ], + "version": "2.1.0", + "title": "Citrix Analytics", + "templateRelativePath": "Citrix.json", + "subtitle": "", + "provider": "Citrix Systems Inc." + }, + { + "workbookKey": "OneIdentityWorkbook", + "logoFileName": "oneIdentity_logo.svg", + "description": "This simple workbook gives an overview of sessions going through your SafeGuard for Privileged Sessions device.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "OneIdentity" + ], + "previewImagesFileNames": [ + "OneIdentityWhite.png", + "OneIdentityBlack.png" + ], + "version": "1.0.0", + "title": "One Identity", + "templateRelativePath": "OneIdentity.json", + "subtitle": "", + "provider": "One Identity LLC.", + "support": { + "tier": "Community" + }, + "author": { + "name": "Amit Bergman" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Identity" + ] + } + }, + { + "workbookKey": "SecurityStatusWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "This workbook gives an overview of Security Settings for VMs and Azure Arc.", + "dataTypesDependencies": [ + "CommonSecurityLog", + "SecurityEvent", + "Syslog" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "AzureSentinelSecurityStatusBlack.png", + "AzureSentinelSecurityStatusWhite.png" + ], + "version": "1.3.0", + "title": "Security Status", + "templateRelativePath": "SecurityStatus.json", + "subtitle": "", + "provider": "Microsoft", + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft" + 
}, + "categories": { + "verticals": [], + "domains": [ + "IT Operations", + "Security - Others", + "Compliance" + ] + } + }, + { + "workbookKey": "AzureSentinelSecurityAlertsWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Security Alerts dashboard for alerts in your Microsoft Sentinel environment.", + "dataTypesDependencies": [ + "SecurityAlert" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "AzureSentinelSecurityAlertsWhite.png", + "AzureSentinelSecurityAlertsBlack.png" + ], + "version": "1.1.0", + "title": "Security Alerts", + "templateRelativePath": "AzureSentinelSecurityAlerts.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "SquadraTechnologiesSecRMMWorkbook", + "logoFileName": "SquadraTechnologiesLogo.svg", + "description": "This workbook gives an overview of security data for removable storage activity such as USB thumb drives and USB connected mobile devices.", + "dataTypesDependencies": [ + "secRMM_CL" + ], + "dataConnectorsDependencies": [ + "SquadraTechnologiesSecRmm" + ], + "previewImagesFileNames": [ + "SquadraTechnologiesSecRMMWhite.PNG", + "SquadraTechnologiesSecRMMBlack.PNG" + ], + "version": "1.0.0", + "title": "Squadra Technologies SecRMM - USB removable storage security", + "templateRelativePath": "SquadraTechnologiesSecRMM.json", + "subtitle": "", + "provider": "Squadra Technologies" + }, + { + "workbookKey": "IoT-Alerts", + "logoFileName": "IoTIcon.svg", + "description": "Gain insights into your IoT data workloads from Azure IoT Hub managed deployments, monitor alerts across all your IoT Hub deployments, detect devices at risk and act upon potential threats.", + "dataTypesDependencies": [ + "SecurityAlert" + ], + "dataConnectorsDependencies": [ + "IoT" + ], + "previewImagesFileNames": [ + "IOTBlack1.png", + "IOTWhite1.png" + ], + "version": "1.2.0", + "title": "Azure Defender for IoT Alerts", + "templateRelativePath": "IOT_Alerts.json", + "subtitle": "", + "provider": 
"Microsoft", + "support": { + "tier": "Community" + }, + "author": { + "name": "morshabi" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Internet of Things (IoT)" + ] + } + }, + { + "workbookKey": "IoTAssetDiscovery", + "logoFileName": "IoTIcon.svg", + "description": "IoT Devices asset discovery from Firewall logs By Azure Defender for IoT", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "Fortinet" + ], + "previewImagesFileNames": [ + "workbook-iotassetdiscovery-screenshot-Black.PNG", + "workbook-iotassetdiscovery-screenshot-White.PNG" + ], + "version": "1.0.0", + "title": "IoT Asset Discovery", + "templateRelativePath": "IoTAssetDiscovery.json", + "subtitle": "", + "provider": "Microsoft", + "support": { + "tier": "Community" + }, + "author": { + "name": "jomeczyk" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Internet of Things (IoT)" + ] + } + }, + { + "workbookKey": "ForcepointCASBWorkbook", + "logoFileName": "FP_Green_Emblem_RGB-01.svg", + "description": "Get insights on user risk with the Forcepoint CASB (Cloud Access Security Broker) workbook.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "ForcepointCasb", + "ForcepointCasbAma", + "CefAma" + ], + "previewImagesFileNames": [ + "ForcepointCASBWhite.png", + "ForcepointCASBBlack.png" + ], + "version": "1.0.0", + "title": "Forcepoint Cloud Access Security Broker (CASB)", + "templateRelativePath": "ForcepointCASB.json", + "subtitle": "", + "provider": "Forcepoint" + }, + { + "workbookKey": "ForcepointNGFWWorkbook", + "logoFileName": "FP_Green_Emblem_RGB-01.svg", + "description": "Get insights on firewall activities with the Forcepoint NGFW (Next Generation Firewall) workbook.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "ForcepointNgfw", + "ForcepointNgfwAma", + "CefAma" + ], + "previewImagesFileNames": [ 
+ "ForcepointNGFWWhite.png", + "ForcepointNGFWBlack.png" + ], + "version": "1.0.0", + "title": "Forcepoint Next Generation Firewall (NGFW)", + "templateRelativePath": "ForcepointNGFW.json", + "subtitle": "", + "provider": "Forcepoint" + }, + { + "workbookKey": "ForcepointDLPWorkbook", + "logoFileName": "FP_Green_Emblem_RGB-01.svg", + "description": "Get insights on DLP incidents with the Forcepoint DLP (Data Loss Prevention) workbook.", + "dataTypesDependencies": [ + "ForcepointDLPEvents_CL" + ], + "dataConnectorsDependencies": [ + "ForcepointDlp" + ], + "previewImagesFileNames": [ + "ForcepointDLPWhite.png", + "ForcepointDLPBlack.png" + ], + "version": "1.0.0", + "title": "Forcepoint Data Loss Prevention (DLP)", + "templateRelativePath": "ForcepointDLP.json", + "subtitle": "", + "provider": "Forcepoint" + }, + { + "workbookKey": "ZimperiumMTDWorkbook", + "logoFileName": "ZIMPERIUM-logo_square2.svg", + "description": "This workbook provides insights on Zimperium Mobile Threat Defense (MTD) threats and mitigations.", + "dataTypesDependencies": [ + "ZimperiumThreatLog_CL", + "ZimperiumMitigationLog_CL" + ], + "dataConnectorsDependencies": [ + "ZimperiumMtdAlerts" + ], + "previewImagesFileNames": [ + "ZimperiumWhite.png", + "ZimperiumBlack.png" + ], + "version": "1.0.0", + "title": "Zimperium Mobile Threat Defense (MTD)", + "templateRelativePath": "ZimperiumWorkbooks.json", + "subtitle": "", + "provider": "Zimperium" + }, + { + "workbookKey": "AzureAuditActivityAndSigninWorkbook", + "logoFileName": "azureactivedirectory_logo.svg", + "description": "Gain insights into Microsoft Entra ID Audit, Activity and Signins with one workbook. 
This workbook can be used by Security and Azure administrators.", + "dataTypesDependencies": [ + "AzureActivity", + "AuditLogs", + "SigninLogs" + ], + "dataConnectorsDependencies": [ + "AzureActiveDirectory" + ], + "previewImagesFileNames": [ + "AzureAuditActivityAndSigninWhite1.png", + "AzureAuditActivityAndSigninWhite2.png", + "AzureAuditActivityAndSigninBlack1.png", + "AzureAuditActivityAndSigninBlack2.png" + ], + "version": "1.3.0", + "title": "Azure AD Audit, Activity and Sign-in logs", + "templateRelativePath": "AzureAuditActivityAndSignin.json", + "subtitle": "", + "provider": "Microsoft Sentinel community", + "support": { + "tier": "Community" + }, + "author": { + "name": "Sem Tijsseling" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Identity" + ] + } + }, + { + "workbookKey": "WindowsFirewall", + "logoFileName": "Microsoft_logo.svg", + "description": "Gain insights into Windows Firewall logs in combination with security and Azure signin logs", + "dataTypesDependencies": [ + "WindowsFirewall", + "SecurityEvent", + "SigninLogs" + ], + "dataConnectorsDependencies": [ + "SecurityEvents", + "WindowsFirewall", + "WindowsSecurityEvents" + ], + "previewImagesFileNames": [ + "WindowsFirewallWhite1.png", + "WindowsFirewallWhite2.png", + "WindowsFirewallBlack1.png", + "WindowsFirewallBlack2.png" + ], + "version": "1.0.0", + "title": "Windows Firewall", + "templateRelativePath": "WindowsFirewall.json", + "subtitle": "", + "provider": "Microsoft Sentinel community" + }, + { + "workbookKey": "EventAnalyzerwWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "The Event Analyzer workbook allows to explore, audit and speed up analysis of Windows Event Logs, including all event details and attributes, such as security, application, system, setup, directory service, DNS and others.", + "dataTypesDependencies": [ + "SecurityEvent" + ], + "dataConnectorsDependencies": [ + "SecurityEvents", + "WindowsSecurityEvents" + ], + 
"previewImagesFileNames": [ + "EventAnalyzer-Workbook-White.png", + "EventAnalyzer-Workbook-Black.png" + ], + "version": "1.0.0", + "title": "Event Analyzer", + "templateRelativePath": "EventAnalyzer.json", + "subtitle": "", + "provider": "Microsoft Sentinel community" + }, + { + "workbookKey": "ASC-ComplianceandProtection", + "logoFileName": "Azure_Sentinel.svg", + "description": "Gain insight into regulatory compliance, alert trends, security posture, and more with this workbook based on Azure Security Center data.", + "dataTypesDependencies": [ + "SecurityAlert", + "ProtectionStatus", + "SecurityRecommendation", + "SecurityBaseline", + "SecurityBaselineSummary", + "Update", + "ConfigurationChange" + ], + "dataConnectorsDependencies": [ + "AzureSecurityCenter" + ], + "previewImagesFileNames": [ + "ASCCaPBlack.png", + "ASCCaPWhite.png" + ], + "version": "1.2.0", + "title": "ASC Compliance and Protection", + "templateRelativePath": "ASC-ComplianceandProtection.json", + "subtitle": "", + "provider": "Microsoft Sentinel community", + "support": { + "tier": "Community" + }, + "author": { + "name": "Matt Lowe" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Security - Cloud Security" + ] + } + }, + { + "workbookKey": "AIVectraDetectWorkbook", + "logoFileName": "AIVectraDetect.svg", + "description": "Start investigating network attacks surfaced by Vectra Detect directly from Sentinel. View critical hosts, accounts, campaigns and detections. 
Also monitor Vectra system health and audit logs.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "AIVectraDetect", + "CefAma" + ], + "previewImagesFileNames": [ + "AIVectraDetectWhite1.png", + "AIVectraDetectBlack1.png" + ], + "version": "1.1.1", + "title": "Vectra AI Detect", + "templateRelativePath": "AIVectraDetectWorkbook.json", + "subtitle": "", + "provider": "Vectra AI" + }, + { + "workbookKey": "Perimeter81OverviewWorkbook", + "logoFileName": "Perimeter81_Logo.svg", + "description": "Gain insights and comprehensive monitoring into your Perimeter 81 account by analyzing activities.", + "dataTypesDependencies": [ + "Perimeter81_CL" + ], + "dataConnectorsDependencies": [ + "Perimeter81ActivityLogs" + ], + "previewImagesFileNames": [ + "Perimeter81OverviewWhite1.png", + "Perimeter81OverviewBlack1.png", + "Perimeter81OverviewWhite2.png", + "Perimeter81OverviewBlack2.png" + ], + "version": "1.0.0", + "title": "Perimeter 81 Overview", + "templateRelativePath": "Perimeter81OverviewWorkbook.json", + "subtitle": "", + "provider": "Perimeter 81" + }, + { + "workbookKey": "SymantecProxySGWorkbook", + "logoFileName": "symantec_logo.svg", + "description": "Gain insight into Symantec ProxySG by analyzing, collecting and correlating proxy data.\nThis workbook provides visibility into ProxySG Access logs", + "dataTypesDependencies": [ + "Syslog" + ], + "dataConnectorsDependencies": [ + "SymantecProxySG", + "SyslogAma" + ], + "previewImagesFileNames": [ + "SymantecProxySGWhite.png", + "SymantecProxySGBlack.png" + ], + "version": "1.0.0", + "title": "Symantec ProxySG", + "templateRelativePath": "SymantecProxySG.json", + "subtitle": "", + "provider": "Symantec" + }, + { + "workbookKey": "IllusiveASMWorkbook", + "logoFileName": "illusive_logo_workbook.svg", + "description": "Gain insights into your organization's Cyber Hygiene and Attack Surface risk.\nIllusive ASM automates discovery and clean-up of credential violations, allows 
drill-down inspection of pathways to critical assets, and provides risk insights that inform intelligent decision-making to reduce attacker mobility.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "illusiveAttackManagementSystem", + "illusiveAttackManagementSystemAma", + "CefAma" + ], + "previewImagesFileNames": [ + "IllusiveASMWhite.png", + "IllusiveASMBlack.png" + ], + "version": "1.0.0", + "title": "Illusive ASM Dashboard", + "templateRelativePath": "IllusiveASM.json", + "subtitle": "", + "provider": "Illusive" + }, + { + "workbookKey": "IllusiveADSWorkbook", + "logoFileName": "illusive_logo_workbook.svg", + "description": "Gain insights into unauthorized lateral movement in your organization's network.\nIllusive ADS is designed to paralyzes attackers and eradicates in-network threats by creating a hostile environment for the attackers across all the layers of the attack surface.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "illusiveAttackManagementSystem", + "illusiveAttackManagementSystemAma", + "CefAma" + ], + "previewImagesFileNames": [ + "IllusiveADSWhite.png", + "IllusiveADSBlack.png" + ], + "version": "1.0.0", + "title": "Illusive ADS Dashboard", + "templateRelativePath": "IllusiveADS.json", + "subtitle": "", + "provider": "Illusive" + }, + { + "workbookKey": "PulseConnectSecureWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Gain insight into Pulse Secure VPN by analyzing, collecting and correlating vulnerability data.\nThis workbook provides visibility into user VPN activities", + "dataTypesDependencies": [ + "Syslog" + ], + "dataConnectorsDependencies": [ + "PulseConnectSecure", + "SyslogAma" + ], + "previewImagesFileNames": [ + "PulseConnectSecureWhite.png", + "PulseConnectSecureBlack.png" + ], + "version": "1.0.0", + "title": "Pulse Connect Secure", + "templateRelativePath": "PulseConnectSecure.json", + "subtitle": "", + "provider": 
"Pulse Secure" + }, + { + "workbookKey": "InfobloxNIOSWorkbook", + "logoFileName": "infoblox_logo.svg", + "description": "Gain insight into Infoblox NIOS by analyzing, collecting and correlating DHCP and DNS data.\nThis workbook provides visibility into DHCP and DNS traffic", + "dataTypesDependencies": [ + "Syslog" + ], + "dataConnectorsDependencies": [ + "InfobloxNIOS", + "SyslogAma" + ], + "previewImagesFileNames": [ + "InfobloxNIOSWhite.png", + "InfobloxNIOSBlack.png" + ], + "version": "1.1.0", + "title": "Infoblox NIOS", + "templateRelativePath": "Infoblox-Workbook-V2.json", + "subtitle": "", + "provider": "Infoblox" + }, + { + "workbookKey": "SymantecVIPWorkbook", + "logoFileName": "symantec_logo.svg", + "description": "Gain insight into Symantec VIP by analyzing, collecting and correlating strong authentication data.\nThis workbook provides visibility into user authentications", + "dataTypesDependencies": [ + "Syslog" + ], + "dataConnectorsDependencies": [ + "SymantecVIP", + "SyslogAma" + ], + "previewImagesFileNames": [ + "SymantecVIPWhite.png", + "SymantecVIPBlack.png" + ], + "version": "1.0.0", + "title": "Symantec VIP", + "templateRelativePath": "SymantecVIP.json", + "subtitle": "", + "provider": "Symantec" + }, + { + "workbookKey": "ProofPointTAPWorkbook", + "logoFileName": "proofpointlogo.svg", + "description": "Gain extensive insight into Proofpoint Targeted Attack Protection (TAP) by analyzing, collecting and correlating TAP log events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked", + "dataTypesDependencies": [ + "ProofPointTAPMessagesBlocked_CL", + "ProofPointTAPMessagesDelivered_CL", + "ProofPointTAPClicksPermitted_CL", + "ProofPointTAPClicksBlocked_CL" + ], + "dataConnectorsDependencies": [ + "ProofpointTAP" + ], + "previewImagesFileNames": [ + "ProofpointTAPWhite.png", + "ProofpointTAPBlack.png" + ], + "version": "1.0.0", + "title": "Proofpoint TAP", + "templateRelativePath": 
"ProofpointTAP.json",
+ "subtitle": "",
+ "provider": "Proofpoint"
+ },
+ {
+ "workbookKey": "QualysVMWorkbook",
+ "logoFileName": "qualys_logo.svg",
+ "description": "Gain insight into Qualys Vulnerability Management by analyzing, collecting and correlating vulnerability data.\nThis workbook provides visibility into vulnerabilities detected from vulnerability scans",
+ "dataTypesDependencies": [
+ "QualysHostDetection_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "QualysVulnerabilityManagement"
+ ],
+ "previewImagesFileNames": [
+ "QualysVMWhite.png",
+ "QualysVMBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Qualys Vulnerability Management",
+ "templateRelativePath": "QualysVM.json",
+ "subtitle": "",
+ "provider": "Qualys"
+ },
+ {
+ "workbookKey": "QualysVMV2Workbook",
+ "logoFileName": "qualys_logo.svg",
+ "description": "Gain insight into Qualys Vulnerability Management by analyzing, collecting and correlating vulnerability data.\nThis workbook provides visibility into vulnerabilities detected from vulnerability scans",
+ "dataTypesDependencies": [
+ "QualysHostDetectionV2_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "QualysVulnerabilityManagement"
+ ],
+ "previewImagesFileNames": [
+ "QualysVMWhite.png",
+ "QualysVMBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Qualys Vulnerability Management",
+ "templateRelativePath": "QualysVMv2.json",
+ "subtitle": "",
+ "provider": "Qualys"
+ },
+ {
+ "workbookKey": "GitHubSecurity",
+ "logoFileName": "GitHub.svg",
+ "description": "Gain insights to GitHub activities that may be interesting for security.",
+ "dataTypesDependencies": [
+ "Github_CL",
+ "GitHubRepoLogs_CL"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "GitHubSecurityWhite.png",
+ "GitHubSecurityBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "GitHub Security",
+ "templateRelativePath": "GitHubSecurityWorkbook.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "VisualizationDemo",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Learn and explore the many ways of displaying information within Microsoft Sentinel workbooks",
+ "dataTypesDependencies": [
+ "SecurityAlert"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "VisualizationDemoBlack.png",
+ "VisualizationDemoWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Visualizations Demo",
+ "templateRelativePath": "VisualizationDemo.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community",
+ "support": {
+ "tier": "Community"
+ },
+ "author": {
+ "name": "Matt Lowe"
+ },
+ "source": {
+ "kind": "Community"
+ },
+ "categories": {
+ "domains": [
+ "Platform"
+ ]
+ }
+ },
+ {
+ "workbookKey": "SophosXGFirewallWorkbook",
+ "logoFileName": "sophos_logo.svg",
+ "description": "Gain insight into Sophos XG Firewall by analyzing, collecting and correlating firewall data.\nThis workbook provides visibility into network traffic",
+ "dataTypesDependencies": [
+ "Syslog"
+ ],
+ "dataConnectorsDependencies": [
+ "SophosXGFirewall",
+ "SyslogAma"
+ ],
+ "previewImagesFileNames": [
+ "SophosXGFirewallWhite.png",
+ "SophosXGFirewallBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Sophos XG Firewall",
+ "templateRelativePath": "SophosXGFirewall.json",
+ "subtitle": "",
+ "provider": "Sophos"
+ },
+ {
+ "workbookKey": "SysmonThreatHuntingWorkbook",
+ "logoFileName": "sysmonthreathunting_logo.svg",
+ "description": "Simplify your threat hunts using Sysmon data mapped to MITRE ATT&CK data. This workbook gives you the ability to drilldown into system activity based on known ATT&CK techniques as well as other threat hunting entry points such as user activity, network connections or virtual machine Sysmon events.\nPlease note that for this workbook to work you must have deployed Sysmon on your virtual machines in line with the instructions at https://github.com/BlueTeamLabs/sentinel-attack/wiki/Onboarding-sysmon-data-to-Azure-Sentinel",
+ "dataTypesDependencies": [
+ "Event"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SysmonThreatHuntingWhite1.png",
+ "SysmonThreatHuntingBlack1.png"
+ ],
+ "version": "1.4.0",
+ "title": "Sysmon Threat Hunting",
+ "templateRelativePath": "SysmonThreatHunting.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community",
+ "support": {
+ "tier": "Community"
+ },
+ "author": {
+ "name": "Edoardo Gerosa"
+ },
+ "source": {
+ "kind": "Community"
+ },
+ "categories": {
+ "domains": [
+ "Security - Threat Protection",
+ "Application"
+ ]
+ }
+ },
+ {
+ "workbookKey": "WebApplicationFirewallWAFTypeEventsWorkbook",
+ "logoFileName": "webapplicationfirewall(WAF)_logo.svg",
+ "description": "Gain insights into your organization's Azure web application firewall (WAF) across various services such as Azure Front Door Service and Application Gateway. You can view event triggers, full messages, attacks over time, among other data. Several aspects of the workbook are interactable to allow users to further understand their data",
+ "dataTypesDependencies": [
+ "AzureDiagnostics"
+ ],
+ "dataConnectorsDependencies": [
+ "WAF"
+ ],
+ "previewImagesFileNames": [
+ "WAFFirewallWAFTypeEventsBlack1.PNG",
+ "WAFFirewallWAFTypeEventsBlack2.PNG",
+ "WAFFirewallWAFTypeEventsBlack3.PNG",
+ "WAFFirewallWAFTypeEventsBlack4.PNG",
+ "WAFFirewallWAFTypeEventsWhite1.png",
+ "WAFFirewallWAFTypeEventsWhite2.PNG",
+ "WAFFirewallWAFTypeEventsWhite3.PNG",
+ "WAFFirewallWAFTypeEventsWhite4.PNG"
+ ],
+ "version": "1.1.0",
+ "title": "Microsoft Web Application Firewall (WAF) - Azure WAF",
+ "templateRelativePath": "WebApplicationFirewallWAFTypeEvents.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "OrcaAlertsOverviewWorkbook",
+ "logoFileName": "Orca_logo.svg",
+ "description": "A visualized overview of Orca security alerts.\nExplore, analize and learn about your security posture using Orca alerts Overview",
+ "dataTypesDependencies": [
+ "OrcaAlerts_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "OrcaSecurityAlerts"
+ ],
+ "previewImagesFileNames": [
+ "OrcaAlertsWhite.png",
+ "OrcaAlertsBlack.png"
+ ],
+ "version": "1.1.0",
+ "title": "Orca alerts overview",
+ "templateRelativePath": "OrcaAlerts.json",
+ "subtitle": "",
+ "provider": "Orca Security"
+ },
+ {
+ "workbookKey": "CyberArkWorkbook",
+ "logoFileName": "CyberArk_Logo.svg",
+ "description": "The CyberArk Syslog connector allows you to easily connect all your CyberArk security solution logs with your Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. Integration between CyberArk and Microsoft Sentinel makes use of the CEF Data Connector to properly parse and display CyberArk Syslog messages.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "CyberArk",
+ "CyberArkAma",
+ "CefAma"
+ ],
+ "previewImagesFileNames": [
+ "CyberArkActivitiesWhite.PNG",
+ "CyberArkActivitiesBlack.PNG"
+ ],
+ "version": "1.1.0",
+ "title": "CyberArk EPV Events",
+ "templateRelativePath": "CyberArkEPV.json",
+ "subtitle": "",
+ "provider": "CyberArk"
+ },
+ {
+ "workbookKey": "UserEntityBehaviorAnalyticsWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Identify compromised users and insider threats using User and Entity Behavior Analytics. Gain insights into anomalous user behavior from baselines learned from behavior patterns",
+ "dataTypesDependencies": [
+ "Anomalies"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "UserEntityBehaviorAnalyticsBlack2.png",
+ "UserEntityBehaviorAnalyticsWhite2.png"
+ ],
+ "version": "2.0",
+ "title": "User And Entity Behavior Analytics",
+ "templateRelativePath": "UserEntityBehaviorAnalytics.json",
+ "subtitle": "",
+ "provider": "Microsoft",
+ "support": {
+ "tier": "Microsoft"
+ },
+ "author": {
+ "name": "Microsoft Corporation"
+ },
+ "source": {
+ "kind": "Community"
+ },
+ "categories": {
+ "domains": [
+ "User Behavior (UEBA)"
+ ]
+ }
+ },
+ {
+ "workbookKey": "CitrixWAF",
+ "logoFileName": "citrix_logo.svg",
+ "description": "Gain insight into the Citrix WAF logs",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "CitrixWAF",
+ "CitrixWAFAma",
+ "CefAma"
+ ],
+ "previewImagesFileNames": [
+ "CitrixWAFBlack.png",
+ "CitrixWAFWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Citrix WAF (Web App Firewall)",
+ "templateRelativePath": "CitrixWAF.json",
+ "subtitle": "",
+ "provider": "Citrix Systems Inc."
+ },
+ {
+ "workbookKey": "UnifiSGWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Gain insights into Unifi Security Gateways analyzing traffic and activities.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "UnifiSGBlack.png",
+ "UnifiSGWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Unifi Security Gateway",
+ "templateRelativePath": "UnifiSG.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community",
+ "support": {
+ "tier": "Community"
+ },
+ "author": {
+ "name": "SecurityJedi"
+ },
+ "source": {
+ "kind": "Community"
+ },
+ "categories": {
+ "domains": [
+ "Security - Network"
+ ]
+ }
+ },
+ {
+ "workbookKey": "UnifiSGNetflowWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Gain insights into Unifi Security Gateways analyzing traffic and activities using Netflow.",
+ "dataTypesDependencies": [
+ "netflow_CL"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "UnifiSGNetflowBlack.png",
+ "UnifiSGNetflowWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Unifi Security Gateway - NetFlow",
+ "templateRelativePath": "UnifiSGNetflow.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community",
+ "support": {
+ "tier": "Community"
+ },
+ "author": {
+ "name": "SecurityJedi"
+ },
+ "source": {
+ "kind": "Community"
+ },
+ "categories": {
+ "domains": [
+ "Security - Network"
+ ]
+ }
+ },
+ {
+ "workbookKey": "NormalizedNetworkEventsWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "See insights on multiple networking appliances and other network sessions, that have been parsed or mapped to the normalized networking sessions table. Note this requires enabling parsers for the different products - to learn more, visit https://aka.ms/sentinelnormalizationdocs",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "NormalizedNetworkEventsWhite.png",
+ "NormalizedNetworkEventsBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Normalized network events",
+ "templateRelativePath": "NormalizedNetworkEvents.json",
+ "subtitle": "",
+ "provider": "Microsoft",
+ "support": {
+ "tier": "Community"
+ },
+ "author": {
+ "name": "yoav fransis"
+ },
+ "source": {
+ "kind": "Community"
+ },
+ "categories": {
+ "domains": [
+ "Networking"
+ ]
+ }
+ },
+ {
+ "workbookKey": "WorkspaceAuditingWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Workspace auditing report\r\nUse this report to understand query runs across your workspace.",
+ "dataTypesDependencies": [
+ "LAQueryLogs"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "WorkspaceAuditingWhite.png",
+ "WorkspaceAuditingBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Workspace audit",
+ "templateRelativePath": "WorkspaceAuditing.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community",
+ "support": {
+ "tier": "Community"
+ },
+ "author": {
+ "name": "Sarah Young"
+ },
+ "source": {
+ "kind": "Community"
+ },
+ "categories": {
+ "domains": [
+ "IT Operations"
+ ]
+ }
+ },
+ {
+ "workbookKey": "MITREATTACKWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Workbook to showcase MITRE ATT&CK Coverage for Microsoft Sentinel",
+ "dataTypesDependencies": [
+ "SecurityAlert"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "MITREATTACKWhite1.PNG",
+ "MITREATTACKWhite2.PNG",
+ "MITREATTACKBlack1.PNG",
+ "MITREATTACKBlack2.PNG"
+ ],
+ "version": "1.0.1",
+ "title": "MITRE ATT&CK Workbook",
+ "templateRelativePath": "MITREAttack.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "BETTERMTDWorkbook",
+ "logoFileName": "BETTER_MTD_logo.svg",
+ "description": "Workbook using the BETTER Mobile Threat Defense (MTD) connector, to give insights into your mobile devices, installed application and overall device security posture.",
+ "dataTypesDependencies": [
+ "BetterMTDDeviceLog_CL",
+ "BetterMTDAppLog_CL",
+ "BetterMTDIncidentLog_CL",
+ "BetterMTDNetflowLog_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "BetterMTD"
+ ],
+ "previewImagesFileNames": [
+ "BetterMTDWorkbookPreviewWhite1.png",
+ "BetterMTDWorkbookPreviewWhite2.png",
+ "BetterMTDWorkbookPreviewWhite3.png",
+ "BetterMTDWorkbookPreviewBlack1.png",
+ "BetterMTDWorkbookPreviewBlack2.png",
+ "BetterMTDWorkbookPreviewBlack3.png"
+ ],
+ "version": "1.1.0",
+ "title": "BETTER Mobile Threat Defense (MTD)",
+ "templateRelativePath": "BETTER_MTD_Workbook.json",
+ "subtitle": "",
+ "provider": "BETTER Mobile"
+ },
+ {
+ "workbookKey": "AlsidIoEWorkbook",
+ "logoFileName": "Alsid.svg",
+ "description": "Workbook showcasing the state and evolution of your Alsid for AD Indicators of Exposures alerts.",
+ "dataTypesDependencies": [
+ "AlsidForADLog_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "AlsidForAD"
+ ],
+ "previewImagesFileNames": [
+ "AlsidIoEBlack1.png",
+ "AlsidIoEBlack2.png",
+ "AlsidIoEBlack3.png",
+ "AlsidIoEWhite1.png",
+ "AlsidIoEWhite2.png",
+ "AlsidIoEWhite3.png"
+ ],
+ "version": "1.0.0",
+ "title": "Alsid for AD | Indicators of Exposure",
+ "templateRelativePath": "AlsidIoE.json",
+ "subtitle": "",
+ "provider": "Alsid"
+ },
+ {
+ "workbookKey": "AlsidIoAWorkbook",
+ "logoFileName": "Alsid.svg",
+ "description": "Workbook showcasing the state and evolution of your Alsid for AD Indicators of Attack alerts.",
+ "dataTypesDependencies": [
+ "AlsidForADLog_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "AlsidForAD"
+ ],
+ "previewImagesFileNames": [
+ "AlsidIoABlack1.png",
+ "AlsidIoABlack2.png",
+ "AlsidIoABlack3.png",
+ "AlsidIoAWhite1.png",
+ "AlsidIoAWhite2.png",
+ "AlsidIoAWhite3.png"
+ ],
+ "version": "1.0.0",
+ "title": "Alsid for AD | Indicators of Attack",
+ "templateRelativePath": "AlsidIoA.json",
+ "subtitle": "",
+ "provider": "Alsid"
+ },
+ {
+ "workbookKey": "InvestigationInsightsWorkbook",
+ "logoFileName": "Microsoft_logo.svg",
+ "description": "Help analysts gain insight into incident, bookmark and entity data through the Investigation Insights Workbook. This workbook provides common queries and detailed visualizations to help an analyst investigate suspicious activities quickly with an easy to use interface. Analysts can start their investigation from a Microsoft Sentinel incident, bookmark, or by simply entering the entity data into the workbook manually.",
+ "dataTypesDependencies": [
+ "AuditLogs",
+ "AzureActivity",
+ "CommonSecurityLog",
+ "OfficeActivity",
+ "SecurityEvent",
+ "SigninLogs",
+ "ThreatIntelligenceIndicator"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureActivity",
+ "SecurityEvents",
+ "Office365",
+ "AzureActiveDirectory",
+ "ThreatIntelligence",
+ "ThreatIntelligenceTaxii",
+ "WindowsSecurityEvents"
+ ],
+ "previewImagesFileNames": [
+ "InvestigationInsightsWhite1.png",
+ "InvestigationInsightsBlack1.png",
+ "InvestigationInsightsWhite2.png",
+ "InvestigationInsightsBlack2.png"
+ ],
+ "version": "1.4.1",
+ "title": "Investigation Insights",
+ "templateRelativePath": "InvestigationInsights.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "AksSecurityWorkbook",
+ "logoFileName": "Kubernetes_services.svg",
+ "description": "See insights about the security of your AKS clusters. The workbook helps to identify sensitive operations in the clusters and get insights based on Azure Defender alerts.",
+ "dataTypesDependencies": [
+ "SecurityAlert",
+ "AzureDiagnostics"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureSecurityCenter",
+ "AzureKubernetes"
+ ],
+ "previewImagesFileNames": [
+ "AksSecurityWhite.png",
+ "AksSecurityBlack.png"
+ ],
+ "version": "1.5.0",
+ "title": "Azure Kubernetes Service (AKS) Security",
+ "templateRelativePath": "AksSecurity.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "AzureKeyVaultWorkbook",
+ "logoFileName": "KeyVault.svg",
+ "description": "See insights about the security of your Azure key vaults. The workbook helps to identify sensitive operations in the key vaults and get insights based on Azure Defender alerts.",
+ "dataTypesDependencies": [
+ "SecurityAlert",
+ "AzureDiagnostics"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureSecurityCenter",
+ "AzureKeyVault"
+ ],
+ "previewImagesFileNames": [
+ "AkvSecurityWhite.png",
+ "AkvSecurityBlack.png"
+ ],
+ "version": "1.1.0",
+ "title": "Azure Key Vault Security",
+ "templateRelativePath": "AzureKeyVaultWorkbook.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "IncidentOverview",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "The Incident Overview workbook is designed to assist in triaging and investigation by providing in-depth information about the incident, including:\r\n* General information\r\n* Entity data\r\n* Triage time (time between incident creation and first response)\r\n* Mitigation time (time between incident creation and closing)\r\n* Comments\r\n\r\nCustomize this workbook by saving and editing it. \r\nYou can reach this workbook template from the incidents panel as well. Once you have customized it, the link from the incident panel will open the customized workbook instead of the template.\r\n",
+ "dataTypesDependencies": [
+ "SecurityAlert",
+ "SecurityIncident"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "IncidentOverviewBlack1.png",
+ "IncidentOverviewWhite1.png",
+ "IncidentOverviewBlack2.png",
+ "IncidentOverviewWhite2.png"
+ ],
+ "version": "2.1.0",
+ "title": "Incident overview",
+ "templateRelativePath": "IncidentOverview.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "SecurityOperationsEfficiency",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Security operations center managers can view overall efficiency metrics and measures regarding the performance of their team. They can find operations by multiple indicators over time including severity, MITRE tactics, mean time to triage, mean time to resolve and more. The SOC manager can develop a picture of the performance in both general and specific areas over time and use it to improve efficiency.",
+ "dataTypesDependencies": [
+ "SecurityAlert",
+ "SecurityIncident"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SecurityEfficiencyWhite1.png",
+ "SecurityEfficiencyWhite2.png",
+ "SecurityEfficiencyBlack1.png",
+ "SecurityEfficiencyBlack2.png"
+ ],
+ "version": "1.5.1",
+ "title": "Security Operations Efficiency",
+ "templateRelativePath": "SecurityOperationsEfficiency.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "DataCollectionHealthMonitoring",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Gain insights into your workspace's data ingestion status. In this workbook, you can view additional monitors and detect anomalies that will help you determine your workspace's data collection health.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "HealthMonitoringWhite1.png",
+ "HealthMonitoringWhite2.png",
+ "HealthMonitoringWhite3.png",
+ "HealthMonitoringBlack1.png",
+ "HealthMonitoringBlack2.png",
+ "HealthMonitoringBlack3.png"
+ ],
+ "version": "1.0.0",
+ "title": "Data collection health monitoring",
+ "templateRelativePath": "DataCollectionHealthMonitoring.json",
+ "subtitle": "",
+ "provider": "Microsoft",
+ "support": {
+ "tier": "Community"
+ },
+ "author": {
+ "name": "morshabi"
+ },
+ "source": {
+ "kind": "Community"
+ },
+ "categories": {
+ "domains": [
+ "IT Operations",
+ "Platform"
+ ]
+ }
+ },
+ {
+ "workbookKey": "OnapsisAlarmsWorkbook",
+ "logoFileName": "onapsis_logo.svg",
+ "description": "Gain insights into what is going on in your SAP Systems with this overview of the alarms triggered in the Onapsis Platform. Incidents are enriched with context and next steps to help your Security team respond effectively.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "OnapsisPlatform",
+ "CefAma"
+ ],
+ "previewImagesFileNames": [
+ "OnapsisWhite1.PNG",
+ "OnapsisBlack1.PNG",
+ "OnapsisWhite2.PNG",
+ "OnapsisBlack2.PNG"
+ ],
+ "version": "1.0.0",
+ "title": "Onapsis Alarms Overview",
+ "templateRelativePath": "OnapsisAlarmsOverview.json",
+ "subtitle": "",
+ "provider": "Onapsis"
+ },
+ {
+ "workbookKey": "DelineaWorkbook",
+ "logoFileName": "DelineaLogo.svg",
+ "description": "The Delinea Secret Server Syslog connector",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "DelineaSecretServer_CEF",
+ "DelineaSecretServerAma",
+ "CefAma"
+ ],
+ "previewImagesFileNames": [
+ "DelineaWorkbookWhite.PNG",
+ "DelineaWorkbookBlack.PNG"
+ ],
+ "version": "1.0.0",
+ "title": "Delinea Secret Server Workbook",
+ "templateRelativePath": "DelineaWorkbook.json",
+ "subtitle": "",
+ "provider": "Delinea"
+ },
+ {
+ "workbookKey": "ForcepointCloudSecurityGatewayWorkbook",
+ "logoFileName": "Forcepoint_new_logo.svg",
+ "description": "Use this report to understand query runs across your workspace.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "ForcepointCSG",
+ "ForcepointCSGAma",
+ "CefAma"
+ ],
+ "previewImagesFileNames": [
+ "ForcepointCloudSecurityGatewayWhite.png",
+ "ForcepointCloudSecurityGatewayBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Forcepoint Cloud Security Gateway Workbook",
+ "templateRelativePath": "ForcepointCloudSecuirtyGateway.json",
+ "subtitle": "",
+ "provider": "Forcepoint"
+ },
+ {
+ "workbookKey": "IntsightsIOCWorkbook",
+ "logoFileName": "IntSights_logo.svg",
+ "description": "This Microsoft Sentinel workbook provides an overview of Indicators of Compromise (IOCs) and their correlations allowing users to analyze and visualize indicators based on severity, type, and other parameters.",
+ "dataTypesDependencies": [
+ "ThreatIntelligenceIndicator",
+ "SecurityAlert"
+ ],
+ "dataConnectorsDependencies": [
+ "ThreatIntelligenceTaxii"
+ ],
+ "previewImagesFileNames": [
+ "IntsightsIOCWhite.png",
+ "IntsightsMatchedWhite.png",
+ "IntsightsMatchedBlack.png",
+ "IntsightsIOCBlack.png"
+ ],
+ "version": "2.0.0",
+ "title": "IntSights IOC Workbook",
+ "templateRelativePath": "IntsightsIOCWorkbook.json",
+ "subtitle": "",
+ "provider": "IntSights Cyber Intelligence"
+ },
+ {
+ "workbookKey": "DarktraceSummaryWorkbook",
+ "logoFileName": "Darktrace.svg",
+ "description": "A workbook containing relevant KQL queries to help you visualise the data in model breaches from the Darktrace Connector",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "Darktrace",
+ "DarktraceAma",
+ "CefAma"
+ ],
+ "previewImagesFileNames": [
+ "AIA-DarktraceSummaryWhite.png",
+ "AIA-DarktraceSummaryBlack.png"
+ ],
+ "version": "1.1.0",
+ "title": "AI Analyst Darktrace Model Breach Summary",
+ "templateRelativePath": "AIA-Darktrace.json",
+ "subtitle": "",
+ "provider": "Darktrace"
+ },
+ {
+ "workbookKey": "TrendMicroXDR",
+ "logoFileName": "trendmicro_logo.svg",
+ "description": "Gain insights from Trend Vision One with this overview of the Alerts triggered.",
+ "dataTypesDependencies": [
+ "TrendMicro_XDR_WORKBENCH_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "TrendMicroXDR"
+ ],
+ "previewImagesFileNames": [
+ "TrendMicroXDROverviewWhite.png",
+ "TrendMicroXDROverviewBlack.png"
+ ],
+ "version": "1.3.0",
+ "title": "Trend Vision One Alert Overview",
+ "templateRelativePath": "TrendMicroXDROverview.json",
+ "subtitle": "",
+ "provider": "Trend Micro"
+ },
+ {
+ "workbookKey": "CyberpionOverviewWorkbook",
+ "logoFileName": "cyberpion_logo.svg",
+ "description": "Use Cyberpion's Security Logs and this workbook, to get an overview of your online assets, gain insights into their current state, and find ways to better secure your ecosystem.",
+ "dataTypesDependencies": [
+ "CyberpionActionItems_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "CyberpionSecurityLogs"
+ ],
+ "previewImagesFileNames": [
+ "CyberpionActionItemsBlack.png",
+ "CyberpionActionItemsWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Cyberpion Overview",
+ "templateRelativePath": "CyberpionOverviewWorkbook.json",
+ "subtitle": "",
+ "provider": "Cyberpion"
+ },
+ {
+ "workbookKey": "SolarWindsPostCompromiseHuntingWorkbook",
+ "logoFileName": "MSTIC-Logo.svg",
+ "description": "This hunting workbook is intended to help identify activity related to the Solorigate compromise and subsequent attacks discovered in December 2020",
+ "dataTypesDependencies": [
+ "CommonSecurityLog",
+ "SigninLogs",
+ "AuditLogs",
+ "AADServicePrincipalSignInLogs",
+ "OfficeActivity",
+ "BehaviorAnalytics",
+ "SecurityEvent",
+ "DeviceProcessEvents",
+ "SecurityAlert",
+ "DnsEvents"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureActiveDirectory",
+ "SecurityEvents",
+ "Office365",
+ "MicrosoftThreatProtection",
+ "DNS",
+ "WindowsSecurityEvents"
+ ],
+ "previewImagesFileNames": [
+ "SolarWindsPostCompromiseHuntingWhite.png",
+ "SolarWindsPostCompromiseHuntingBlack.png"
+ ],
+ "version": "1.5.1",
+ "title": "SolarWinds Post Compromise Hunting",
+ "templateRelativePath": "SolarWindsPostCompromiseHunting.json",
+ "subtitle": "",
+ "provider": "Microsoft",
+ "support": {
+ "tier": "Microsoft"
+ },
+ "author": {
+ "name": "Shain"
+ },
+ "source": {
+ "kind": "Community"
+ },
+ "categories": {
+ "domains": [
+ "Security - Others"
+ ]
+ }
+ },
+ {
+ "workbookKey": "ProofpointPODWorkbook",
+ "logoFileName": "proofpointlogo.svg",
+ "description": "Gain insights into your Proofpoint on Demand Email Security activities, including maillog and messages data. The Workbook provides users with an executive dashboard showing the reporting capabilities, message traceability and monitoring.",
+ "dataTypesDependencies": [
+ "ProofpointPOD_maillog_CL",
+ "ProofpointPOD_message_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ProofpointPOD"
+ ],
+ "previewImagesFileNames": [
+ "ProofpointPODMainBlack1.png",
+ "ProofpointPODMainBlack2.png",
+ "ProofpointPODMainWhite1.png",
+ "ProofpointPODMainWhite2.png",
+ "ProofpointPODMessageSummaryBlack.png",
+ "ProofpointPODMessageSummaryWhite.png",
+ "ProofpointPODTLSBlack.png",
+ "ProofpointPODTLSWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Proofpoint On-Demand Email Security",
+ "templateRelativePath": "ProofpointPOD.json",
+ "subtitle": "",
+ "provider": "Proofpoint"
+ },
+ {
+ "workbookKey": "CiscoUmbrellaWorkbook",
+ "logoFileName": "cisco_logo.svg",
+ "description": "Gain insights into Cisco Umbrella activities, including the DNS, Proxy and Cloud Firewall data. Workbook shows general information along with threat landscape including categories, blocked destinations and URLs.",
+ "dataTypesDependencies": [
+ "Cisco_Umbrella_dns_CL",
+ "Cisco_Umbrella_proxy_CL",
+ "Cisco_Umbrella_ip_CL",
+ "Cisco_Umbrella_cloudfirewall_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "CiscoUmbrellaDataConnector"
+ ],
+ "previewImagesFileNames": [
+ "CiscoUmbrellaDNSBlack1.png",
+ "CiscoUmbrellaDNSBlack2.png",
+ "CiscoUmbrellaDNSWhite1.png",
+ "CiscoUmbrellaDNSWhite2.png",
+ "CiscoUmbrellaFirewallBlack.png",
+ "CiscoUmbrellaFirewallWhite.png",
+ "CiscoUmbrellaMainBlack1.png",
+ "CiscoUmbrellaMainBlack2.png",
+ "CiscoUmbrellaMainWhite1.png",
+ "CiscoUmbrellaMainWhite2.png",
+ "CiscoUmbrellaProxyBlack1.png",
+ "CiscoUmbrellaProxyBlack2.png",
+ "CiscoUmbrellaProxyWhite1.png",
+ "CiscoUmbrellaProxyWhite2.png"
+ ],
+ "version": "1.0.0",
+ "title": "Cisco Umbrella",
+ "templateRelativePath": "CiscoUmbrella.json",
+ "subtitle": "",
+ "provider": "Cisco"
+ },
+ {
+ "workbookKey": "AnalyticsEfficiencyWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Gain insights into the efficacy of your analytics rules. In this workbook you can analyze and monitor the analytics rules found in your workspace to achieve better performance by your SOC.",
+ "dataTypesDependencies": [
+ "SecurityAlert",
+ "SecurityIncident"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "AnalyticsEfficiencyBlack.png",
+ "AnalyticsEfficiencyWhite.png"
+ ],
+ "version": "1.2.0",
+ "title": "Analytics Efficiency",
+ "templateRelativePath": "AnalyticsEfficiency.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "WorkspaceUsage",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Gain insights into your workspace's usage. In this workbook, you can view your workspace's data consumption, latency, recommended tasks and Cost and Usage statistics.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "WorkspaceUsageBlack.png",
+ "WorkspaceUsageWhite.png"
+ ],
+ "version": "1.6.0",
+ "title": "Workspace Usage Report",
+ "templateRelativePath": "WorkspaceUsage.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community",
+ "support": {
+ "tier": "Community"
+ },
+ "author": {
+ "name": "Clive Watson"
+ },
+ "source": {
+ "kind": "Community"
+ },
+ "categories": {
+ "domains": [
+ "IT Operations"
+ ]
+ }
+ },
+ {
+ "workbookKey": "SentinelCentral",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Use this report to view Incident (and Alert data) across many workspaces, this works with Azure Lighthouse and across any subscription you have access to.",
+ "dataTypesDependencies": [
+ "SecurityIncident"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SentinelCentralBlack.png",
+ "SentinelCentralWhite.png"
+ ],
+ "version": "2.1.1",
+ "title": "Microsoft Sentinel Central",
+ "templateRelativePath": "SentinelCentral.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "CognniIncidentsWorkbook",
+ "logoFileName": "cognni-logo.svg",
+ "description": "Gain intelligent insights into the risks to your important financial, legal, HR, and governance information. This workbook lets you monitor your at-risk information to determine when and why incidents occurred, as well as who was involved. These incidents are broken into high, medium, and low risk incidents for each information category.",
+ "dataTypesDependencies": [
+ "CognniIncidents_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "CognniSentinelDataConnector"
+ ],
+ "previewImagesFileNames": [
+ "CognniBlack.PNG",
+ "CognniWhite.PNG"
+ ],
+ "version": "1.0.0",
+ "title": "Cognni Important Information Incidents",
+ "templateRelativePath": "CognniIncidentsWorkbook.json",
+ "subtitle": "",
+ "provider": "Cognni"
+ },
+ {
+ "workbookKey": "pfsense",
+ "logoFileName": "pfsense_logo.svg",
+ "description": "Gain insights into pfsense logs from both filterlog and nginx.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "pfsenseBlack.png",
+ "pfsenseWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "pfsense",
+ "templateRelativePath": "pfsense.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community",
+ "support": {
+ "tier": "Community"
+ },
+ "author": {
+ "name": "dicolanl"
+ },
+ "source": {
+ "kind": "Community"
+ },
+ "categories": {
+ "domains": [
+ "Security - Network"
+ ]
+ }
+ },
+ {
+ "workbookKey": "ExchangeCompromiseHunting",
+ "logoFileName": "MSTIC-Logo.svg",
+ "description": "This workbook is intended to help defenders in responding to the Exchange Server vulnerabilities disclosed in March 2021, as well as hunting for potential compromise activity. More details on these vulnearbilities can be found at: https://aka.ms/exchangevulns",
+ "dataTypesDependencies": [
+ "SecurityEvent",
+ "W3CIISLog"
+ ],
+ "dataConnectorsDependencies": [
+ "SecurityEvents",
+ "AzureMonitor(IIS)",
+ "WindowsSecurityEvents"
+ ],
+ "previewImagesFileNames": [
+ "ExchangeBlack.png",
+ "ExchangeWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Exchange Compromise Hunting",
+ "templateRelativePath": "ExchangeCompromiseHunting.json",
+ "subtitle": "",
+ "provider": "Microsoft",
+ "support": {
+ "tier": "Community"
+ },
+ "author": {
+ "name": "Pete Bryan"
+ },
+ "source": {
+ "kind": "Community"
+ },
+ "categories": {
+ "domains": [
+ "Security - Threat Protection"
+ ]
+ }
+ },
+ {
+ "workbookKey": "SOCProcessFramework",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SOCProcessFrameworkCoverImage1White.png",
+ "SOCProcessFrameworkCoverImage1Black.png",
+ "SOCProcessFrameworkCoverImage2White.png",
+ "SOCProcessFrameworkCoverImage2Black.png"
+ ],
+ "version": "1.1.0",
+ "title": "SOC Process Framework",
+ "templateRelativePath": "SOCProcessFramework.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "Building_a_SOCLargeStaffWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SOCProcessFrameworkCoverImage1White.png",
+ "SOCProcessFrameworkCoverImage1Black.png",
+ "SOCProcessFrameworkCoverImage2White.png",
+ "SOCProcessFrameworkCoverImage2Black.png"
+ ],
+ "version": "1.1.0",
+ "title": "SOC Large Staff",
+ "templateRelativePath": "Building_a_SOCLargeStaff.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "Building_a_SOCMediumStaffWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SOCProcessFrameworkCoverImage1White.png",
+ "SOCProcessFrameworkCoverImage1Black.png",
+ "SOCProcessFrameworkCoverImage2White.png",
+ "SOCProcessFrameworkCoverImage2Black.png"
+ ],
+ "version": "1.1.0",
+ "title": "SOC Medium Staff",
+ "templateRelativePath": "Building_a_SOCMediumStaff.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "Building_a_SOCPartTimeStaffWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SOCProcessFrameworkCoverImage1White.png",
+ "SOCProcessFrameworkCoverImage1Black.png",
+ "SOCProcessFrameworkCoverImage2White.png",
+ "SOCProcessFrameworkCoverImage2Black.png"
+ ],
+ "version": "1.1.0",
+ "title": "SOC Part Time Staff",
+ "templateRelativePath": "Building_a_SOCPartTimeStaff.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "Building_a_SOCSmallStaffWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SOCProcessFrameworkCoverImage1White.png",
+ "SOCProcessFrameworkCoverImage1Black.png",
+ "SOCProcessFrameworkCoverImage2White.png",
+ "SOCProcessFrameworkCoverImage2Black.png"
+ ],
+ "version": "1.1.0",
+ "title": "SOC Small Staff",
+ "templateRelativePath": "Building_a_SOCSmallStaff.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "SOCIRPlanningWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SOCProcessFrameworkCoverImage1White.png",
+ "SOCProcessFrameworkCoverImage1Black.png",
+ "SOCProcessFrameworkCoverImage2White.png",
+ "SOCProcessFrameworkCoverImage2Black.png"
+ ],
+ "version": "1.1.0",
+ "title": "SOC IR Planning",
+ "templateRelativePath": "SOCIRPlanning.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "UpdateSOCMaturityScoreWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SOCProcessFrameworkCoverImage1White.png",
+ "SOCProcessFrameworkCoverImage1Black.png",
+ "SOCProcessFrameworkCoverImage2White.png",
+ "SOCProcessFrameworkCoverImage2Black.png"
+ ],
+ "version": "1.1.0",
+ "title": "Update SOC Maturity Score",
+ "templateRelativePath": "UpdateSOCMaturityScore.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "Microsoft365SecurityPosture",
+ "logoFileName": "M365securityposturelogo.svg",
+ "description": "This workbook presents security posture data collected from Azure Security Center, M365 Defender, Defender for Endpoint, and Microsoft Cloud App Security. 
This workbook relies on the M365 Security Posture Playbook in order to bring the data in.", + "dataTypesDependencies": [ + "M365SecureScore_CL", + "MDfESecureScore_CL", + "MDfEExposureScore_CL", + "MDfERecommendations_CL", + "MDfEVulnerabilitiesList_CL", + "McasShadowItReporting" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "M365securitypostureblack.png", + "M365securityposturewhite.png" + ], + "version": "1.0.0", + "title": "Microsoft 365 Security Posture", + "templateRelativePath": "M365SecurityPosture.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Community" + }, + "author": { + "name": "Matt Lowe" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Security - Others" + ] + } + }, + { + "workbookKey": "AzureSentinelCost", + "logoFileName": "Azure_Sentinel.svg", + "description": "This workbook provides an estimated cost across the main billed items in Microsoft Sentinel: ingestion, retention and automation. It also provides insight about the possible impact of the Microsoft 365 E5 offer.", + "dataTypesDependencies": [ + "Usage" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "AzureSentinelCostWhite.png", + "AzureSentinelCostBlack.png" + ], + "version": "1.5.1", + "title": "Microsoft Sentinel Cost", + "templateRelativePath": "AzureSentinelCost.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community" + }, + { + "workbookKey": "ADXvsLA", + "logoFileName": "Azure_Sentinel.svg", + "description": "This workbook shows the tables from Microsoft Sentinel which are backed up in ADX. It also provides a comparison between the entries in the Microsoft Sentinel tables and the ADX tables. 
Lastly some general information about the queries and ingestion on ADX is shown.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "ADXvsLABlack.PNG", + "ADXvsLAWhite.PNG" + ], + "version": "1.0.0", + "title": "ADXvsLA", + "templateRelativePath": "ADXvsLA.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Community" + }, + "author": { + "name": "Naomi" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Platform" + ] + } + }, + { + "workbookKey": "MicrosoftDefenderForOffice365", + "logoFileName": "office365_logo.svg", + "description": "Gain insights into your Microsoft Defender for Office 365 raw data logs. This workbook lets you look at trends in email senders, attachments and embedded URL data to find anomalies. You can also search by, sender, recipient, subject, attachment or embedded URL to find where the related messages have been sent.", + "dataTypesDependencies": [ + "EmailEvents", + "EmailUrlInfo", + "EmailAttachmentInfo" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "MDOWhite1.png", + "MDOBlack1.png", + "MDOWhite2.png", + "MDOBlack2.png" + ], + "version": "1.0.0", + "title": "Microsoft Defender For Office 365", + "templateRelativePath": "MicrosoftDefenderForOffice365.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Community" + }, + "author": { + "name": "Brian Delaney" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Security - Others" + ] + } + }, + { + "workbookKey": "ProofPointThreatDashboard", + "logoFileName": "proofpointlogo.svg", + "description": "Provides an overview of email threat activity based on log data provided by ProofPoint", + "dataTypesDependencies": [ + "ProofpointPOD_message_CL", + "ProofpointPOD_maillog_CL", + "ProofPointTAPClicksBlocked_CL", + "ProofPointTAPClicksPermitted_CL", + 
"ProofPointTAPMessagesBlocked_CL", + "ProofPointTAPMessagesDelivered_CL" + ], + "dataConnectorsDependencies": [ + "ProofpointTAP", + "ProofpointPOD" + ], + "previewImagesFileNames": [ + "ProofPointThreatDashboardBlack1.png", + "ProofPointThreatDashboardWhite1.png" + ], + "version": "1.0.0", + "title": "ProofPoint Threat Dashboard", + "templateRelativePath": "ProofPointThreatDashboard.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Community" + }, + "author": { + "name": "reprise99" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Security - Others" + ] + } + }, + { + "workbookKey": "AMAmigrationTracker", + "logoFileName": "Azure_Sentinel.svg", + "description": "See what Azure and Azure Arc servers have Log Analytics agent or Azure Monitor agent installed. Review what DCR (data collection rules) apply to your machines and whether you are collecting logs from those machines into your selected workspaces.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "AMAtrackingWhite1.png", + "AMAtrackingWhite2.png", + "AMAtrackingWhite3.png", + "AMAtrackingWhite4.png", + "AMAtrackingBlack1.png", + "AMAtrackingBlack2.png", + "AMAtrackingBlack3.png", + "AMAtrackingBlack4.png" + ], + "version": "1.1.0", + "title": "AMA migration tracker", + "templateRelativePath": "AMAmigrationTracker.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Community" + }, + "author": { + "name": "mariavaladas" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Platform", + "Migration" + ] + } + }, + { + "workbookKey": "AdvancedKQL", + "logoFileName": "Azure_Sentinel.svg", + "description": "This interactive Workbook is designed to improve your KQL proficiency by using a use-case driven approach.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + 
"AdvancedKQLWhite.png", + "AdvancedKQLBlack.png" + ], + "version": "1.3.0", + "title": "Advanced KQL for Microsoft Sentinel", + "templateRelativePath": "AdvancedKQL.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community" + }, + { + "workbookKey": "DSTIMWorkbook", + "logoFileName": "DSTIM.svg", + "description": "Identify sensitive data blast radius (i.e., who accessed sensitive data, what kinds of sensitive data, from where and when) in a given data security incident investigation or as part of Threat Hunting. Prioritize your investigation based on insights provided with integrations with Watchlists(VIPUsers, TerminatedEmployees and HighValueAssets), Threat Intelligence feed, UEBA baselines and much more.", + "dataTypesDependencies": [ + "DSMAzureBlobStorageLogs", + "DSMDataClassificationLogs", + "DSMDataLabelingLogs", + "Anomalies", + "ThreatIntelligenceIndicator", + "AADManagedIdentitySignInLogs", + "SecurityAlert", + "SigninLogs" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "DSTIMWorkbookBlack.png", + "DSTIMWorkbookWhite.png" + ], + "version": "1.9.0", + "title": "Data Security - Sensitive Data Impact Assessment", + "templateRelativePath": "DSTIMWorkbook.json", + "subtitle": "", + "provider": "Microsoft", + "featureFlag": "DSTIMWorkbook", + "support": { + "tier": "Community" + }, + "author": { + "name": "avital-m" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Security - Others" + ] + } + }, + { + "workbookKey": "IntrotoKQLWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Learn and practice the Kusto Query Language. This workbook introduces and provides 100 to 200 level content for new and existing users looking to learn KQL. 
This workbook will be updated with content over time.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "IntrotoKQL-black.png", + "IntrotoKQL-white.png" + ], + "version": "1.0.0", + "title": "Intro to KQL", + "templateRelativePath": "IntrotoKQL.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community" + }, + { + "workbookKey": "Log4jPostCompromiseHuntingWorkbook", + "logoFileName": "Log4j.svg", + "description": "This hunting workbook is intended to help identify activity related to the Log4j compromise discovered in December 2021.", + "dataTypesDependencies": [ + "SecurityNestedRecommendation", + "AzureDiagnostics", + "OfficeActivity", + "W3CIISLog", + "AWSCloudTrail", + "SigninLogs", + "AADNonInteractiveUserSignInLogs", + "imWebSessions", + "imNetworkSession" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "Log4jPostCompromiseHuntingBlack.png", + "Log4jPostCompromiseHuntingWhite.png" + ], + "version": "1.0.0", + "title": "Log4j Post Compromise Hunting", + "templateRelativePath": "Log4jPostCompromiseHunting.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community" + }, + { + "workbookKey": "Log4jImpactAssessmentWorkbook", + "logoFileName": "Log4j.svg", + "description": "This hunting workbook is intended to help identify activity related to the Log4j compromise discovered in December 2021.", + "dataTypesDependencies": [ + "SecurityIncident", + "SecurityAlert", + "AzureSecurityCenter", + "MDfESecureScore_CL", + "MDfEExposureScore_CL", + "MDfERecommendations_CL", + "MDfEVulnerabilitiesList_CL" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "Log4jPostCompromiseHuntingBlack.png", + "Log4jPostCompromiseHuntingWhite.png" + ], + "version": "1.0.0", + "title": "Log4j Impact Assessment", + "templateRelativePath": "Log4jImpactAssessment.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community" + }, + { + "workbookKey": "UserMap", + 
"logoFileName": "Azure_Sentinel.svg", + "description": "This Workbook shows MaliciousIP, User SigninLog Data (this shows user Signin Locations and distance between as well as order visited) and WAF information.", + "dataTypesDependencies": [ + "SigninLogs", + "AzureDiagnostics", + "WireData", + "VMconnection", + "CommonSecurityLog", + "WindowsFirewall", + "W3CIISLog", + "DnsEvents" + ], + "dataConnectorsDependencies": [ + "AzureActiveDirectory" + ], + "previewImagesFileNames": [ + "UserMapBlack.png", + "UserMapWhite.png" + ], + "version": "1.0.1", + "title": "User Map information", + "templateRelativePath": "UserMap.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Community" + }, + "author": { + "name": "Clive Watson" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Security - Threat Protection" + ] + } + }, + { + "workbookKey": "AWSS3", + "logoFileName": "amazon_web_services_Logo.svg", + "description": "This workbook shows quick summary of AWS S3 data (AWSCloudTrail, AWSGuardDuty, AWSVPCFlow). 
To visulaize the data, make sure you configure AWS S3 connector and data geting ingested into Sentinel", + "dataTypesDependencies": [ + "AWSCloudTrail", + "AWSGuardDuty", + "AWSVPCFlow" + ], + "dataConnectorsDependencies": [ + "AWSS3" + ], + "previewImagesFileNames": [ + "AWSS3Black.png", + "AWSS3White.png", + "AWSS3White1.png" + ], + "version": "1.0.0", + "title": "AWS S3 Workbook", + "templateRelativePath": "AWSS3.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Community" + }, + "author": { + "name": "Clive Watson" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Security - Cloud Security" + ] + } + }, + { + "workbookKey": "LogSourcesAndAnalyticRulesCoverageWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "This workbook is intended to show how the different tables in a Log Analytics workspace are being used by the different Microsoft Sentinel features, like analytics, hunting queries, playbooks and queries in general.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "LogSourcesAndAnalyticRulesCoverageBlack.png", + "LogSourcesAndAnalyticRulesCoverageWhite.png" + ], + "version": "1.1.0", + "title": "Log Sources & Analytic Rules Coverage", + "templateRelativePath": "LogSourcesAndAnalyticRulesCoverage.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Community" + }, + "author": { + "name": "Eli Forbes" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Security - Others" + ] + } + }, + { + "workbookKey": "CiscoFirepower", + "logoFileName": "cisco-logo-72px.svg", + "description": "Gain insights into your Cisco Firepower firewalls. 
This workbook analyzes Cisco Firepower device logs.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "CiscoFirepowerBlack.png", + "CiscoFirepowerWhite.png" + ], + "version": "1.0.0", + "title": "Cisco Firepower", + "templateRelativePath": "CiscoFirepower.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Community" + }, + "author": { + "name": "Samik Roy" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Security - Network" + ] + } + }, + { + "workbookKey": "MicrorosftTeams", + "logoFileName": "microsoftteams.svg", + "description": "This workbook is intended to identify the activities on Microrsoft Teams.", + "dataTypesDependencies": [ + "OfficeActivity" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "MicrosoftTeamsBlack.png", + "MicrosoftTeamsWhite.png" + ], + "version": "1.0.0", + "title": "Microsoft Teams", + "templateRelativePath": "MicrosoftTeams.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community" + }, + { + "workbookKey": "ArchivingBasicLogsRetention", + "logoFileName": "ArchivingBasicLogsRetention.svg", + "description": "This workbooks shows workspace and table retention periods, basic logs, and search & restore tables. 
It also allows you to update table retention periods, plans, and delete search or restore tables.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "ArchivingBasicLogsRetentionBlack1.png", + "ArchivingBasicLogsRetentionWhite1.png" + ], + "version": "1.1.0", + "title": "Archiving, Basic Logs, and Retention", + "templateRelativePath": "ArchivingBasicLogsRetention.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Community" + }, + "author": { + "name": "seanstark-ms" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Platform", + "IT Operations" + ] + } + }, + { + "workbookKey": "OktaSingleSignOnWorkbook", + "logoFileName": "okta_logo.svg", + "description": "Gain extensive insight into Okta Single Sign-On (SSO) by analyzing, collecting and correlating Audit and Event events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked.", + "dataTypesDependencies": [ + "Okta_CL", + "OktaSSO" + ], + "dataConnectorsDependencies": [ + "OktaSSO", + "OktaSSOv2" + ], + "previewImagesFileNames": [ + "OktaSingleSignOnWhite.png", + "OktaSingleSignOnBlack.png" + ], + "version": "1.2", + "title": "Okta Single Sign-On", + "templateRelativePath": "OktaSingleSignOn.json", + "subtitle": "", + "provider": "Okta" + }, + { + "workbookKey": "CiscoMerakiWorkbook", + "logoFileName": "cisco-logo-72px.svg", + "description": "Gain insights into the Events from Cisco Meraki Solution and analyzing all the different types of Security Events. 
This workbook also helps in identifying the Events from affected devices, IPs and the nodes where malware was successfully detected.\nIP data received in Events is correlated with Threat Intelligence to identify if the reported IP address is known bad based on threat intelligence data.", + "dataTypesDependencies": [ + "meraki_CL", + "CiscoMerakiNativePoller", + "ThreatIntelligenceIndicator" + ], + "dataConnectorsDependencies": [ + "CiscoMeraki", + "CiscoMerakiNativePolling", + "ThreatIntelligence" + ], + "previewImagesFileNames": [ + "CiscoMerakiWorkbookWhite.png", + "CiscoMerakiWorkbookBlack.png" + ], + "version": "1.0.0", + "title": "CiscoMerakiWorkbook", + "templateRelativePath": "CiscoMerakiWorkbook.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "SentinelOneWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Sets the time name for analysis.", + "dataTypesDependencies": [ + "SentinelOne_CL" + ], + "dataConnectorsDependencies": [ + "SentinelOne" + ], + "previewImagesFileNames": [ + "SentinelOneBlack.png", + "SentinelOneWhite.png" + ], + "version": "1.0.0", + "title": "SentinelOneWorkbook", + "templateRelativePath": "SentinelOne.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "TrendMicroApexOneWorkbook", + "logoFileName": "trendmicro_logo.svg", + "description": "Sets the time name for analysis.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "TrendMicroApexOne", + "TrendMicroApexOneAma", + "CefAma" + ], + "previewImagesFileNames": [ + "TrendMicroApexOneBlack.png", + "TrendMicroApexOneWhite.png" + ], + "version": "1.0.0", + "title": "Trend Micro Apex One", + "templateRelativePath": "TrendMicroApexOne.json", + "subtitle": "", + "provider": "TrendMicro" + }, + { + "workbookKey": "ContrastProtect", + "logoFileName": "contrastsecurity_logo.svg", + "description": "Select the time range for this Overview.", + "dataTypesDependencies": [ + 
"CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "ContrastProtect", + "ContrastProtectAma", + "CefAma" + ], + "previewImagesFileNames": [ + "ContrastProtectAllBlack.png", + "ContrastProtectAllWhite.png", + "ContrastProtectEffectiveBlack.png", + "ContrastProtectEffectiveWhite.png", + "ContrastProtectSummaryBlack.png", + "ContrastProtectSummaryWhite.png" + ], + "version": "1.0.0", + "title": "Contrast Protect", + "templateRelativePath": "ContrastProtect.json", + "subtitle": "", + "provider": "contrast security" + }, + { + "workbookKey": "ArmorbloxOverview", + "logoFileName": "armorblox.svg", + "description": "INCIDENTS FROM SELECTED TIME RANGE", + "dataTypesDependencies": [ + "Armorblox_CL" + ], + "dataConnectorsDependencies": [ + "Armorblox" + ], + "previewImagesFileNames": [ + "ArmorbloxOverviewBlack01.png", + "ArmorbloxOverviewBlack02.png", + "ArmorbloxOverviewWhite01.png", + "ArmorbloxOverviewWhite02.png" + ], + "version": "1.0.0", + "title": "Armorblox", + "templateRelativePath": "ArmorbloxOverview.json", + "subtitle": "", + "provider": "Armorblox" + }, + { + "workbookKey": "CiscoETDWorkbook", + "logoFileName": "cisco-logo-72px.svg", + "description": "Analyze email threat data seamlessly with the workbook, correlating information from the Secure Email Threat Defense API to identify and mitigate suspicious activities, providing insights into trends and allowing for precise filtering and analysis", + "dataTypesDependencies": [ + "CiscoETD_CL" + ], + "dataConnectorsDependencies": [ + "CiscoETD" + ], + "previewImagesFileNames": [ + "CiscoETDBlack01.PNG", + "CiscoETDBlack02.PNG", + "CiscoETDWhite01.PNG", + "CiscoETDWhite02.PNG" + ], + "version": "1.0", + "title": "Cisco Email Threat Defense", + "templateRelativePath": "CiscoETD.json", + "subtitle": "", + "provider": "Cisco" + }, + { + "workbookKey": "PaloAltoCDL", + "logoFileName": "paloalto_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CommonSecurityLog" + 
], + "dataConnectorsDependencies": [ + "PaloAltoCDL", + "PaloAltoCDLAma", + "CefAma" + ], + "previewImagesFileNames": [ + "PaloAltoBlack.png", + "PaloAltoWhite.png" + ], + "version": "1.0.0", + "title": "Palo Alto Networks Cortex Data Lake", + "templateRelativePath": "PaloAltoCDL.json", + "subtitle": "", + "provider": "Palo Alto Networks" + }, + { + "workbookKey": "VMwareCarbonBlack", + "logoFileName": "Azure_Sentinel.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CarbonBlackEvents_CL", + "CarbonBlackAuditLogs_CL", + "CarbonBlackNotifications_CL" + ], + "dataConnectorsDependencies": [ + "VMwareCarbonBlack" + ], + "previewImagesFileNames": [ + "VMwareCarbonBlack.png", + "VMwareCarbonWhite.png" + ], + "version": "1.0.0", + "title": "VMware Carbon Black Cloud", + "templateRelativePath": "VMwareCarbonBlack.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "VMwareSDWAN", + "logoFileName": "vmware_sase_logo.svg", + "description": "This workbook is intended to provide an overview on security events on VMware SD-WAN and Cloud Web Security.", + "dataTypesDependencies": [ + "VMware_CWS_Weblogs_CL", + "VMware_VECO_EventLogs_CL" + ], + "dataConnectorsDependencies": [ + "VMwareSDWAN" + ], + "previewImagesFileNames": [ + "vmwaresdwan_sentinel_audit_overview_Black.png", + "vmwaresdwan_sentinel_audit_overview_White.png", + "vmwaresdwan_sentinel_connectivity_overview_Black.png", + "vmwaresdwan_sentinel_connectivity_overview_White.png", + "vmwaresdwan_sentinel_cws_agents_events_Black.png", + "vmwaresdwan_sentinel_cws_agents_events_White.png", + "vmwaresdwan_sentinel_cws_casb_Black.png", + "vmwaresdwan_sentinel_cws_casb_White.png", + "vmwaresdwan_sentinel_cws_cf_users_policy_Black.png", + "vmwaresdwan_sentinel_cws_cf_users_policy_White.png", + "vmwaresdwan_sentinel_cws_overview_Black.png", + "vmwaresdwan_sentinel_cws_overview_White.png", + "vmwaresdwan_sentinel_cws_sasepop_urlf_Black.png", + 
"vmwaresdwan_sentinel_cws_sasepop_urlf_White.png", + "vmwaresdwan_sentinel_cws_urlf_Black.png", + "vmwaresdwan_sentinel_cws_urlf_White.png", + "vmwaresdwan_sentinel_efs_idps_categories_Black.png", + "vmwaresdwan_sentinel_efs_idps_categories_White.png", + "vmwaresdwan_sentinel_idps_activity_Black.png", + "vmwaresdwan_sentinel_idps_activity_White.png", + "vmwaresdwan_sentinel_nsd_overview_Black.png", + "vmwaresdwan_sentinel_nsd_overview_White.png", + "vmwaresdwan_sentinel_nsd_via_vcg_Black.png", + "vmwaresdwan_sentinel_nsd_via_vcg_White.png", + "vmwaresdwan_sentinel_sdwan_efs_statefulfw_Black.png", + "vmwaresdwan_sentinel_sdwan_efs_statefulfw_White.png" + ], + "version": "1.0.0", + "title": "VMware SD-WAN and SASE", + "templateRelativePath": "VMwareSASESOCDashboard.json", + "subtitle": "", + "provider": "velocloud" + }, + { + "workbookKey": "arista-networks", + "logoFileName": "AristaAwakeSecurity.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "AristaAwakeSecurity", + "CefAma" + ], + "previewImagesFileNames": [ + "AristaAwakeSecurityDevicesBlack.png", + "AristaAwakeSecurityDevicesWhite.png", + "AristaAwakeSecurityModelsBlack.png", + "AristaAwakeSecurityModelsWhite.png", + "AristaAwakeSecurityOverviewBlack.png", + "AristaAwakeSecurityOverviewWhite.png" + ], + "version": "1.0.0", + "title": "Arista Awake", + "templateRelativePath": "AristaAwakeSecurityWorkbook.json", + "subtitle": "", + "provider": "Arista Networks" + }, + { + "workbookKey": "TomcatWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "Tomcat_CL" + ], + "dataConnectorsDependencies": [ + "ApacheTomcat" + ], + "previewImagesFileNames": [ + "TomcatBlack.png", + "TomcatWhite.png" + ], + "version": "1.0.0", + "title": "ApacheTomcat", + "templateRelativePath": "Tomcat.json", + "subtitle": "", + "provider": "Apache" + }, + { + 
"workbookKey": "ClarotyWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "Claroty", + "ClarotyAma", + "CefAma" + ], + "previewImagesFileNames": [ + "ClarotyBlack.png", + "ClarotyWhite.png" + ], + "version": "1.0.0", + "title": "Claroty", + "templateRelativePath": "ClarotyOverview.json", + "subtitle": "", + "provider": "Claroty" + }, + { + "workbookKey": "ApacheHTTPServerWorkbook", + "logoFileName": "apache.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "ApacheHTTPServer_CL" + ], + "dataConnectorsDependencies": [ + "ApacheHTTPServer" + ], + "previewImagesFileNames": [ + "ApacheHTTPServerOverviewBlack01.png", + "ApacheHTTPServerOverviewBlack02.png", + "ApacheHTTPServerOverviewWhite01.png", + "ApacheHTTPServerOverviewWhite02.png" + ], + "version": "1.0.0", + "title": "Apache HTTP Server", + "templateRelativePath": "ApacheHTTPServer.json", + "subtitle": "", + "provider": "Apache Software Foundation" + }, + { + "workbookKey": "OCIWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "OCI_Logs_CL" + ], + "dataConnectorsDependencies": [ + "OracleCloudInfrastructureLogsConnector" + ], + "previewImagesFileNames": [ + "OCIBlack.png", + "OCIWhite.png" + ], + "version": "1.0.0", + "title": "Oracle Cloud Infrastructure", + "templateRelativePath": "OracleCloudInfrastructureOCI.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "OracleWeblogicServerWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "OracleWebLogicServer_CL" + ], + "dataConnectorsDependencies": [ + "OracleWebLogicServer" + ], + "previewImagesFileNames": [ + "OracleWeblogicServerBlack.png", + "OracleWeblogicServerWhite.png" + ], + "version": 
"1.0.0", + "title": "Oracle WebLogic Server", + "templateRelativePath": "OracleWorkbook.json", + "subtitle": "", + "provider": "Oracle" + }, + { + "workbookKey": "BitglassWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "BitglassLogs_CL" + ], + "dataConnectorsDependencies": [ + "Bitglass" + ], + "previewImagesFileNames": [ + "BitglassBlack.png", + "BitglassWhite.png" + ], + "version": "1.0.0", + "title": "Bitglass", + "templateRelativePath": "Bitglass.json", + "subtitle": "", + "provider": "Bitglass" + }, + { + "workbookKey": "NGINXWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "NGINX_CL" + ], + "dataConnectorsDependencies": [ + "NGINXHTTPServer" + ], + "previewImagesFileNames": [ + "NGINXOverviewBlack01.png", + "NGINXOverviewBlack02.png", + "NGINXOverviewWhite01.png", + "NGINXOverviewWhite02.png" + ], + "version": "1.0.0", + "title": "NGINX HTTP Server", + "templateRelativePath": "NGINX.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "vArmourAppContollerWorkbook", + "logoFileName": "varmour-logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "vArmourAC", + "vArmourACAma", + "CefAma" + ], + "previewImagesFileNames": [ + "vArmourAppControllerAppBlack.png", + "vArmourAppControllerAppBlack-1.png", + "vArmourAppControllerAppBlack-2.png", + "vArmourAppControllerAppBlack-3.png", + "vArmourAppControllerAppBlack-4.png", + "vArmourAppControllerAppBlack-5.png", + "vArmourAppControllerAppBlack-6.png", + "vArmourAppControllerAppBlack-7.png", + "vArmourAppControllerAppWhite.png", + "vArmourAppControllerAppWhite-1.png", + "vArmourAppControllerAppWhite-2.png", + "vArmourAppControllerAppWhite-3.png", + "vArmourAppControllerAppWhite-4.png", + "vArmourAppControllerAppWhite-5.png", + 
"vArmourAppControllerAppWhite-6.png", + "vArmourAppControllerAppWhite-7.png" + ], + "version": "1.0.0", + "title": "vArmour Application Controller", + "templateRelativePath": "vArmour_AppContoller_Workbook.json", + "subtitle": "", + "provider": "vArmour" + }, + { + "workbookKey": "CorelightWorkbook", + "logoFileName": "corelight.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "Corelight_CL" + ], + "dataConnectorsDependencies": [ + "Corelight" + ], + "previewImagesFileNames": [ + "CorelightConnectionsBlack1.png", + "CorelightConnectionsBlack2.png", + "CorelightConnectionsWhite1.png", + "CorelightConnectionsWhite2.png", + "CorelightDNSBlack1.png", + "CorelightDNSWhite1.png", + "CorelightFileBlack1.png", + "CorelightFileBlack2.png", + "CorelightFileWhite1.png", + "CorelightFileWhite2.png", + "CorelightMainBlack1.png", + "CorelightMainWhite1.png", + "CorelightSoftwareBlack1.png", + "CorelightSoftwareWhite1.png" + ], + "version": "1.0.0", + "title": "Corelight", + "templateRelativePath": "Corelight.json", + "subtitle": "", + "provider": "Corelight" + }, + { + "workbookKey": "LookoutEvents", + "logoFileName": "lookout.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "Lookout_CL" + ], + "dataConnectorsDependencies": [ + "LookoutAPI" + ], + "previewImagesFileNames": [ + "SampleLookoutWorkBookBlack.png", + "SampleLookoutWorkBookWhite.png" + ], + "version": "1.0.0", + "title": "Lookout", + "templateRelativePath": "LookoutEvents.json", + "subtitle": "", + "provider": "Lookout" + }, + { + "workbookKey": "sentinel-MicrosoftPurview", + "logoFileName": "MicrosoftPurview.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "AzureDiagnostics" + ], + "dataConnectorsDependencies": [ + "MicrosoftAzurePurview" + ], + "previewImagesFileNames": [ + "" + ], + "version": "1.0.0", + "title": "Microsoft Purview", + "templateRelativePath": "MicrosoftPurview.json", + "subtitle": 
"", + "provider": "Microsoft" + }, + { + "workbookKey": "InfobloxCDCB1TDWorkbook", + "logoFileName": "infoblox_logo.svg", + "description": "Get a closer look at your BloxOne DNS Query/Response logs, DHCP logs and Threat Defense security event data. This workbook is intended to help visualize BloxOne query data as part of the Infoblox Cloud solution. Drilldown your data and visualize events, trends, and anomalous changes over time.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "InfobloxCloudDataConnector", + "InfobloxCloudDataConnectorAma", + "CefAma" + ], + "previewImagesFileNames": [ + "InfobloxCDCB1TDBlack.png", + "InfobloxCDCB1TDWhite.png" + ], + "version": "2.0.0", + "title": "Infoblox CDC BloxOne DDI & Threat Defense DNS Workbook", + "templateRelativePath": "InfobloxCDCB1TDWorkbook.json", + "subtitle": "", + "provider": "Infoblox" + }, + { + "workbookKey": "InfobloxSOCInsightsWorkbook", + "logoFileName": "infoblox_logo.svg", + "description": "Get a closer look at your Infoblox SOC Insights. This workbook is intended to help visualize your BloxOne SOC Insights data as part of the Infoblox SOC Insights Solution. 
Drilldown your data and visualize events, trends, and anomalous changes over time.",
+ "dataTypesDependencies": [
+ "InfobloxInsight",
+ "InfobloxInsightAssets",
+ "InfobloxInsightComments",
+ "InfobloxInsightIndicators",
+ "InfobloxInsightEvents"
+ ],
+ "dataConnectorsDependencies": [
+ "InfobloxSOCInsightsDataConnector_AMA",
+ "InfobloxSOCInsightsDataConnector_API",
+ "InfobloxSOCInsightsDataConnector_Legacy",
+ "CefAma"
+ ],
+ "previewImagesFileNames": [
+ "InfobloxSOCInsightsBlack.png",
+ "InfobloxSOCInsightsWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Infoblox SOC Insights Workbook",
+ "templateRelativePath": "InfobloxSOCInsightsWorkbook.json",
+ "subtitle": "",
+ "provider": "Infoblox"
+ },
+ {
+ "workbookKey": "UbiquitiUniFiWorkbook",
+ "logoFileName": "ubiquiti.svg",
+ "description": "Sets the time name for analysis",
+ "dataTypesDependencies": [
+ "Ubiquiti_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "UbiquitiUnifi"
+ ],
+ "previewImagesFileNames": [
+ "UbiquitiOverviewBlack01.png",
+ "UbiquitiOverviewBlack02.png",
+ "UbiquitiOverviewWhite01.png",
+ "UbiquitiOverviewWhite02.png"
+ ],
+ "version": "1.0.0",
+ "title": "Ubiquiti UniFi",
+ "templateRelativePath": "Ubiquiti.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "VMwareESXiWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Sets the time name for analysis",
+ "dataTypesDependencies": [
+ "Syslog"
+ ],
+ "dataConnectorsDependencies": [
+ "VMwareESXi",
+ "SyslogAma"
+ ],
+ "previewImagesFileNames": [
+ "VMWareESXiBlack.png",
+ "VMWareESXiWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "VMware ESXi",
+ "templateRelativePath": "VMWareESXi.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "SnowflakeWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Sets the time name for analysis",
+ "dataTypesDependencies": [
+ "Snowflake_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "SnowflakeDataConnector"
+ ],
+
"previewImagesFileNames": [ + "SnowflakeBlack.png", + "SnowflakeWhite.png" + ], + "version": "1.0.0", + "title": "Snowflake", + "templateRelativePath": "Snowflake.json", + "subtitle": "", + "provider": "Snowflake" + }, + { + "workbookKey": "LastPassWorkbook", + "logoFileName": "LastPass.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "LastPassNativePoller_CL" + ], + "dataConnectorsDependencies": [ + "LastPassAPIConnector" + ], + "previewImagesFileNames": [ + "LastPassBlack.png", + "LastPassWhite.png" + ], + "version": "1.0.0", + "title": "Lastpass Enterprise Activity Monitoring", + "templateRelativePath": "LastPassWorkbook.json", + "subtitle": "", + "provider": "LastPass" + }, + { + "workbookKey": "SecurityBridgeWorkbook", + "logoFileName": "SecurityBridgeLogo-Vector-TM_75x75.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "SecurityBridgeLogs" + ], + "dataConnectorsDependencies": [ + "SecurityBridgeSAP" + ], + "previewImagesFileNames": [ + "" + ], + "version": "1.0.0", + "title": "SecurityBridge App", + "templateRelativePath": "SecurityBridgeThreatDetectionforSAP.json", + "subtitle": "", + "provider": "SecurityBridge" + }, + { + "workbookKey": "PaloAltoPrismaCloudWorkbook", + "logoFileName": "paloalto_logo.svg", + "description": "Sets the time name for analysis.", + "dataTypesDependencies": [ + "PaloAltoPrismaCloudAlert_CL", + "PaloAltoPrismaCloudAudit_CL" + ], + "dataConnectorsDependencies": [ + "PaloAltoPrismaCloud" + ], + "previewImagesFileNames": [ + "PaloAltoPrismaCloudBlack01.png", + "PaloAltoPrismaCloudBlack02.png", + "PaloAltoPrismaCloudWhite01.png", + "PaloAltoPrismaCloudWhite02.png" + ], + "version": "1.0.0", + "title": "Palo Alto Prisma", + "templateRelativePath": "PaloAltoPrismaCloudOverview.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "PingFederateWorkbook", + "logoFileName": "PingIdentity.svg", + "description": "Sets the time name for 
analysis", + "dataTypesDependencies": [ + "PingFederateEvent" + ], + "dataConnectorsDependencies": [ + "PingFederate", + "PingFederateAma", + "CefAma" + ], + "previewImagesFileNames": [ + "PingFederateBlack1.png", + "PingFederateWhite1.png" + ], + "version": "1.0.0", + "title": "PingFederate", + "templateRelativePath": "PingFederate.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "McAfeeePOWorkbook", + "logoFileName": "mcafee_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "McAfeeEPOEvent" + ], + "dataConnectorsDependencies": [ + "McAfeeePO", + "SyslogAma" + ], + "previewImagesFileNames": [ + "McAfeeePOBlack1.png", + "McAfeeePOBlack2.png", + "McAfeeePOWhite1.png", + "McAfeeePOWhite2.png" + ], + "version": "1.0.0", + "title": "McAfee ePolicy Orchestrator", + "templateRelativePath": "McAfeeePOOverview.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "OracleDatabaseAudit", + "logoFileName": "oracle_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "Syslog" + ], + "dataConnectorsDependencies": [ + "OracleDatabaseAudit", + "SyslogAma" + ], + "previewImagesFileNames": [ + "OracleDatabaseAuditBlack1.png", + "OracleDatabaseAuditBlack2.png", + "OracleDatabaseAuditWhite1.png", + "OracleDatabaseAuditWhite2.png" + ], + "version": "1.0.0", + "title": "Oracle Database Audit", + "templateRelativePath": "OracleDatabaseAudit.json", + "subtitle": "", + "provider": "Oracle" + }, + { + "workbookKey": "SenservaProAnalyticsWorkbook", + "logoFileName": "SenservaPro_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "SenservaPro_CL" + ], + "dataConnectorsDependencies": [ + "SenservaPro" + ], + "previewImagesFileNames": [ + "SenservaProAnalyticsBlack.png", + "SenservaProAnalyticsWhite.png" + ], + "version": "1.0.0", + "title": "SenservaProAnalytics", + "templateRelativePath": 
"SenservaProAnalyticsWorkbook.json", + "subtitle": "", + "provider": "Senserva Pro" + }, + { + "workbookKey": "SenservaProMultipleWorkspaceWorkbook", + "logoFileName": "SenservaPro_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "SenservaPro_CL" + ], + "dataConnectorsDependencies": [ + "SenservaPro" + ], + "previewImagesFileNames": [ + "SenservaProMultipleWorkspaceWorkbookBlack.png", + "SenservaProMultipleWorkspaceWorkbookWhite.png" + ], + "version": "1.0.0", + "title": "SenservaProMultipleWorkspace", + "templateRelativePath": "SenservaProMultipleWorkspaceWorkbook.json", + "subtitle": "", + "provider": "Senserva Pro" + }, + { + "workbookKey": "SenservaProSecureScoreMultiTenantWorkbook", + "logoFileName": "SenservaPro_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "SenservaPro_CL" + ], + "dataConnectorsDependencies": [ + "SenservaPro" + ], + "previewImagesFileNames": [ + "SenservaProSecureScoreMultiTenantBlack.png", + "SenservaProSecureScoreMultiTenantWhite.png" + ], + "version": "1.0.0", + "title": "SenservaProSecureScoreMultiTenant", + "templateRelativePath": "SenservaProSecureScoreMultiTenantWorkbook.json", + "subtitle": "", + "provider": "Senserva Pro" + }, + { + "workbookKey": "CiscoSecureEndpointOverviewWorkbook", + "logoFileName": "cisco-logo-72px.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CiscoSecureEndpoint" + ], + "dataConnectorsDependencies": [ + "CiscoSecureEndpoint" + ], + "previewImagesFileNames": [ + "CiscoSecureEndpointBlack.png", + "CiscoSecureEndpointWhite.png" + ], + "version": "1.0.0", + "title": "Cisco Secure Endpoint", + "templateRelativePath": "Cisco Secure Endpoint Overview.json", + "subtitle": "", + "provider": "Cisco" + }, + { + "workbookKey": "InfoSecGlobalWorkbook", + "logoFileName": "infosecglobal.svg", + "description": "Sets the time name for analysis.", + "dataTypesDependencies": [ + 
"InfoSecAnalytics_CL" + ], + "dataConnectorsDependencies": [ + "InfoSecDataConnector" + ], + "previewImagesFileNames": [ + "InfoSecGlobalWorkbookBlack.png", + "InfoSecGlobalWorkbookWhite.png" + ], + "version": "1.0.0", + "title": "AgileSec Analytics Connector", + "templateRelativePath": "InfoSecGlobal.json", + "subtitle": "", + "provider": "InfoSecGlobal" + }, + { + "workbookKey": "CrowdStrikeFalconEndpointProtectionWorkbook", + "logoFileName": "crowdstrike.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CrowdstrikeReplicatorLogs_CL" + ], + "dataConnectorsDependencies": [ + "CrowdstrikeReplicator" + ], + "previewImagesFileNames": [ + "CrowdStrikeFalconEndpointProtectionBlack.png", + "CrowdStrikeFalconEndpointProtectionWhite.png" + ], + "version": "1.0.0", + "title": "CrowdStrike Falcon Endpoint Protection", + "templateRelativePath": "CrowdStrikeFalconEndpointProtection.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "IronDefenseAlertDashboard", + "logoFileName": "IronNet.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "IronNetIronDefense" + ], + "previewImagesFileNames": [ + "IronDefenseDashboardBlack.png", + "IronDefenseDashboardWhite.png" + ], + "version": "1.0.0", + "title": "IronDefenseAlertDashboard", + "templateRelativePath": "IronDefenseAlertDashboard.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "IronDefenseAlertDetails", + "logoFileName": "IronNet.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "IronNetIronDefense" + ], + "previewImagesFileNames": [ + "IronDefenseAlertsBlack.png", + "IronDefenseAlertsWhite.png" + ], + "version": "1.0.0", + "title": "IronDefenseAlertDetails", + "templateRelativePath": "IronDefenseAlertDetails.json", + "subtitle": "", + 
"provider": "Microsoft" + }, + { + "workbookKey": "CiscoSEGWorkbook", + "logoFileName": "cisco-logo-72px.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "CiscoSEG", + "CiscoSEGAma", + "CefAma" + ], + "previewImagesFileNames": [ + "CiscoSEGBlack.png", + "CiscoSEGWhite.png" + ], + "version": "1.0.0", + "title": "Cisco Secure Email Gateway", + "templateRelativePath": "CiscoSEG.json", + "subtitle": "", + "provider": "Cisco" + }, + { + "workbookKey": "EatonForeseerHealthAndAccess", + "logoFileName": "Azure_Sentinel.svg", + "description": "This workbook gives an insight into the health of all the Windows VMs in this subscription running Eaton Foreseer and the unauthorized access into the Eaton Foreseer application running on these VMs.", + "dataTypesDependencies": [ + "SecurityEvent" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "EatonForeseerHealthAndAccessBlack.png", + "EatonForeseerHealthAndAccessWhite.png" + ], + "version": "1.0.0", + "title": "EatonForeseerHealthAndAccess", + "templateRelativePath": "EatonForeseerHealthAndAccess.json", + "subtitle": "", + "provider": "Eaton" + }, + { + "workbookKey": "PCIDSSComplianceWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Choose your subscription and workspace in which PCI assets are deployed", + "dataTypesDependencies": [ + "AzureDaignostics", + "SecurityEvent", + "SecurityAlert", + "OracleDatabaseAuditEvent", + "Syslog", + "Anomalies" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "PCIDSSComplianceBlack01.PNG", + "PCIDSSComplianceBlack02.PNG", + "PCIDSSComplianceWhite01.PNG", + "PCIDSSComplianceWhite02.PNG" + ], + "version": "1.0.0", + "title": "PCI DSS Compliance", + "templateRelativePath": "PCIDSSCompliance.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "SonraiSecurityWorkbook", + "logoFileName": "Sonrai.svg", + 
"description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "Sonrai_Tickets_CL" + ], + "dataConnectorsDependencies": [ + "SonraiDataConnector" + ], + "previewImagesFileNames": [ + "SonraiWorkbookBlack.png", + "SonraiWorkbookWhite.png" + ], + "version": "1.0.0", + "title": "Sonrai", + "templateRelativePath": "Sonrai.json", + "subtitle": "", + "provider": "Sonrai" + }, + { + "workbookKey": "SemperisDSPWorkbook", + "logoFileName": "Semperis.svg", + "description": "Specify the time range on which to query the data", + "dataTypesDependencies": [ + "dsp_parser" + ], + "dataConnectorsDependencies": [ + "SemperisDSP" + ], + "previewImagesFileNames": [ + "SemperisDSPOverview1Black.png", + "SemperisDSPOverview1White.png", + "SemperisDSPOverview2Black.png", + "SemperisDSPOverview2White.png", + "SemperisDSPOverview3Black.png", + "SemperisDSPOverview3White.png" + ], + "version": "1.0.0", + "title": "Semperis Directory Services Protector", + "templateRelativePath": "SemperisDSPWorkbook.json", + "subtitle": "", + "provider": "Semperis" + }, + { + "workbookKey": "BoxWorkbook", + "logoFileName": "box.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "BoxEvents_CL" + ], + "dataConnectorsDependencies": [ + "BoxDataConnector" + ], + "previewImagesFileNames": [ + "BoxBlack1.png", + "BoxWhite1.png", + "BoxBlack2.png", + "BoxWhite2.png" + ], + "version": "1.0.0", + "title": "Box", + "templateRelativePath": "Box.json", + "subtitle": "", + "provider": "Box" + }, + { + "workbookKey": "SymantecEndpointProtection", + "logoFileName": "symantec_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "SymantecEndpointProtection" + ], + "dataConnectorsDependencies": [ + "SymantecEndpointProtection", + "SyslogAma" + ], + "previewImagesFileNames": [ + "SymantecEndpointProtectionBlack.png", + "SymantecEndpointProtectionWhite.png" + ], + "version": "1.0.0", + "title": "Symantec Endpoint Protection", + 
"templateRelativePath": "SymantecEndpointProtection.json", + "subtitle": "", + "provider": "Symantec" + }, + { + "workbookKey": "DynamicThreatModeling&Response", + "logoFileName": "Azure_Sentinel.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "SecurityAlert" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "DynamicThreatModeling&ResponseWhite.png", + "DynamicThreatModeling&ResponseBlack.png" + ], + "version": "1.0.0", + "title": "Dynamic Threat Modeling Response", + "templateRelativePath": "DynamicThreatModeling&Response.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "ThreatAnalysis&Response", + "logoFileName": "Azure_Sentinel.svg", + "description": "The Defenders for IoT workbook provide guided investigations for OT entities based on open incidents, alert notifications, and activities for OT assets. They also provide a hunting experience across the MITRE ATT&CK® framework for ICS, and are designed to enable analysts, security engineers, and MSSPs to gain situational awareness of OT security posture.", + "dataTypesDependencies": [ + "SecurityAlert" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "ThreatAnalysis&ResponseWhite1.png", + "ThreatAnalysis&ResponseWhite2.png", + "ThreatAnalysis&ResponseWhite3.png", + "ThreatAnalysis&ResponseWhite4.png", + "ThreatAnalysis&ResponseBlack1.png", + "ThreatAnalysis&ResponseBlack2.png", + "ThreatAnalysis&ResponseBlack3.png", + "ThreatAnalysis&ResponseBlack4.png" + ], + "version": "1.0.1", + "title": "Threat Analysis Response", + "templateRelativePath": "ThreatAnalysis&Response.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "TrendMicroCAS", + "logoFileName": "Trend_Micro_Logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "TrendMicroCAS_CL" + ], + "dataConnectorsDependencies": [ + "TrendMicroCAS" + ], + "previewImagesFileNames": [ + 
"TrendMicroCASBlack.png", + "TrendMicroCASWhite.png" + ], + "version": "1.0.0", + "title": "TrendMicroCAS", + "templateRelativePath": "TrendMicroCAS.json", + "subtitle": "", + "provider": "TrendMicro" + }, + { + "workbookKey": "GitHubSecurityWorkbook", + "logoFileName": "GitHub.svg", + "description": "Gain insights to GitHub activities that may be interesting for security.", + "dataTypesDependencies": [ + "GitHubAuditLogPolling_CL" + ], + "dataConnectorsDependencies": [ + "GitHubEcAuditLogPolling" + ], + "previewImagesFileNames": [ + "GitHubSecurityBlack.png", + "GitHubSecurityWhite.png" + ], + "version": "1.0.0", + "title": "GithubWorkbook", + "templateRelativePath": "GitHub.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "GCPDNSWorkbook", + "logoFileName": "google_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "GCPCloudDNS" + ], + "dataConnectorsDependencies": [ + "GCPDNSDataConnector" + ], + "previewImagesFileNames": [ + "GCPDNSBlack.png", + "GCPDNSWhite.png" + ], + "version": "1.0.0", + "title": "Google Cloud Platform DNS", + "templateRelativePath": "GCPDNS.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "AtlassianJiraAuditWorkbook", + "logoFileName": "atlassian.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "AtlassianJiraNativePoller_CL" + ], + "dataConnectorsDependencies": [ + "AtlassianJira" + ], + "previewImagesFileNames": [ + "AtlassianJiraAuditWhite.png", + "AtlassianJiraAuditBlack.png" + ], + "version": "1.0.0", + "title": "AtlassianJiraAudit", + "templateRelativePath": "AtlassianJiraAudit.json", + "subtitle": "", + "provider": "Atlassian" + }, + { + "workbookKey": "DigitalGuardianWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "DigitalGuardianDLPEvent" + ], + "dataConnectorsDependencies": [ + "DigitalGuardianDLP", + 
"SyslogAma" + ], + "previewImagesFileNames": [ + "DigitalGuardianBlack.png", + "DigitalGuardianWhite.png" + ], + "version": "1.0.0", + "title": "DigitalGuardianDLP", + "templateRelativePath": "DigitalGuardian.json", + "subtitle": "", + "provider": "Digital Guardian" + }, + { + "workbookKey": "CiscoDuoWorkbook", + "logoFileName": "cisco-logo-72px.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CiscoDuo_CL" + ], + "dataConnectorsDependencies": [ + "CiscoDuoSecurity" + ], + "previewImagesFileNames": [ + "CiscoDuoWhite.png", + "CiscoDuoBlack.png" + ], + "version": "1.0.0", + "title": "CiscoDuoSecurity", + "templateRelativePath": "CiscoDuo.json", + "subtitle": "", + "provider": "Cisco" + }, + { + "workbookKey": "SlackAudit", + "logoFileName": "slacklogo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "SlackAudit_CL" + ], + "dataConnectorsDependencies": [ + "SlackAuditAPI" + ], + "previewImagesFileNames": [ + "SlackAuditApplicationActivityBlack1.png", + "SlackAuditApplicationActivityWhite1.png" + ], + "version": "1.0.0", + "title": "SlackAudit", + "templateRelativePath": "SlackAudit.json", + "subtitle": "", + "provider": "Slack" + }, + { + "workbookKey": "CiscoWSAWorkbook", + "logoFileName": "cisco-logo-72px.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "Syslog" + ], + "dataConnectorsDependencies": [ + "CiscoWSA", + "SyslogAma" + ], + "previewImagesFileNames": [ + "CiscoWSAWhite.png", + "CiscoWSABlack.png" + ], + "version": "1.0.0", + "title": "CiscoWSA", + "templateRelativePath": "CiscoWSA.json", + "subtitle": "", + "provider": "Cisco" + }, + { + "workbookKey": "GCP-IAM-Workbook", + "logoFileName": "google_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "GCP_IAM_CL" + ], + "dataConnectorsDependencies": [ + "GCPIAMDataConnector" + ], + "previewImagesFileNames": [ + "GCPIAMBlack01.png", + 
"GCPIAMBlack02.png", + "GCPIAMWhite01.png", + "GCPIAMWhite02.png" + ], + "version": "1.0.0", + "title": "Google Cloud Platform IAM", + "templateRelativePath": "GCP_IAM.json", + "subtitle": "", + "provider": "Google" + }, + { + "workbookKey": "ImpervaWAFCloudWorkbook", + "logoFileName": "Imperva_DarkGrey_final_75x75.svg", + "description": "Sets the time name for analysis.", + "dataTypesDependencies": [ + "ImpervaWAFCloud_CL" + ], + "dataConnectorsDependencies": [ + "ImpervaWAFCloudAPI" + ], + "previewImagesFileNames": [ + "ImpervaWAFCloudBlack01.png", + "ImpervaWAFCloudBlack02.png", + "ImpervaWAFCloudWhite01.png", + "ImpervaWAFCloudWhite02.png" + ], + "version": "1.0.0", + "title": "Imperva WAF Cloud Overview", + "templateRelativePath": "Imperva WAF Cloud Overview.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "ZscalerZPAWorkbook", + "logoFileName": "ZscalerLogo.svg", + "description": "Select the time range for this Overview.", + "dataTypesDependencies": [ + "ZPA_CL" + ], + "dataConnectorsDependencies": [ + "ZscalerPrivateAccess", + "CustomLogsAma" + ], + "previewImagesFileNames": [ + "ZscalerZPABlack.png", + "ZscalerZPAWhite.png" + ], + "version": "1.0.0", + "title": "Zscaler Private Access (ZPA)", + "templateRelativePath": "ZscalerZPA.json", + "subtitle": "", + "provider": "Zscaler" + }, + { + "workbookKey": "GoogleWorkspaceWorkbook", + "logoFileName": "google_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "GWorkspace_ReportsAPI_admin_CL", + "GWorkspace_ReportsAPI_calendar_CL", + "GWorkspace_ReportsAPI_drive_CL", + "GWorkspace_ReportsAPI_login_CL", + "GWorkspace_ReportsAPI_login_CL", + "GWorkspace_ReportsAPI_mobile_CL" + ], + "dataConnectorsDependencies": [ + "GoogleWorkspaceReportsAPI" + ], + "previewImagesFileNames": [ + "GoogleWorkspaceBlack.png", + "GoogleWorkspaceWhite.png" + ], + "version": "1.0.0", + "title": "GoogleWorkspaceReports", + "templateRelativePath": 
"GoogleWorkspace.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "NCProtectWorkbook", + "logoFileName": "NCProtectIcon.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "NCProtectUAL_CL" + ], + "dataConnectorsDependencies": [ + "NucleusCyberNCProtect" + ], + "previewImagesFileNames": [ + "" + ], + "version": "1.0.0", + "title": "NucleusCyberProtect", + "templateRelativePath": "NucleusCyber_NCProtect_Workbook.json", + "subtitle": "", + "provider": "archTIS" + }, + { + "workbookKey": "CiscoISEWorkbook", + "logoFileName": "cisco-logo-72px.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "Syslog" + ], + "dataConnectorsDependencies": [ + "CiscoISE", + "SyslogAma" + ], + "previewImagesFileNames": [ + "CiscoISEBlack1.png", + "CiscoISEBlack2.png", + "CiscoISEWhite1.png", + "CiscoISEWhite2.png" + ], + "version": "1.0.0", + "title": "Cisco ISE", + "templateRelativePath": "CiscoISE.json", + "subtitle": "", + "provider": "Cisco" + }, + { + "workbookKey": "IoTOTThreatMonitoringwithDefenderforIoTWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "The OT Threat Monitoring with Defender for IoT Workbook features OT filtering for Security Alerts, Incidents, Vulnerabilities and Asset Inventory. The workbook features a dynamic assessment of the MITRE ATT&CK for ICS matrix across your environment to analyze and respond to OT-based threats. 
This workbook is designed to enable SecOps Analysts, Security Engineers, and MSSPs to gain situational awareness for IT/OT security posture.",
+ "dataTypesDependencies": [
+ "SecurityAlert",
+ "SecurityIncident"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "IoTOTThreatMonitoringwithDefenderforIoTBlack.png",
+ "IoTOTThreatMonitoringwithDefenderforIoTWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Microsoft Defender for IoT",
+ "templateRelativePath": "IoTOTThreatMonitoringwithDefenderforIoT.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "ZeroTrust(TIC3.0)Workbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Sets the time name for analysis",
+ "dataTypesDependencies": [
+ "SecurityRecommendation"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "ZeroTrust(TIC3.0)Black1.PNG",
+ "ZeroTrust(TIC3.0)White1.PNG"
+ ],
+ "version": "1.0.0",
+ "title": "ZeroTrust(TIC3.0)",
+ "templateRelativePath": "ZeroTrustTIC3.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "CybersecurityMaturityModelCertification(CMMC)2.0Workbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Sets the time name for analysis.",
+ "dataTypesDependencies": [
+ "InformationProtectionLogs_CL",
+ "AuditLogs",
+ "SecurityIncident",
+ "SigninLogs",
+ "AzureActivity"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "CybersecurityMaturityModelCertificationBlack.png",
+ "CybersecurityMaturityModelCertificationWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "CybersecurityMaturityModelCertification(CMMC)2.0",
+ "templateRelativePath": "CybersecurityMaturityModelCertification_CMMCV2.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "NISTSP80053Workbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Sets the time name for analysis.",
+ "dataTypesDependencies": [
+ "SigninLogs",
+ "AuditLogs",
+ "AzureActivity",
+
"OfficeActivity", + "SecurityEvents", + "CommonSecurityLog", + "SecurityIncident", + "SecurityRecommendation" + ], + "dataConnectorsDependencies": [ + "SecurityEvents" + ], + "previewImagesFileNames": [ + "NISTSP80053Black.png", + "NISTSP80053White.png" + ], + "version": "1.0.0", + "title": "NISTSP80053workbook", + "templateRelativePath": "NISTSP80053.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "DarktraceWorkbook", + "logoFileName": "Darktrace.svg", + "description": "The Darktrace Workbook visualises Model Breach and AI Analyst data received by the Darktrace Data Connector and visualises events across the network, SaaS, IaaS and Email.", + "dataTypesDependencies": [ + "darktrace_model_alerts_CL" + ], + "dataConnectorsDependencies": [ + "DarktraceRESTConnector" + ], + "previewImagesFileNames": [ + "DarktraceWorkbookBlack01.png", + "DarktraceWorkbookBlack02.png", + "DarktraceWorkbookWhite01.png", + "DarktraceWorkbookWhite02.png" + ], + "version": "1.0.1", + "title": "Darktrace", + "templateRelativePath": "DarktraceWorkbook.json", + "subtitle": "", + "provider": "Darktrace" + }, + { + "workbookKey": "RecordedFutureAlertOverviewWorkbook", + "logoFileName": "RecordedFuture.svg", + "description": "Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer.", + "dataTypesDependencies": [ + "RecordedFuturePortalAlerts_CL" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "RecordedFutureAlertOverviewWhite.png", + "RecordedFutureAlertOverviewBlack.png" + ], + "version": "1.0.1", + "title": "Recorded Future - Alerts Overview", + "templateRelativePath": "RecordedFutureAlertOverview.json", + "subtitle": "", + "provider": "Recorded Future" + }, + { + "workbookKey": "RecordedFuturePlaybookAlertOverviewWorkbook", + "logoFileName": "RecordedFuture.svg", + "description": "Recorded Future Playbook Alerts Overview Workbook. 
This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer.",
+ "dataTypesDependencies": [
+ "RecordedFuturePlaybookAlerts_CL"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "RecordedFuturePlaybookAlertOverviewWhite1.png",
+ "RecordedFuturePlaybookAlertOverviewBlack1.png"
+ ],
+ "version": "1.0.1",
+ "title": "Recorded Future - Playbook Alerts Overview",
+ "templateRelativePath": "RecordedFuturePlaybookAlertOverview.json",
+ "subtitle": "",
+ "provider": "Recorded Future"
+ },
+ {
+ "workbookKey": "RecordedFutureDomainCorrelationWorkbook",
+ "logoFileName": "RecordedFuture.svg",
+ "description": "Recorded Future Domain Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.",
+ "dataTypesDependencies": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "RecordedFutureDomainCorrelationWhite.png",
+ "RecordedFutureDomainCorrelationBlack.png"
+ ],
+ "version": "1.0.1",
+ "title": "Recorded Future - Domain Correlation",
+ "templateRelativePath": "RecordedFutureDomainCorrelation.json",
+ "subtitle": "",
+ "provider": "Recorded Future"
+ },
+ {
+ "workbookKey": "RecordedFutureHashCorrelationWorkbook",
+ "logoFileName": "RecordedFuture.svg",
+ "description": "Recorded Future Hash Correlation Workbook.
This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.", + "dataTypesDependencies": [ + "ThreatIntelligenceIndicator" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "RecordedFutureHashCorrelationWhite.png", + "RecordedFutureHashCorrelationBlack.png" + ], + "version": "1.0.1", + "title": "Recorded Future - Hash Correlation", + "templateRelativePath": "RecordedFutureHashCorrelation.json", + "subtitle": "", + "provider": "Recorded Future" + }, + { + "workbookKey": "RecordedFutureIPCorrelationWorkbook", + "logoFileName": "RecordedFuture.svg", + "description": "Recorded Future IP Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.", + "dataTypesDependencies": [ + "ThreatIntelligenceIndicator" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "RecordedFutureIPCorrelationWhite.png", + "RecordedFutureIPCorrelationBlack.png" + ], + "version": "1.0.1", + "title": "Recorded Future - IP Correlation", + "templateRelativePath": "RecordedFutureIPCorrelation.json", + "subtitle": "", + "provider": "Recorded Future" + }, + { + "workbookKey": "RecordedFutureURLCorrelationWorkbook", + "logoFileName": "RecordedFuture.svg", + "description": "Recorded Future URL Correlation Workbook. 
This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.", + "dataTypesDependencies": [ + "ThreatIntelligenceIndicator" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "RecordedFutureUrlCorrelationWhite.png", + "RecordedFutureUrlCorrelationBlack.png" + ], + "version": "1.0.1", + "title": "Recorded Future - URL Correlation", + "templateRelativePath": "RecordedFutureURLCorrelation.json", + "subtitle": "", + "provider": "Recorded Future" + }, + { + "workbookKey": "RecordedFutureThreatActorHuntingWorkbook", + "logoFileName": "RecordedFuture.svg", + "description": "Recorded Future Threat Actor Hunting Workbook. This workbook will visualize Recorded Future threat map and hunting indicators ingested in to Microsoft Sentinel.", + "dataTypesDependencies": [ + "ThreatIntelligenceIndicator" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "RecordedFutureThreatActorHuntingWhite.png", + "RecordedFutureThreatActorHuntingBlack.png" + ], + "version": "1.0.1", + "title": "Recorded Future - Threat Actor Hunting", + "templateRelativePath": "RecordedFutureThreatActorHunting.json", + "subtitle": "", + "provider": "Recorded Future" + }, + { + "workbookKey": "RecordedFutureMalwareThreatHuntingWorkbook", + "logoFileName": "RecordedFuture.svg", + "description": "Recorded Future Malware Threat Hunting Workbook. 
This workbook will visualize Recorded Future malware threat map and hunting indicators ingested in to Microsoft Sentinel.", + "dataTypesDependencies": [ + "ThreatIntelligenceIndicator" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "RecordedFutureMalwareThreatHuntingWhite.png", + "RecordedFutureMalwareThreatHuntingBlack.png" + ], + "version": "1.0.0", + "title": "Recorded Future - Malware Threat Hunting", + "templateRelativePath": "RecordedFutureMalwareThreatHunting.json", + "subtitle": "", + "provider": "Recorded Future" + }, + { + "workbookKey": "MaturityModelForEventLogManagement_M2131", + "logoFileName": "contrastsecurity_logo.svg", + "description": "Select the time range for this Overview.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "MaturityModelForEventLogManagement_M2131Black.png", + "MaturityModelForEventLogManagement_M2131White.png" + ], + "version": "1.0.0", + "title": "MaturityModelForEventLogManagementM2131", + "templateRelativePath": "MaturityModelForEventLogManagement_M2131.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "AzureSQLSecurityWorkbook", + "logoFileName": "AzureSQL.svg", + "description": "Sets the time window in days to search around the alert", + "dataTypesDependencies": [ + "AzureDiagnostics", + "SecurityAlert", + "SecurityIncident" + ], + "dataConnectorsDependencies": [ + "AzureSql" + ], + "previewImagesFileNames": [ + "" + ], + "version": "1.0.0", + "title": "Azure SQL Database Workbook", + "templateRelativePath": "Workbook-AzureSQLSecurity.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "ContinuousDiagnostics&Mitigation", + "logoFileName": "Azure_Sentinel.svg", + "description": "Select the time range for this Overview.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "ContinuousDiagnostics&MitigationBlack.png", + 
"ContinuousDiagnostics&MitigationWhite.png" + ], + "version": "1.0.0", + "title": "ContinuousDiagnostics&Mitigation", + "templateRelativePath": "ContinuousDiagnostics&Mitigation.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "AtlasianJiraAuditWorkbook", + "logoFileName": "atlassian.svg", + "description": "Select the time range for this Overview.", + "dataTypesDependencies": [ + "AtlassianJiraNativePoller_CL" + ], + "dataConnectorsDependencies": [ + "AtlassianJira" + ], + "previewImagesFileNames": [ + "AtlassianJiraAuditBlack.png", + "AtlassianJiraAuditWhite.png" + ], + "version": "1.0.0", + "title": "AtlasianJiraAuditWorkbook", + "templateRelativePath": "AtlasianJiraAuditWorkbook.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "AzureSecurityBenchmark", + "logoFileName": "Azure_Sentinel.svg", + "description": "Azure Security Benchmark v3 Workbook provides a mechanism for viewing log queries, azure resource graph, and policies aligned to ASB controls across Microsoft security offerings, Azure, Microsoft 365, 3rd Party, On-Premises, and Multi-cloud workloads. This workbook enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud workloads. 
There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective ASB requirements and practices.", + "dataTypesDependencies": [ + "SecurityRegulatoryCompliance", + "AzureDiagnostics", + "SecurityIncident", + "SigninLogs", + "SecurityAlert" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "AzureSecurityBenchmarkBlack.png", + "AzureSecurityBenchmarkWhite.png" + ], + "version": "1.0.0", + "title": "Azure Security Benchmark", + "templateRelativePath": "AzureSecurityBenchmark.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "ZNAccessOrchestratorAudit", + "logoFileName": "ZeroNetworks.svg", + "description": "This workbook provides a summary of ZeroNetworks data.", + "dataTypesDependencies": [ + "ZNAccessOrchestratorAudit_CL", + "ZNAccessOrchestratorAuditNativePoller_CL" + ], + "dataConnectorsDependencies": [ + "ZeroNetworksAccessOrchestratorAuditFunction", + "ZeroNetworksAccessOrchestratorAuditNativePoller" + ], + "previewImagesFileNames": [ + "" + ], + "version": "1.0.0", + "title": "Zero NetWork", + "templateRelativePath": "ZNSegmentAudit.json", + "subtitle": "", + "provider": "Zero Networks" + }, + { + "workbookKey": "FireworkWorkbook", + "logoFileName": "Flare.svg", + "description": "Select the time range for this Overview.", + "dataTypesDependencies": [ + "Firework_CL" + ], + "dataConnectorsDependencies": [ + "FlareSystemsFirework" + ], + "previewImagesFileNames": [ + "FireworkOverviewBlack01.png", + "FireworkOverviewBlack02.png", + "FireworkOverviewWhite01.png", + "FireworkOverviewWhite02.png" + ], + "version": "1.0.0", + "title": "FlareSystemsFirework", + "templateRelativePath": "FlareSystemsFireworkOverview.json", + "subtitle": "", + "provider": "Flare Systems" + }, + { + "workbookKey": "TaniumWorkbook", + "logoFileName": "Tanium.svg", + "description": "Visualize Tanium endpoint and module data", + "dataTypesDependencies": [ + 
"TaniumComplyCompliance_CL", + "TaniumComplyVulnerabilities_CL", + "TaniumDefenderHealth_CL", + "TaniumDiscoverUnmanagedAssets_CL", + "TaniumHighUptime_CL", + "TaniumMainAsset_CL", + "TaniumPatchListApplicability_CL", + "TaniumPatchListCompliance_CL", + "TaniumSCCMClientHealth_CL", + "TaniumThreatResponse_CL" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "TaniumComplyBlack.png", + "TaniumComplyWhite.png", + "TaniumDiscoverBlack.png", + "TaniumDiscoverWhite.png", + "TaniumMSToolingHealthBlack.png", + "TaniumMSToolingHealthWhite.png", + "TaniumPatchBlack.png", + "TaniumPatchWhite.png", + "TaniumThreatResponseAlertsBlack.png", + "TaniumThreatResponseAlertsWhite.png", + "TaniumThreatResponseBlack.png", + "TaniumThreatResponseWhite.png" + ], + "version": "1.0", + "title": "Tanium Workbook", + "templateRelativePath": "TaniumWorkbook.json", + "subtitle": "", + "provider": "Tanium" + }, + { + "workbookKey": "ActionableAlertsDashboard", + "logoFileName": "Cybersixgill.svg", + "description": "None.", + "dataTypesDependencies": [ + "CyberSixgill_Alerts_CL" + ], + "dataConnectorsDependencies": [ + "CybersixgillActionableAlerts" + ], + "previewImagesFileNames": [ + "ActionableAlertsDashboardWhite.PNG", + "ActionableAlertsDashboardBlack.PNG" + ], + "version": "1.0.0", + "title": "Cybersixgill Actionable Alerts Dashboard", + "templateRelativePath": "ActionableAlertsDashboard.json", + "subtitle": "", + "provider": "Cybersixgill" + }, + { + "workbookKey": "ActionableAlertsList", + "logoFileName": "Cybersixgill.svg", + "description": "None.", + "dataTypesDependencies": [ + "CyberSixgill_Alerts_CL" + ], + "dataConnectorsDependencies": [ + "CybersixgillActionableAlerts" + ], + "previewImagesFileNames": [ + "ActionableAlertsListBlack.PNG", + "ActionableAlertsListWhite.PNG" + ], + "version": "1.0.0", + "title": "Cybersixgill Actionable Alerts List", + "templateRelativePath": "ActionableAlertsList.json", + "subtitle": "", + "provider": "Cybersixgill" + }, + { + 
"workbookKey": "ArgosCloudSecurityWorkbook", + "logoFileName": "argos-logo.svg", + "description": "The ARGOS Cloud Security integration for Microsoft Sentinel allows you to have all your important cloud security events in one place.", + "dataTypesDependencies": [ + "ARGOS_CL" + ], + "dataConnectorsDependencies": [ + "ARGOSCloudSecurity" + ], + "previewImagesFileNames": [ + "ARGOSCloudSecurityWorkbookBlack.png", + "ARGOSCloudSecurityWorkbookWhite.png" + ], + "version": "1.0.0", + "title": "ARGOS Cloud Security", + "templateRelativePath": "ARGOSCloudSecurityWorkbook.json", + "subtitle": "", + "provider": "ARGOS Cloud Security" + }, + { + "workbookKey": "JamfProtectWorkbook", + "logoFileName": "jamf_logo.svg", + "description": "This Jamf Protect Workbook for Microsoft Sentinel enables you to ingest Jamf Protect events forwarded into Microsoft Sentinel.\n Providing reports into all alerts, device controls and Unfied Logs.", + "dataTypesDependencies": [ + "jamfprotect_CL" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "JamfProtectDashboardBlack.png", + "JamfProtectDashboardWhite.png" + ], + "version": "2.0.0", + "title": "Jamf Protect Workbook", + "templateRelativePath": "JamfProtectDashboard.json", + "subtitle": "", + "provider": "Jamf Software, LLC" + }, + { + "workbookKey": "AIVectraStream", + "logoFileName": "AIVectraDetect.svg", + "description": "", + "dataTypesDependencies": [ + "VectraStream_CL" + ], + "dataConnectorsDependencies": [ + "AIVectraStream" + ], + "previewImagesFileNames": [ + "AIVectraDetectBlack1.png", + "AIVectraDetectWhite1.png" + ], + "version": "1.0.0", + "title": "AIVectraStreamWorkbook", + "templateRelativePath": "AIVectraStreamWorkbook.json", + "subtitle": "", + "provider": "Vectra AI" + }, + { + "workbookKey": "SecurityScorecardWorkbook", + "logoFileName": "SecurityScorecard-Cybersecurity-Ratings.svg", + "description": "This Workbook provides immediate insight into the data coming from SecurityScorecard's three 
Sentinel data connectors: SecurityScorecard Cybersecurity Ratings, SecurityScorecard Cybersecurity Ratings - Factors, and SecurityScorecard Cybersecurity Ratings - Issues.", + "dataTypesDependencies": [ + "SecurityScorecardFactor_CL", + "SecurityScorecardIssues_CL", + "SecurityScorecardRatings_CL" + ], + "dataConnectorsDependencies": [ + "SecurityScorecardFactorAzureFunctions", + "SecurityScorecardIssueAzureFunctions", + "SecurityScorecardRatingsAzureFunctions" + ], + "previewImagesFileNames": [ + "SecurityScorecardBlack1.png", + "SecurityScorecardBlack2.png", + "SecurityScorecardBlack3.png", + "SecurityScorecardBlack4.png", + "SecurityScorecardBlack5.png", + "SecurityScorecardBlack6.png", + "SecurityScorecardWhite1.png", + "SecurityScorecardWhite2.png", + "SecurityScorecardWhite3.png", + "SecurityScorecardWhite4.png", + "SecurityScorecardWhite5.png", + "SecurityScorecardWhite6.png" + ], + "version": "1.0.0", + "title": "SecurityScorecard", + "templateRelativePath": "SecurityScorecardWorkbook.json", + "subtitle": "", + "provider": "SecurityScorecard" + }, + { + "workbookKey": "DigitalShadowsWorkbook", + "logoFileName": "DigitalShadowsLogo.svg", + "description": "For gaining insights into Digital Shadows logs.", + "dataTypesDependencies": [ + "DigitalShadows_CL" + ], + "dataConnectorsDependencies": [ + "DigitalShadowsSearchlightAzureFunctions" + ], + "previewImagesFileNames": [ + "DigitalShadowsBlack1.png", + "DigitalShadowsBlack2.png", + "DigitalShadowsBlack3.png", + "DigitalShadowsWhite1.png", + "DigitalShadowsWhite2.png", + "DigitalShadowsWhite3.png" + ], + "version": "1.0.0", + "title": "Digital Shadows", + "templateRelativePath": "DigitalShadows.json", + "subtitle": "", + "provider": "Digital Shadows" + }, + { + "workbookKey": "SalesforceServiceCloudWorkbook", + "logoFileName": "salesforce_logo.svg", + "description": "Sets the time name for analysis.", + "dataTypesDependencies": [ + "SalesforceServiceCloud" + ], + "dataConnectorsDependencies": [ + 
"SalesforceServiceCloud_CL" + ], + "previewImagesFileNames": [ + "" + ], + "version": "1.0.0", + "title": "Salesforce Service Cloud", + "templateRelativePath": "SalesforceServiceCloud.json", + "subtitle": "", + "provider": "Salesforce" + }, + { + "workbookKey": "NetworkSessionSolution", + "logoFileName": "Azure_Sentinel.svg", + "description": "This workbook is included as part of Network Session Essentials solution and gives a summary of analyzed traffic, helps with threat analysis and investigating suspicious IP's and traffic analysis. Network Session Essentials Solution also includes playbooks to periodically summarize the logs thus enhancing user experience and improving data search. For the effective usage of workbook, we highly recommend to enable the summarization playbooks that are provided with this solution.", + "dataTypesDependencies": [ + "AWSVPCFlow", + "DeviceNetworkEvents", + "SecurityEvent", + "WindowsEvent", + "CommonSecurityLog", + "Syslog", + "CommonSecurityLog", + "VMConnection", + "AzureDiagnostics", + "AzureDiagnostics", + "CommonSecurityLog", + "Corelight_CL", + "VectraStream", + "CommonSecurityLog", + "CommonSecurityLog", + "Syslog", + "CiscoMerakiNativePoller" + ], + "dataConnectorsDependencies": [ + "AWSS3", + "MicrosoftThreatProtection", + "SecurityEvents", + "WindowsForwardedEvents", + "Zscaler", + "MicrosoftSysmonForLinux", + "PaloAltoNetworks", + "AzureMonitor(VMInsights)", + "AzureFirewall", + "AzureNSG", + "CiscoASA", + "Corelight", + "AIVectraStream", + "CheckPoint", + "Fortinet", + "CiscoMeraki", + "CefAma" + ], + "previewImagesFileNames": [ + "" + ], + "version": "1.0.0", + "title": "Network Session Essentials", + "templateRelativePath": "NetworkSessionEssentials.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "SAPSODAnalysis", + "logoFileName": "SAPVMIcon.svg", + "description": "SAP SOD Analysis", + "dataTypesDependencies": [ + "SAPAuditLog" + ], + "dataConnectorsDependencies": [ + "SAP" + ], + 
"previewImagesFileNames": [ + "" + ], + "version": "2.0.0", + "title": "SAP SOD Analysis", + "templateRelativePath": "SAP - Segregation of Duties v2.0 (by Aliter Consulting).json", + "subtitle": "", + "provider": "Aliter Consulting" + }, + { + "workbookKey": "TheomWorkbook", + "logoFileName": "theom-logo.svg", + "description": "Theom Alert Statistics", + "dataTypesDependencies": [ + "TheomAlerts_CL" + ], + "dataConnectorsDependencies": [ + "Theom" + ], + "previewImagesFileNames": [ + "TheomWorkbook-black.png", + "TheomWorkbook-white.png" + ], + "version": "1.0.0", + "title": "Theom", + "templateRelativePath": "Theom.json", + "subtitle": "", + "provider": "Theom" + }, + { + "workbookKey": "DynatraceWorkbooks", + "logoFileName": "dynatrace.svg", + "description": "This workbook brings together queries and visualizations to assist you in identifying potential threats surfaced by Dynatrace.", + "dataTypesDependencies": [ + "DynatraceAttacks", + "DynatraceAuditLogs", + "DynatraceProblems", + "DynatraceRuntimeVulnerabilities" + ], + "dataConnectorsDependencies": [ + "DynatraceAttacks", + "DynatraceAuditLogs", + "DynatraceProblems", + "DynatraceRuntimeVulnerabilities" + ], + "previewImagesFileNames": [ + "DynatraceWorkbookBlack.png", + "DynatraceWorkbookWhite.png" + ], + "version": "3.0.1", + "title": "Dynatrace", + "templateRelativePath": "Dynatrace.json", + "subtitle": "", + "provider": "Dynatrace" + }, + { + "workbookKey": "MDOWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Gain extensive insight into your organization's Microsoft Defender for Office Activity by analyzing, and correlating events.\nYou can track malware and phishing detection over time.", + "dataTypesDependencies": [ + "SecurityAlert" + ], + "dataConnectorsDependencies": [ + "MicrosoftThreatProtection" + ], + "previewImagesFileNames": [ + "MDOBlack1.png", + "MDOBlack2.png", + "MDOWhite1.png", + "MDOWhite2.png" + ], + "version": "1.0.0", + "title": "Microsoft Defender XDR 
MDOWorkbook", + "templateRelativePath": "MDO Insights.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "AnomaliesVisualizationWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "A workbook that provides contextual information to a user for better insight on Anomalies and their impact. The workbook will help with investigation of anomalies as well as identify patterns that can lead to a threat.", + "dataTypesDependencies": [ + "Anomalies" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "AnomaliesVisualizationWorkbookWhite.png", + "AnomaliesVisualizationWorkbookBlack.png" + ], + "version": "1.0.0", + "title": "AnomaliesVisulization", + "templateRelativePath": "AnomaliesVisualization.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community" + }, + { + "workbookKey": "AnomalyDataWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "A workbook providing details, related Incident, and related Hunting Workbook for a specific Anomaly.", + "dataTypesDependencies": [ + "Anomalies" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "AnomalyDataWorkbookWhite.png", + "AnomalyDataWorkbookBlack.png" + ], + "version": "1.0.0", + "title": "AnomalyData", + "templateRelativePath": "AnomalyData.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community" + }, + { + "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC-Online", + "logoFileName": "Azure_Sentinel.svg", + "description": "This Workbook, dedicated to Exchange Online environments is built to have a simple view of non-standard RBAC delegations on an Exchange Online tenant. 
This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment.", "dataTypesDependencies": [ - "Cisco_Umbrella_dns_CL", - "Cisco_Umbrella_proxy_CL", - "Cisco_Umbrella_ip_CL", - "Cisco_Umbrella_cloudfirewall_CL" + "ESIExchangeOnlineConfig_CL" ], "dataConnectorsDependencies": [ - "CiscoUmbrellaDataConnector" - ], - "previewImagesFileNames": [ - "CiscoUmbrellaDNSBlack1.png", - "CiscoUmbrellaDNSBlack2.png", - "CiscoUmbrellaDNSWhite1.png", - "CiscoUmbrellaDNSWhite2.png", - "CiscoUmbrellaFirewallBlack.png", - "CiscoUmbrellaFirewallWhite.png", - "CiscoUmbrellaMainBlack1.png", - "CiscoUmbrellaMainBlack2.png", - "CiscoUmbrellaMainWhite1.png", - "CiscoUmbrellaMainWhite2.png", - "CiscoUmbrellaProxyBlack1.png", - "CiscoUmbrellaProxyBlack2.png", - "CiscoUmbrellaProxyWhite1.png", - "CiscoUmbrellaProxyWhite2.png" + "ESI-ExchangeOnlineCollector" ], - "version": "1.0.0", - "title": "Cisco Umbrella", - "templateRelativePath": "CiscoUmbrella.json", - "subtitle": "", - "provider": "Cisco" - }, - { - "workbookKey": "AnalyticsEfficiencyWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Gain insights into the efficacy of your analytics rules. 
In this workbook you can analyze and monitor the analytics rules found in your workspace to achieve better performance by your SOC.", - "dataTypesDependencies": [ - "SecurityAlert", - "SecurityIncident" - ], - "dataConnectorsDependencies": [], "previewImagesFileNames": [ - "AnalyticsEfficiencyBlack.png", - "AnalyticsEfficiencyWhite.png" + "MicrosoftExchangeLeastPrivilegewithRBAC-OnlineBlack.png", + "MicrosoftExchangeLeastPrivilegewithRBAC-OnlineWhite.png" ], - "version": "1.2.0", - "title": "Analytics Efficiency", - "templateRelativePath": "AnalyticsEfficiency.json", + "version": "1.1.0", + "title": "Microsoft Exchange Least Privilege with RBAC - Online", + "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC - Online.json", "subtitle": "", "provider": "Microsoft" }, { - "workbookKey": "WorkspaceUsage", + "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC", "logoFileName": "Azure_Sentinel.svg", - "description": "Gain insights into your workspace's usage. In this workbook, you can view your workspace's data consumption, latency, recommended tasks and Cost and Usage statistics.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "WorkspaceUsageBlack.png", - "WorkspaceUsageWhite.png" - ], - "version": "1.6.0", - "title": "Workspace Usage Report", - "templateRelativePath": "WorkspaceUsage.json", - "subtitle": "", - "provider": "Microsoft Sentinel community", - "support": { - "tier": "Community" - }, - "author": { - "name": "Clive Watson" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "IT Operations" - ] - } - }, - { - "workbookKey": "SentinelCentral", - "logoFileName": "Azure_Sentinel.svg", - "description": "Use this report to view Incident (and Alert data) across many workspaces, this works with Azure Lighthouse and across any subscription you have access to.", - "dataTypesDependencies": [ - "SecurityIncident" - ], - "dataConnectorsDependencies": [], - 
"previewImagesFileNames": [ - "SentinelCentralBlack.png", - "SentinelCentralWhite.png" - ], - "version": "2.1.1", - "title": "Microsoft Sentinel Central", - "templateRelativePath": "SentinelCentral.json", - "subtitle": "", - "provider": "Microsoft Sentinel community" - }, - { - "workbookKey": "CognniIncidentsWorkbook", - "logoFileName": "cognni-logo.svg", - "description": "Gain intelligent insights into the risks to your important financial, legal, HR, and governance information. This workbook lets you monitor your at-risk information to determine when and why incidents occurred, as well as who was involved. These incidents are broken into high, medium, and low risk incidents for each information category.", - "dataTypesDependencies": [ - "CognniIncidents_CL" - ], - "dataConnectorsDependencies": [ - "CognniSentinelDataConnector" - ], - "previewImagesFileNames": [ - "CognniBlack.PNG", - "CognniWhite.PNG" - ], - "version": "1.0.0", - "title": "Cognni Important Information Incidents", - "templateRelativePath": "CognniIncidentsWorkbook.json", - "subtitle": "", - "provider": "Cognni" - }, - { - "workbookKey": "pfsense", - "logoFileName": "pfsense_logo.svg", - "description": "Gain insights into pfsense logs from both filterlog and nginx.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "pfsenseBlack.png", - "pfsenseWhite.png" - ], - "version": "1.0.0", - "title": "pfsense", - "templateRelativePath": "pfsense.json", - "subtitle": "", - "provider": "Microsoft Sentinel community", - "support": { - "tier": "Community" - }, - "author": { - "name": "dicolanl" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "Security - Network" - ] - } - }, - { - "workbookKey": "ExchangeCompromiseHunting", - "logoFileName": "MSTIC-Logo.svg", - "description": "This workbook is intended to help defenders in responding to the Exchange Server vulnerabilities disclosed in March 2021, as well 
as hunting for potential compromise activity. More details on these vulnearbilities can be found at: https://aka.ms/exchangevulns", + "description": "This Workbook, dedicated to On-Premises environments is built to have a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment. Required Data Connector: Exchange Security Insights On-Premises Collector.", "dataTypesDependencies": [ - "SecurityEvent", - "W3CIISLog" + "ESIExchangeConfig_CL" ], "dataConnectorsDependencies": [ - "SecurityEvents", - "AzureMonitor(IIS)", - "WindowsSecurityEvents" - ], - "previewImagesFileNames": [ - "ExchangeBlack.png", - "ExchangeWhite.png" + "ESI-ExchangeOnPremisesCollector", + "ESI-ExchangeAdminAuditLogEvents" ], - "version": "1.0.0", - "title": "Exchange Compromise Hunting", - "templateRelativePath": "ExchangeCompromiseHunting.json", - "subtitle": "", - "provider": "Microsoft", - "support": { - "tier": "Community" - }, - "author": { - "name": "Pete Bryan" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "Security - Threat Protection" - ] - } - }, - { - "workbookKey": "SOCProcessFramework", - "logoFileName": "Azure_Sentinel.svg", - "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. 
It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "SOCProcessFrameworkCoverImage1White.png", - "SOCProcessFrameworkCoverImage1Black.png", - "SOCProcessFrameworkCoverImage2White.png", - "SOCProcessFrameworkCoverImage2Black.png" - ], - "version": "1.1.0", - "title": "SOC Process Framework", - "templateRelativePath": "SOCProcessFramework.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community" - }, - { - "workbookKey": "Building_a_SOCLargeStaffWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "SOCProcessFrameworkCoverImage1White.png", - "SOCProcessFrameworkCoverImage1Black.png", - "SOCProcessFrameworkCoverImage2White.png", - "SOCProcessFrameworkCoverImage2Black.png" - ], - "version": "1.1.0", - "title": "SOC Large Staff", - "templateRelativePath": "Building_a_SOCLargeStaff.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community" -}, -{ - "workbookKey": "Building_a_SOCMediumStaffWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. 
It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "SOCProcessFrameworkCoverImage1White.png", - "SOCProcessFrameworkCoverImage1Black.png", - "SOCProcessFrameworkCoverImage2White.png", - "SOCProcessFrameworkCoverImage2Black.png" - ], - "version": "1.1.0", - "title": "SOC Medium Staff", - "templateRelativePath": "Building_a_SOCMediumStaff.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community" -}, -{ - "workbookKey": "Building_a_SOCPartTimeStaffWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "SOCProcessFrameworkCoverImage1White.png", - "SOCProcessFrameworkCoverImage1Black.png", - "SOCProcessFrameworkCoverImage2White.png", - "SOCProcessFrameworkCoverImage2Black.png" - ], - "version": "1.1.0", - "title": "SOC Part Time Staff", - "templateRelativePath": "Building_a_SOCPartTimeStaff.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community" -}, -{ - "workbookKey": "Building_a_SOCSmallStaffWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. 
It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "SOCProcessFrameworkCoverImage1White.png", - "SOCProcessFrameworkCoverImage1Black.png", - "SOCProcessFrameworkCoverImage2White.png", - "SOCProcessFrameworkCoverImage2Black.png" - ], - "version": "1.1.0", - "title": "SOC Small Staff", - "templateRelativePath": "Building_a_SOCSmallStaff.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community" -}, -{ - "workbookKey": "SOCIRPlanningWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], "previewImagesFileNames": [ - "SOCProcessFrameworkCoverImage1White.png", - "SOCProcessFrameworkCoverImage1Black.png", - "SOCProcessFrameworkCoverImage2White.png", - "SOCProcessFrameworkCoverImage2Black.png" + "MicrosoftExchangeLeastPrivilegewithRBACBlack.png", + "MicrosoftExchangeLeastPrivilegewithRBACWhite.png" ], - "version": "1.1.0", - "title": "SOC IR Planning", - "templateRelativePath": "SOCIRPlanning.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community" -}, -{ - "workbookKey": "UpdateSOCMaturityScoreWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. 
It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "SOCProcessFrameworkCoverImage1White.png", - "SOCProcessFrameworkCoverImage1Black.png", - "SOCProcessFrameworkCoverImage2White.png", - "SOCProcessFrameworkCoverImage2Black.png" - ], - "version": "1.1.0", - "title": "Update SOC Maturity Score", - "templateRelativePath": "UpdateSOCMaturityScore.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community" -}, - { - "workbookKey": "Microsoft365SecurityPosture", - "logoFileName": "M365securityposturelogo.svg", - "description": "This workbook presents security posture data collected from Azure Security Center, M365 Defender, Defender for Endpoint, and Microsoft Cloud App Security. This workbook relies on the M365 Security Posture Playbook in order to bring the data in.", - "dataTypesDependencies": [ - "M365SecureScore_CL", - "MDfESecureScore_CL", - "MDfEExposureScore_CL", - "MDfERecommendations_CL", - "MDfEVulnerabilitiesList_CL", - "McasShadowItReporting" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "M365securitypostureblack.png", - "M365securityposturewhite.png" - ], - "version": "1.0.0", - "title": "Microsoft 365 Security Posture", - "templateRelativePath": "M365SecurityPosture.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community", - "support": { - "tier": "Community" - }, - "author": { - "name": "Matt Lowe" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "Security - Others" - ] - } - }, - { - "workbookKey": "AzureSentinelCost", - "logoFileName": "Azure_Sentinel.svg", - "description": "This workbook provides an estimated cost across the main billed items in Microsoft Sentinel: ingestion, retention and automation. 
It also provides insight about the possible impact of the Microsoft 365 E5 offer.", - "dataTypesDependencies": [ - "Usage" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "AzureSentinelCostWhite.png", - "AzureSentinelCostBlack.png" - ], - "version": "1.5.1", - "title": "Microsoft Sentinel Cost", - "templateRelativePath": "AzureSentinelCost.json", + "version": "1.0.1", + "title": "Microsoft Exchange Least Privilege with RBAC", + "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC.json", "subtitle": "", - "provider": "Microsoft Sentinel Community" + "provider": "Microsoft" }, { - "workbookKey": "ADXvsLA", + "workbookKey": "MicrosoftExchangeSearchAdminAuditLog", "logoFileName": "Azure_Sentinel.svg", - "description": "This workbook shows the tables from Microsoft Sentinel which are backed up in ADX. It also provides a comparison between the entries in the Microsoft Sentinel tables and the ADX tables. Lastly some general information about the queries and ingestion on ADX is shown.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "ADXvsLABlack.PNG", - "ADXvsLAWhite.PNG" - ], - "version": "1.0.0", - "title": "ADXvsLA", - "templateRelativePath": "ADXvsLA.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community", - "support": { - "tier": "Community" - }, - "author": { - "name": "Naomi" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "Platform" - ] - } - }, - { - "workbookKey": "MicrosoftDefenderForOffice365", - "logoFileName": "office365_logo.svg", - "description": "Gain insights into your Microsoft Defender for Office 365 raw data logs. This workbook lets you look at trends in email senders, attachments and embedded URL data to find anomalies. 
You can also search by, sender, recipient, subject, attachment or embedded URL to find where the related messages have been sent.",
- "dataTypesDependencies": [
- "EmailEvents",
- "EmailUrlInfo",
- "EmailAttachmentInfo"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "MDOWhite1.png",
- "MDOBlack1.png",
- "MDOWhite2.png",
- "MDOBlack2.png"
- ],
- "version": "1.0.0",
- "title": "Microsoft Defender For Office 365",
- "templateRelativePath": "MicrosoftDefenderForOffice365.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community",
- "support": {
- "tier": "Community"
- },
- "author": {
- "name": "Brian Delaney"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [ "Security - Others" ]
- }
- },
- {
- "workbookKey": "ProofPointThreatDashboard",
- "logoFileName": "proofpointlogo.svg",
- "description": "Provides an overview of email threat activity based on log data provided by ProofPoint",
+ "description": "This workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. 
Required Data Connector: Exchange Audit Event logs via Legacy Agent.",
  "dataTypesDependencies": [
- "ProofpointPOD_message_CL",
- "ProofpointPOD_maillog_CL",
- "ProofPointTAPClicksBlocked_CL",
- "ProofPointTAPClicksPermitted_CL",
- "ProofPointTAPMessagesBlocked_CL",
- "ProofPointTAPMessagesDelivered_CL"
+ "ESIExchangeConfig_CL"
  ],
  "dataConnectorsDependencies": [
- "ProofpointTAP",
- "ProofpointPOD"
- ],
- "previewImagesFileNames": [
- "ProofPointThreatDashboardBlack1.png",
- "ProofPointThreatDashboardWhite1.png"
+ "ESI-ExchangeOnPremisesCollector",
+ "ESI-ExchangeAdminAuditLogEvents"
  ],
- "version": "1.0.0",
- "title": "ProofPoint Threat Dashboard",
- "templateRelativePath": "ProofPointThreatDashboard.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community",
- "support": {
- "tier": "Community"
- },
- "author": {
- "name": "reprise99"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [
- "Security - Others"
- ]
- }
- },
- {
- "workbookKey": "AMAmigrationTracker",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "See what Azure and Azure Arc servers have Log Analytics agent or Azure Monitor agent installed. 
Review what DCR (data collection rules) apply to your machines and whether you are collecting logs from those machines into your selected workspaces.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
  "previewImagesFileNames": [
- "AMAtrackingWhite1.png",
- "AMAtrackingWhite2.png",
- "AMAtrackingWhite3.png",
- "AMAtrackingWhite4.png",
- "AMAtrackingBlack1.png",
- "AMAtrackingBlack2.png",
- "AMAtrackingBlack3.png",
- "AMAtrackingBlack4.png"
+ "MicrosoftExchangeSearchAdminAuditLogBlack.png",
+ "MicrosoftExchangeSearchAdminAuditLogWhite.png"
  ],
- "version": "1.1.0",
- "title": "AMA migration tracker",
- "templateRelativePath": "AMAmigrationTracker.json",
+ "version": "1.0.1",
+ "title": "Microsoft Exchange Search AdminAuditLog",
+ "templateRelativePath": "Microsoft Exchange Search AdminAuditLog.json",
  "subtitle": "",
- "provider": "Microsoft Sentinel Community",
- "support": {
- "tier": "Community"
- },
- "author": {
- "name": "mariavaladas"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [
- "Platform",
- "Migration"
- ]
- }
+ "provider": "Microsoft"
  },
  {
- "workbookKey": "AdvancedKQL",
+ "workbookKey": "MicrosoftExchangeSearchAdminAuditLog-Online",
  "logoFileName": "Azure_Sentinel.svg",
- "description": "This interactive Workbook is designed to improve your KQL proficiency by using a use-case driven approach.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "AdvancedKQLWhite.png",
- "AdvancedKQLBlack.png"
- ],
- "version": "1.3.0",
- "title": "Advanced KQL for Microsoft Sentinel",
- "templateRelativePath": "AdvancedKQL.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "DSTIMWorkbook",
- "logoFileName": "DSTIM.svg",
- "description": "Identify sensitive data blast radius (i.e., who accessed sensitive data, what kinds of sensitive data, from where and when) in a given data security incident investigation or as part of Threat 
Hunting. Prioritize your investigation based on insights provided with integrations with Watchlists(VIPUsers, TerminatedEmployees and HighValueAssets), Threat Intelligence feed, UEBA baselines and much more.",
+ "description": "This workbook is dedicated to Online Exchange organizations. It uses the Office Activity logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Microsoft 365 (Exchange).",
  "dataTypesDependencies": [
- "DSMAzureBlobStorageLogs",
- "DSMDataClassificationLogs",
- "DSMDataLabelingLogs",
- "Anomalies",
- "ThreatIntelligenceIndicator",
- "AADManagedIdentitySignInLogs",
- "SecurityAlert",
- "SigninLogs"
+ "OfficeActivity"
  ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "DSTIMWorkbookBlack.png",
- "DSTIMWorkbookWhite.png"
+ "dataConnectorsDependencies": [
+ "Office365"
  ],
- "version": "1.9.0",
- "title": "Data Security - Sensitive Data Impact Assessment",
- "templateRelativePath": "DSTIMWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft",
- "featureFlag": "DSTIMWorkbook",
- "support": {
- "tier": "Community"
- },
- "author": {
- "name": "avital-m"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [
- "Security - Others"
- ]
- }
- },
- {
- "workbookKey": "IntrotoKQLWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Learn and practice the Kusto Query Language. This workbook introduces and provides 100 to 200 level content for new and existing users looking to learn KQL. 
This workbook will be updated with content over time.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
  "previewImagesFileNames": [
- "IntrotoKQL-black.png",
- "IntrotoKQL-white.png"
+ "MicrosoftExchangeOnlineSearchAdminAuditLogBlack.png",
+ "MicrosoftExchangeOnlineSearchAdminAuditLogWhite.png"
  ],
  "version": "1.0.0",
- "title": "Intro to KQL",
- "templateRelativePath": "IntrotoKQL.json",
+ "title": "Microsoft Exchange Search AdminAuditLog - Online",
+ "templateRelativePath": "Microsoft Exchange Search AdminAuditLog - Online.json",
  "subtitle": "",
- "provider": "Microsoft Sentinel Community"
+ "provider": "Microsoft"
  },
  {
- "workbookKey": "Log4jPostCompromiseHuntingWorkbook",
- "logoFileName": "Log4j.svg",
- "description": "This hunting workbook is intended to help identify activity related to the Log4j compromise discovered in December 2021.",
- "dataTypesDependencies": [
- "SecurityNestedRecommendation",
- "AzureDiagnostics",
- "OfficeActivity",
- "W3CIISLog",
- "AWSCloudTrail",
- "SigninLogs",
- "AADNonInteractiveUserSignInLogs",
- "imWebSessions",
- "imNetworkSession"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "Log4jPostCompromiseHuntingBlack.png",
- "Log4jPostCompromiseHuntingWhite.png"
- ],
- "version": "1.0.0",
- "title": "Log4j Post Compromise Hunting",
- "templateRelativePath": "Log4jPostCompromiseHunting.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
-{
- "workbookKey": "Log4jImpactAssessmentWorkbook",
- "logoFileName": "Log4j.svg",
- "description": "This hunting workbook is intended to help identify activity related to the Log4j compromise discovered in December 2021.",
- "dataTypesDependencies": [
- "SecurityIncident",
- "SecurityAlert",
- "AzureSecurityCenter",
- "MDfESecureScore_CL",
- "MDfEExposureScore_CL",
- "MDfERecommendations_CL",
- "MDfEVulnerabilitiesList_CL"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "Log4jPostCompromiseHuntingBlack.png", 
- "Log4jPostCompromiseHuntingWhite.png"
- ],
- "version": "1.0.0",
- "title": "Log4j Impact Assessment",
- "templateRelativePath": "Log4jImpactAssessment.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
-},
- {
- "workbookKey": "UserMap",
+ "workbookKey": "MicrosoftExchangeSecurityMonitoring",
  "logoFileName": "Azure_Sentinel.svg",
- "description": "This Workbook shows MaliciousIP, User SigninLog Data (this shows user Signin Locations and distance between as well as order visited) and WAF information.",
+ "description": "This Workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs and Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook allows also to list Exchange Services changes, local account activities and local logon on Exchange Servers. Required Data Connector: Exchange Audit Event logs via Legacy Agent.",
  "dataTypesDependencies": [
- "SigninLogs",
- "AzureDiagnostics",
- "WireData",
- "VMconnection",
- "CommonSecurityLog",
- "WindowsFirewall",
- "W3CIISLog",
- "DnsEvents"
+ "ESIExchangeConfig_CL"
  ],
  "dataConnectorsDependencies": [
- "AzureActiveDirectory"
+ "ESI-ExchangeOnPremisesCollector",
+ "ESI-ExchangeAdminAuditLogEvents"
  ],
  "previewImagesFileNames": [
- "UserMapBlack.png",
- "UserMapWhite.png"
+ "MicrosoftExchangeSecurityMonitoringBlack.png",
+ "MicrosoftExchangeSecurityMonitoringWhite.png"
  ],
  "version": "1.0.1",
- "title": "User Map information",
- "templateRelativePath": "UserMap.json",
+ "title": "Microsoft Exchange Admin Activity",
+ "templateRelativePath": "Microsoft Exchange Admin Activity.json",
  "subtitle": "",
- "provider": "Microsoft Sentinel Community",
- "support": {
- "tier": "Community"
- },
- "author": {
- "name": "Clive Watson"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [
- "Security - Threat Protection"
- ]
- }
+ 
"provider": "Microsoft"
  },
  {
- "workbookKey": "AWSS3",
- "logoFileName": "amazon_web_services_Logo.svg",
- "description": "This workbook shows quick summary of AWS S3 data (AWSCloudTrail, AWSGuardDuty, AWSVPCFlow). To visulaize the data, make sure you configure AWS S3 connector and data geting ingested into Sentinel",
+ "workbookKey": "MicrosoftExchangeAdminActivity-Online",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This Workbook is dedicated to Online Exchange organizations. It uses Office Activity logs. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. Required Data Connector: Microsoft 365 (Exchange).",
  "dataTypesDependencies": [
- "AWSCloudTrail",
- "AWSGuardDuty",
- "AWSVPCFlow"
+ "OfficeActivity"
  ],
  "dataConnectorsDependencies": [
- "AWSS3"
+ "Office365"
  ],
  "previewImagesFileNames": [
- "AWSS3Black.png",
- "AWSS3White.png",
- "AWSS3White1.png"
+ "MicrosoftExchangeAdminActivity-OnlineBlack.png",
+ "MicrosoftExchangeAdminActivity-OnlineWhite.png"
  ],
- "version": "1.0.0",
- "title": "AWS S3 Workbook",
- "templateRelativePath": "AWSS3.json",
+ "version": "1.0.1",
+ "title": "Microsoft Exchange Admin Activity - Online",
+ "templateRelativePath": "Microsoft Exchange Admin Activity - Online.json",
  "subtitle": "",
- "provider": "Microsoft Sentinel Community",
- "support": {
- "tier": "Community"
- },
- "author": {
- "name": "Clive Watson"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [
- "Security - Cloud Security"
- ]
- }
+ "provider": "Microsoft"
  },
  {
- "workbookKey": "LogSourcesAndAnalyticRulesCoverageWorkbook",
+ "workbookKey": "MicrosoftExchangeSecurityReview-Online",
  "logoFileName": "Azure_Sentinel.svg",
- "description": "This workbook is intended to show how the different tables in a Log Analytics workspace are being used by the different Microsoft Sentinel features, like analytics, hunting queries, playbooks and queries in general.",
- "dataTypesDependencies": [],
- 
"dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "LogSourcesAndAnalyticRulesCoverageBlack.png",
- "LogSourcesAndAnalyticRulesCoverageWhite.png"
- ],
- "version": "1.1.0",
- "title": "Log Sources & Analytic Rules Coverage",
- "templateRelativePath": "LogSourcesAndAnalyticRulesCoverage.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community",
- "support": {
- "tier": "Community"
- },
- "author": {
- "name": "Eli Forbes"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [
- "Security - Others"
- ]
- }
- },
- {
- "workbookKey": "CiscoFirepower",
- "logoFileName": "cisco-logo-72px.svg",
- "description": "Gain insights into your Cisco Firepower firewalls. This workbook analyzes Cisco Firepower device logs.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "CiscoFirepowerBlack.png",
- "CiscoFirepowerWhite.png"
- ],
- "version": "1.0.0",
- "title": "Cisco Firepower",
- "templateRelativePath": "CiscoFirepower.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community",
- "support": {
- "tier": "Community"
- },
- "author": {
- "name": "Samik Roy"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [
- "Security - Network"
- ]
- }
- },
- {
- "workbookKey": "MicrorosftTeams",
- "logoFileName": "microsoftteams.svg",
- "description": "This workbook is intended to identify the activities on Microrsoft Teams.",
+ "description": "This Workbook is dedicated to Exchange Online tenants. 
It displays and highlights current Security configuration on various Exchange components specific to Online including delegations, the transport configuration and the linked security risks, and risky protocols.",
  "dataTypesDependencies": [
- "OfficeActivity"
+ "ESIExchangeOnlineConfig_CL"
  ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "MicrosoftTeamsBlack.png",
- "MicrosoftTeamsWhite.png"
+ "dataConnectorsDependencies": [
+ "ESI-ExchangeOnlineCollector"
  ],
- "version": "1.0.0",
- "title": "Microsoft Teams",
- "templateRelativePath": "MicrosoftTeams.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "ArchivingBasicLogsRetention",
- "logoFileName": "ArchivingBasicLogsRetention.svg",
- "description": "This workbooks shows workspace and table retention periods, basic logs, and search & restore tables. It also allows you to update table retention periods, plans, and delete search or restore tables.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
  "previewImagesFileNames": [
- "ArchivingBasicLogsRetentionBlack1.png",
- "ArchivingBasicLogsRetentionWhite1.png"
+ "MicrosoftExchangeSecurityReview-OnlineBlack.png",
+ "MicrosoftExchangeSecurityReview-OnlineWhite.png"
  ],
  "version": "1.1.0",
- "title": "Archiving, Basic Logs, and Retention",
- "templateRelativePath": "ArchivingBasicLogsRetention.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community",
- "support": {
- "tier": "Community"
- },
- "author": {
- "name": "seanstark-ms"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [
- "Platform",
- "IT Operations"
- ]
- }
- },
-{
- "workbookKey": "OktaSingleSignOnWorkbook",
- "logoFileName": "okta_logo.svg",
- "description": "Gain extensive insight into Okta Single Sign-On (SSO) by analyzing, collecting and correlating Audit and Event events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked.", 
- "dataTypesDependencies": [
- "Okta_CL",
- "OktaSSO"
- ],
- "dataConnectorsDependencies": [
- "OktaSSO",
- "OktaSSOv2"
- ],
- "previewImagesFileNames": [
- "OktaSingleSignOnWhite.png",
- "OktaSingleSignOnBlack.png"
- ],
- "version": "1.2",
- "title": "Okta Single Sign-On",
- "templateRelativePath": "OktaSingleSignOn.json",
- "subtitle": "",
- "provider": "Okta"
-},
-{
- "workbookKey": "CiscoMerakiWorkbook",
- "logoFileName": "cisco-logo-72px.svg",
- "description": "Gain insights into the Events from Cisco Meraki Solution and analyzing all the different types of Security Events. This workbook also helps in identifying the Events from affected devices, IPs and the nodes where malware was successfully detected.\nIP data received in Events is correlated with Threat Intelligence to identify if the reported IP address is known bad based on threat intelligence data.",
- "dataTypesDependencies": [
- "meraki_CL",
- "CiscoMerakiNativePoller",
- "ThreatIntelligenceIndicator"
- ],
- "dataConnectorsDependencies": [
- "CiscoMeraki",
- "CiscoMerakiNativePolling",
- "ThreatIntelligence"
- ],
- "previewImagesFileNames": [
- "CiscoMerakiWorkbookWhite.png",
- "CiscoMerakiWorkbookBlack.png"
- ],
- "version": "1.0.0",
- "title": "CiscoMerakiWorkbook",
- "templateRelativePath": "CiscoMerakiWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "SentinelOneWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Sets the time name for analysis.",
- "dataTypesDependencies": [
- "SentinelOne_CL"
- ],
- "dataConnectorsDependencies": [
- "SentinelOne"
- ],
- "previewImagesFileNames": [
- "SentinelOneBlack.png",
- "SentinelOneWhite.png"
- ],
- "version": "1.0.0",
- "title": "SentinelOneWorkbook",
- "templateRelativePath": "SentinelOne.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "TrendMicroApexOneWorkbook",
- "logoFileName": "trendmicro_logo.svg",
- "description": "Sets the time name for analysis.",
- 
"dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "TrendMicroApexOne",
- "TrendMicroApexOneAma",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "TrendMicroApexOneBlack.png",
- "TrendMicroApexOneWhite.png"
- ],
- "version": "1.0.0",
- "title": "Trend Micro Apex One",
- "templateRelativePath": "TrendMicroApexOne.json",
- "subtitle": "",
- "provider": "TrendMicro"
-},
-{
- "workbookKey": "ContrastProtect",
- "logoFileName": "contrastsecurity_logo.svg",
- "description": "Select the time range for this Overview.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "ContrastProtect",
- "ContrastProtectAma",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "ContrastProtectAllBlack.png",
- "ContrastProtectAllWhite.png",
- "ContrastProtectEffectiveBlack.png",
- "ContrastProtectEffectiveWhite.png",
- "ContrastProtectSummaryBlack.png",
- "ContrastProtectSummaryWhite.png"
- ],
- "version": "1.0.0",
- "title": "Contrast Protect",
- "templateRelativePath": "ContrastProtect.json",
- "subtitle": "",
- "provider": "contrast security"
-},
-{
- "workbookKey": "ArmorbloxOverview",
- "logoFileName": "armorblox.svg",
- "description": "INCIDENTS FROM SELECTED TIME RANGE",
- "dataTypesDependencies": [
- "Armorblox_CL"
- ],
- "dataConnectorsDependencies": [
- "Armorblox"
- ],
- "previewImagesFileNames": [
- "ArmorbloxOverviewBlack01.png",
- "ArmorbloxOverviewBlack02.png",
- "ArmorbloxOverviewWhite01.png",
- "ArmorbloxOverviewWhite02.png"
- ],
- "version": "1.0.0",
- "title": "Armorblox",
- "templateRelativePath": "ArmorbloxOverview.json",
- "subtitle": "",
- "provider": "Armorblox"
-},
-{
- "workbookKey": "CiscoETDWorkbook",
- "logoFileName": "cisco-logo-72px.svg",
- "description": "Analyze email threat data seamlessly with the workbook, correlating information from the Secure Email Threat Defense API to identify and mitigate suspicious activities, providing insights into trends and allowing for precise 
filtering and analysis",
- "dataTypesDependencies": [
- "CiscoETD_CL"
- ],
- "dataConnectorsDependencies": [
- "CiscoETD"
- ],
- "previewImagesFileNames": [
- "CiscoETDBlack01.PNG",
- "CiscoETDBlack02.PNG",
- "CiscoETDWhite01.PNG",
- "CiscoETDWhite02.PNG"
- ],
- "version": "1.0",
- "title": "Cisco Email Threat Defense",
- "templateRelativePath": "CiscoETD.json",
- "subtitle": "",
- "provider": "Cisco"
-},
-{
- "workbookKey": "PaloAltoCDL",
- "logoFileName": "paloalto_logo.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "PaloAltoCDL",
- "PaloAltoCDLAma",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "PaloAltoBlack.png",
- "PaloAltoWhite.png"
- ],
- "version": "1.0.0",
- "title": "Palo Alto Networks Cortex Data Lake",
- "templateRelativePath": "PaloAltoCDL.json",
- "subtitle": "",
- "provider": "Palo Alto Networks"
-},
-{
- "workbookKey": "VMwareCarbonBlack",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "CarbonBlackEvents_CL",
- "CarbonBlackAuditLogs_CL",
- "CarbonBlackNotifications_CL"
- ],
- "dataConnectorsDependencies": [
- "VMwareCarbonBlack"
- ],
- "previewImagesFileNames": [
- "VMwareCarbonBlack.png",
- "VMwareCarbonWhite.png"
- ],
- "version": "1.0.0",
- "title": "VMware Carbon Black Cloud",
- "templateRelativePath": "VMwareCarbonBlack.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "VMwareSDWAN",
- "logoFileName": "vmware_sase_logo.svg",
- "description": "This workbook is intended to provide an overview on security events on VMware SD-WAN and Cloud Web Security.",
- "dataTypesDependencies": [
- "VMware_CWS_Weblogs_CL",
- "VMware_VECO_EventLogs_CL"
- ],
- "dataConnectorsDependencies": [
- "VMwareSDWAN"
- ],
- "previewImagesFileNames": [
- "vmwaresdwan_sentinel_audit_overview_Black.png",
- "vmwaresdwan_sentinel_audit_overview_White.png",
- 
"vmwaresdwan_sentinel_connectivity_overview_Black.png",
- "vmwaresdwan_sentinel_connectivity_overview_White.png",
- "vmwaresdwan_sentinel_cws_agents_events_Black.png",
- "vmwaresdwan_sentinel_cws_agents_events_White.png",
- "vmwaresdwan_sentinel_cws_casb_Black.png",
- "vmwaresdwan_sentinel_cws_casb_White.png",
- "vmwaresdwan_sentinel_cws_cf_users_policy_Black.png",
- "vmwaresdwan_sentinel_cws_cf_users_policy_White.png",
- "vmwaresdwan_sentinel_cws_overview_Black.png",
- "vmwaresdwan_sentinel_cws_overview_White.png",
- "vmwaresdwan_sentinel_cws_sasepop_urlf_Black.png",
- "vmwaresdwan_sentinel_cws_sasepop_urlf_White.png",
- "vmwaresdwan_sentinel_cws_urlf_Black.png",
- "vmwaresdwan_sentinel_cws_urlf_White.png",
- "vmwaresdwan_sentinel_efs_idps_categories_Black.png",
- "vmwaresdwan_sentinel_efs_idps_categories_White.png",
- "vmwaresdwan_sentinel_idps_activity_Black.png",
- "vmwaresdwan_sentinel_idps_activity_White.png",
- "vmwaresdwan_sentinel_nsd_overview_Black.png",
- "vmwaresdwan_sentinel_nsd_overview_White.png",
- "vmwaresdwan_sentinel_nsd_via_vcg_Black.png",
- "vmwaresdwan_sentinel_nsd_via_vcg_White.png",
- "vmwaresdwan_sentinel_sdwan_efs_statefulfw_Black.png",
- "vmwaresdwan_sentinel_sdwan_efs_statefulfw_White.png"
- ],
- "version": "1.0.0",
- "title": "VMware SD-WAN and SASE",
- "templateRelativePath": "VMwareSASESOCDashboard.json",
- "subtitle": "",
- "provider": "velocloud"
-},
-{
- "workbookKey": "arista-networks",
- "logoFileName": "AristaAwakeSecurity.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "AristaAwakeSecurity",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "AristaAwakeSecurityDevicesBlack.png",
- "AristaAwakeSecurityDevicesWhite.png",
- "AristaAwakeSecurityModelsBlack.png",
- "AristaAwakeSecurityModelsWhite.png",
- "AristaAwakeSecurityOverviewBlack.png",
- "AristaAwakeSecurityOverviewWhite.png"
- ],
- "version": "1.0.0",
- "title": "Arista 
Awake",
- "templateRelativePath": "AristaAwakeSecurityWorkbook.json",
- "subtitle": "",
- "provider": "Arista Networks"
-},
-{
- "workbookKey": "TomcatWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "Tomcat_CL"
- ],
- "dataConnectorsDependencies": [
- "ApacheTomcat"
- ],
- "previewImagesFileNames": [
- "TomcatBlack.png",
- "TomcatWhite.png"
- ],
- "version": "1.0.0",
- "title": "ApacheTomcat",
- "templateRelativePath": "Tomcat.json",
- "subtitle": "",
- "provider": "Apache"
-},
-{
- "workbookKey": "ClarotyWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "Claroty",
- "ClarotyAma",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "ClarotyBlack.png",
- "ClarotyWhite.png"
- ],
- "version": "1.0.0",
- "title": "Claroty",
- "templateRelativePath": "ClarotyOverview.json",
- "subtitle": "",
- "provider": "Claroty"
-},
-{
- "workbookKey": "ApacheHTTPServerWorkbook",
- "logoFileName": "apache.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "ApacheHTTPServer_CL"
- ],
- "dataConnectorsDependencies": [
- "ApacheHTTPServer"
- ],
- "previewImagesFileNames": [
- "ApacheHTTPServerOverviewBlack01.png",
- "ApacheHTTPServerOverviewBlack02.png",
- "ApacheHTTPServerOverviewWhite01.png",
- "ApacheHTTPServerOverviewWhite02.png"
- ],
- "version": "1.0.0",
- "title": "Apache HTTP Server",
- "templateRelativePath": "ApacheHTTPServer.json",
- "subtitle": "",
- "provider": "Apache Software Foundation"
-},
-{
- "workbookKey": "OCIWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "OCI_Logs_CL"
- ],
- "dataConnectorsDependencies": [
- "OracleCloudInfrastructureLogsConnector"
- ],
- "previewImagesFileNames": [
- "OCIBlack.png",
- "OCIWhite.png"
- 
],
- "version": "1.0.0",
- "title": "Oracle Cloud Infrastructure",
- "templateRelativePath": "OracleCloudInfrastructureOCI.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "OracleWeblogicServerWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "OracleWebLogicServer_CL"
- ],
- "dataConnectorsDependencies": [
- "OracleWebLogicServer"
- ],
- "previewImagesFileNames": [
- "OracleWeblogicServerBlack.png",
- "OracleWeblogicServerWhite.png"
- ],
- "version": "1.0.0",
- "title": "Oracle WebLogic Server",
- "templateRelativePath": "OracleWorkbook.json",
- "subtitle": "",
- "provider": "Oracle"
-},
-{
- "workbookKey": "BitglassWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "BitglassLogs_CL"
- ],
- "dataConnectorsDependencies": [
- "Bitglass"
- ],
- "previewImagesFileNames": [
- "BitglassBlack.png",
- "BitglassWhite.png"
- ],
- "version": "1.0.0",
- "title": "Bitglass",
- "templateRelativePath": "Bitglass.json",
- "subtitle": "",
- "provider": "Bitglass"
-},
-{
- "workbookKey": "NGINXWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "NGINX_CL"
- ],
- "dataConnectorsDependencies": [
- "NGINXHTTPServer"
- ],
- "previewImagesFileNames": [
- "NGINXOverviewBlack01.png",
- "NGINXOverviewBlack02.png",
- "NGINXOverviewWhite01.png",
- "NGINXOverviewWhite02.png"
- ],
- "version": "1.0.0",
- "title": "NGINX HTTP Server",
- "templateRelativePath": "NGINX.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "vArmourAppContollerWorkbook",
- "logoFileName": "varmour-logo.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "vArmourAC",
- "vArmourACAma",
- "CefAma"
- ],
- "previewImagesFileNames": [ 
- "vArmourAppControllerAppBlack.png",
- "vArmourAppControllerAppBlack-1.png",
- "vArmourAppControllerAppBlack-2.png",
- "vArmourAppControllerAppBlack-3.png",
- "vArmourAppControllerAppBlack-4.png",
- "vArmourAppControllerAppBlack-5.png",
- "vArmourAppControllerAppBlack-6.png",
- "vArmourAppControllerAppBlack-7.png",
- "vArmourAppControllerAppWhite.png",
- "vArmourAppControllerAppWhite-1.png",
- "vArmourAppControllerAppWhite-2.png",
- "vArmourAppControllerAppWhite-3.png",
- "vArmourAppControllerAppWhite-4.png",
- "vArmourAppControllerAppWhite-5.png",
- "vArmourAppControllerAppWhite-6.png",
- "vArmourAppControllerAppWhite-7.png"
- ],
- "version": "1.0.0",
- "title": "vArmour Application Controller",
- "templateRelativePath": "vArmour_AppContoller_Workbook.json",
- "subtitle": "",
- "provider": "vArmour"
-},
-{
- "workbookKey": "CorelightWorkbook",
- "logoFileName": "corelight.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "Corelight_CL"
- ],
- "dataConnectorsDependencies": [
- "Corelight"
- ],
- "previewImagesFileNames": [
- "CorelightConnectionsBlack1.png",
- "CorelightConnectionsBlack2.png",
- "CorelightConnectionsWhite1.png",
- "CorelightConnectionsWhite2.png",
- "CorelightDNSBlack1.png",
- "CorelightDNSWhite1.png",
- "CorelightFileBlack1.png",
- "CorelightFileBlack2.png",
- "CorelightFileWhite1.png",
- "CorelightFileWhite2.png",
- "CorelightMainBlack1.png",
- "CorelightMainWhite1.png",
- "CorelightSoftwareBlack1.png",
- "CorelightSoftwareWhite1.png"
- ],
- "version": "1.0.0",
- "title": "Corelight",
- "templateRelativePath": "Corelight.json",
- "subtitle": "",
- "provider": "Corelight"
-},
-{
- "workbookKey": "LookoutEvents",
- "logoFileName": "lookout.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "Lookout_CL"
- ],
- "dataConnectorsDependencies": [
- "LookoutAPI"
- ],
- "previewImagesFileNames": [
- "SampleLookoutWorkBookBlack.png",
- "SampleLookoutWorkBookWhite.png"
- ],
- 
"version": "1.0.0",
- "title": "Lookout",
- "templateRelativePath": "LookoutEvents.json",
- "subtitle": "",
- "provider": "Lookout"
-},
-{
- "workbookKey": "sentinel-MicrosoftPurview",
- "logoFileName": "MicrosoftPurview.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "AzureDiagnostics"
- ],
- "dataConnectorsDependencies": [
- "MicrosoftAzurePurview"
- ],
- "previewImagesFileNames": [
- ""
- ],
- "version": "1.0.0",
- "title": "Microsoft Purview",
- "templateRelativePath": "MicrosoftPurview.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "InfobloxCDCB1TDWorkbook",
- "logoFileName": "infoblox_logo.svg",
- "description": "Get a closer look at your BloxOne DNS Query/Response logs, DHCP logs and Threat Defense security event data. This workbook is intended to help visualize BloxOne query data as part of the Infoblox Cloud solution. Drilldown your data and visualize events, trends, and anomalous changes over time.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "InfobloxCloudDataConnector",
- "InfobloxCloudDataConnectorAma",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "InfobloxCDCB1TDBlack.png",
- "InfobloxCDCB1TDWhite.png"
- ],
- "version": "2.0.0",
- "title": "Infoblox CDC BloxOne DDI & Threat Defense DNS Workbook",
- "templateRelativePath": "InfobloxCDCB1TDWorkbook.json",
- "subtitle": "",
- "provider": "Infoblox"
-},
-{
- "workbookKey": "InfobloxSOCInsightsWorkbook",
- "logoFileName": "infoblox_logo.svg",
- "description": "Get a closer look at your Infoblox SOC Insights. This workbook is intended to help visualize your BloxOne SOC Insights data as part of the Infoblox SOC Insights Solution. 
Drilldown your data and visualize events, trends, and anomalous changes over time.",
- "dataTypesDependencies": [
- "InfobloxInsight",
- "InfobloxInsightAssets",
- "InfobloxInsightComments",
- "InfobloxInsightIndicators",
- "InfobloxInsightEvents"
- ],
- "dataConnectorsDependencies": [
- "InfobloxSOCInsightsDataConnector_AMA",
- "InfobloxSOCInsightsDataConnector_API",
- "InfobloxSOCInsightsDataConnector_Legacy",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "InfobloxSOCInsightsBlack.png",
- "InfobloxSOCInsightsWhite.png"
- ],
- "version": "1.0.0",
- "title": "Infoblox SOC Insights Workbook",
- "templateRelativePath": "InfobloxSOCInsightsWorkbook.json",
- "subtitle": "",
- "provider": "Infoblox"
-},
-{
- "workbookKey": "UbiquitiUniFiWorkbook",
- "logoFileName": "ubiquiti.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "Ubiquiti_CL"
- ],
- "dataConnectorsDependencies": [
- "UbiquitiUnifi"
- ],
- "previewImagesFileNames": [
- "UbiquitiOverviewBlack01.png",
- "UbiquitiOverviewBlack02.png",
- "UbiquitiOverviewWhite01.png",
- "UbiquitiOverviewWhite02.png"
- ],
- "version": "1.0.0",
- "title": "Ubiquiti UniFi",
- "templateRelativePath": "Ubiquiti.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "VMwareESXiWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "Syslog"
- ],
- "dataConnectorsDependencies": [
- "VMwareESXi",
- "SyslogAma"
- ],
- "previewImagesFileNames": [
- "VMWareESXiBlack.png",
- "VMWareESXiWhite.png"
- ],
- "version": "1.0.0",
- "title": "VMware ESXi",
- "templateRelativePath": "VMWareESXi.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "SnowflakeWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "Snowflake_CL"
- ],
- "dataConnectorsDependencies": [
- "SnowflakeDataConnector"
- ],
- 
"previewImagesFileNames": [
- "SnowflakeBlack.png",
- "SnowflakeWhite.png"
- ],
- "version": "1.0.0",
- "title": "Snowflake",
- "templateRelativePath": "Snowflake.json",
- "subtitle": "",
- "provider": "Snowflake"
-},
-{
- "workbookKey": "LastPassWorkbook",
- "logoFileName": "LastPass.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "LastPassNativePoller_CL"
- ],
- "dataConnectorsDependencies": [
- "LastPassAPIConnector"
- ],
- "previewImagesFileNames": [
- "LastPassBlack.png",
- "LastPassWhite.png"
- ],
- "version": "1.0.0",
- "title": "Lastpass Enterprise Activity Monitoring",
- "templateRelativePath": "LastPassWorkbook.json",
- "subtitle": "",
- "provider": "LastPass"
-},
-{
- "workbookKey": "SecurityBridgeWorkbook",
- "logoFileName": "SecurityBridgeLogo-Vector-TM_75x75.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "SecurityBridgeLogs"
- ],
- "dataConnectorsDependencies": [
- "SecurityBridgeSAP"
- ],
- "previewImagesFileNames": [""],
- "version": "1.0.0",
- "title": "SecurityBridge App",
- "templateRelativePath": "SecurityBridgeThreatDetectionforSAP.json",
- "subtitle": "",
- "provider": "SecurityBridge"
-},
-{
- "workbookKey": "PaloAltoPrismaCloudWorkbook",
- "logoFileName": "paloalto_logo.svg",
- "description": "Sets the time name for analysis.",
- "dataTypesDependencies": [
- "PaloAltoPrismaCloudAlert_CL",
- "PaloAltoPrismaCloudAudit_CL"
- ],
- "dataConnectorsDependencies": [
- "PaloAltoPrismaCloud"
- ],
- "previewImagesFileNames": [
- "PaloAltoPrismaCloudBlack01.png",
- "PaloAltoPrismaCloudBlack02.png",
- "PaloAltoPrismaCloudWhite01.png",
- "PaloAltoPrismaCloudWhite02.png"
- ],
- "version": "1.0.0",
- "title": "Palo Alto Prisma",
- "templateRelativePath": "PaloAltoPrismaCloudOverview.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "PingFederateWorkbook",
- "logoFileName": "PingIdentity.svg",
- "description": "Sets the time name for analysis",
- 
"dataTypesDependencies": [
- "PingFederateEvent"
- ],
- "dataConnectorsDependencies": [
- "PingFederate",
- "PingFederateAma",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "PingFederateBlack1.png",
- "PingFederateWhite1.png"
- ],
- "version": "1.0.0",
- "title": "PingFederate",
- "templateRelativePath": "PingFederate.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "McAfeeePOWorkbook",
- "logoFileName": "mcafee_logo.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "McAfeeEPOEvent"
- ],
- "dataConnectorsDependencies": [
- "McAfeeePO",
- "SyslogAma"
- ],
- "previewImagesFileNames": [
- "McAfeeePOBlack1.png",
- "McAfeeePOBlack2.png",
- "McAfeeePOWhite1.png",
- "McAfeeePOWhite2.png"
- ],
- "version": "1.0.0",
- "title": "McAfee ePolicy Orchestrator",
- "templateRelativePath": "McAfeeePOOverview.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "OracleDatabaseAudit",
- "logoFileName": "oracle_logo.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "Syslog"
- ],
- "dataConnectorsDependencies": [
- "OracleDatabaseAudit",
- "SyslogAma"
- ],
- "previewImagesFileNames": [
- "OracleDatabaseAuditBlack1.png",
- "OracleDatabaseAuditBlack2.png",
- "OracleDatabaseAuditWhite1.png",
- "OracleDatabaseAuditWhite2.png"
- ],
- "version": "1.0.0",
- "title": "Oracle Database Audit",
- "templateRelativePath": "OracleDatabaseAudit.json",
- "subtitle": "",
- "provider": "Oracle"
-},
-{
- "workbookKey": "SenservaProAnalyticsWorkbook",
- "logoFileName": "SenservaPro_logo.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "SenservaPro_CL"
- ],
- "dataConnectorsDependencies": [
- "SenservaPro"
- ],
- "previewImagesFileNames": [
- "SenservaProAnalyticsBlack.png",
- "SenservaProAnalyticsWhite.png"
- ],
- "version": "1.0.0",
- "title": "SenservaProAnalytics",
- "templateRelativePath": "SenservaProAnalyticsWorkbook.json",
- 
"subtitle": "",
- "provider": "Senserva Pro"
-},
-{
- "workbookKey": "SenservaProMultipleWorkspaceWorkbook",
- "logoFileName": "SenservaPro_logo.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "SenservaPro_CL"
- ],
- "dataConnectorsDependencies": [
- "SenservaPro"
- ],
- "previewImagesFileNames": [
- "SenservaProMultipleWorkspaceWorkbookBlack.png",
- "SenservaProMultipleWorkspaceWorkbookWhite.png"
- ],
- "version": "1.0.0",
- "title": "SenservaProMultipleWorkspace",
- "templateRelativePath": "SenservaProMultipleWorkspaceWorkbook.json",
- "subtitle": "",
- "provider": "Senserva Pro"
-},
-{
- "workbookKey": "SenservaProSecureScoreMultiTenantWorkbook",
- "logoFileName": "SenservaPro_logo.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "SenservaPro_CL"
- ],
- "dataConnectorsDependencies": [
- "SenservaPro"
- ],
- "previewImagesFileNames": [
- "SenservaProSecureScoreMultiTenantBlack.png",
- "SenservaProSecureScoreMultiTenantWhite.png"
- ],
- "version": "1.0.0",
- "title": "SenservaProSecureScoreMultiTenant",
- "templateRelativePath": "SenservaProSecureScoreMultiTenantWorkbook.json",
- "subtitle": "",
- "provider": "Senserva Pro"
-},
-{
- "workbookKey": "CiscoSecureEndpointOverviewWorkbook",
- "logoFileName": "cisco-logo-72px.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "CiscoSecureEndpoint"
- ],
- "dataConnectorsDependencies": [
- "CiscoSecureEndpoint"
- ],
- "previewImagesFileNames": [
- "CiscoSecureEndpointBlack.png",
- "CiscoSecureEndpointWhite.png"
- ],
- "version": "1.0.0",
- "title": "Cisco Secure Endpoint",
- "templateRelativePath": "Cisco Secure Endpoint Overview.json",
- "subtitle": "",
- "provider": "Cisco"
-},
-{
- "workbookKey": "InfoSecGlobalWorkbook",
- "logoFileName": "infosecglobal.svg",
- "description": "Sets the time name for analysis.",
- "dataTypesDependencies": [
- "InfoSecAnalytics_CL"
- ],
- "dataConnectorsDependencies": [ 
- "InfoSecDataConnector"
- ],
- "previewImagesFileNames": [
- "InfoSecGlobalWorkbookBlack.png",
- "InfoSecGlobalWorkbookWhite.png"
- ],
- "version": "1.0.0",
- "title": "AgileSec Analytics Connector",
- "templateRelativePath": "InfoSecGlobal.json",
- "subtitle": "",
- "provider": "InfoSecGlobal"
-},
-{
- "workbookKey": "CrowdStrikeFalconEndpointProtectionWorkbook",
- "logoFileName": "crowdstrike.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "CrowdstrikeReplicatorLogs_CL"
- ],
- "dataConnectorsDependencies": [
- "CrowdstrikeReplicator"
- ],
- "previewImagesFileNames": [
- "CrowdStrikeFalconEndpointProtectionBlack.png",
- "CrowdStrikeFalconEndpointProtectionWhite.png"
- ],
- "version": "1.0.0",
- "title": "CrowdStrike Falcon Endpoint Protection",
- "templateRelativePath": "CrowdStrikeFalconEndpointProtection.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "IronDefenseAlertDashboard",
- "logoFileName": "IronNet.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "IronNetIronDefense"
- ],
- "previewImagesFileNames": [
- "IronDefenseDashboardBlack.png",
- "IronDefenseDashboardWhite.png"
- ],
- "version": "1.0.0",
- "title": "IronDefenseAlertDashboard",
- "templateRelativePath": "IronDefenseAlertDashboard.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "IronDefenseAlertDetails",
- "logoFileName": "IronNet.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "IronNetIronDefense"
- ],
- "previewImagesFileNames": [
- "IronDefenseAlertsBlack.png",
- "IronDefenseAlertsWhite.png"
- ],
- "version": "1.0.0",
- "title": "IronDefenseAlertDetails",
- "templateRelativePath": "IronDefenseAlertDetails.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "CiscoSEGWorkbook",
- 
"logoFileName": "cisco-logo-72px.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "CiscoSEG",
- "CiscoSEGAma",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "CiscoSEGBlack.png",
- "CiscoSEGWhite.png"
- ],
- "version": "1.0.0",
- "title": "Cisco Secure Email Gateway",
- "templateRelativePath": "CiscoSEG.json",
- "subtitle": "",
- "provider": "Cisco"
-},
-{
- "workbookKey": "EatonForeseerHealthAndAccess",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This workbook gives an insight into the health of all the Windows VMs in this subscription running Eaton Foreseer and the unauthorized access into the Eaton Foreseer application running on these VMs.",
- "dataTypesDependencies": [
- "SecurityEvent"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "EatonForeseerHealthAndAccessBlack.png",
- "EatonForeseerHealthAndAccessWhite.png"
- ],
- "version": "1.0.0",
- "title": "EatonForeseerHealthAndAccess",
- "templateRelativePath": "EatonForeseerHealthAndAccess.json",
- "subtitle": "",
- "provider": "Eaton"
-},
-{
- "workbookKey": "PCIDSSComplianceWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Choose your subscription and workspace in which PCI assets are deployed",
- "dataTypesDependencies": [
- "AzureDaignostics",
- "SecurityEvent",
- "SecurityAlert",
- "OracleDatabaseAuditEvent",
- "Syslog",
- "Anomalies"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "PCIDSSComplianceBlack01.PNG",
- "PCIDSSComplianceBlack02.PNG",
- "PCIDSSComplianceWhite01.PNG",
- "PCIDSSComplianceWhite02.PNG"
- ],
- "version": "1.0.0",
- "title": "PCI DSS Compliance",
- "templateRelativePath": "PCIDSSCompliance.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "SonraiSecurityWorkbook",
- "logoFileName": "Sonrai.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- 
"Sonrai_Tickets_CL"
- ],
- "dataConnectorsDependencies": [
- "SonraiDataConnector"
- ],
- "previewImagesFileNames": [
- "SonraiWorkbookBlack.png",
- "SonraiWorkbookWhite.png"
- ],
- "version": "1.0.0",
- "title": "Sonrai",
- "templateRelativePath": "Sonrai.json",
- "subtitle": "",
- "provider": "Sonrai"
-},
-{
- "workbookKey": "SemperisDSPWorkbook",
- "logoFileName": "Semperis.svg",
- "description": "Specify the time range on which to query the data",
- "dataTypesDependencies": [
- "dsp_parser"
- ],
- "dataConnectorsDependencies": [
- "SemperisDSP"
- ],
- "previewImagesFileNames": [
- "SemperisDSPOverview1Black.png",
- "SemperisDSPOverview1White.png",
- "SemperisDSPOverview2Black.png",
- "SemperisDSPOverview2White.png",
- "SemperisDSPOverview3Black.png",
- "SemperisDSPOverview3White.png"
- ],
- "version": "1.0.0",
- "title": "Semperis Directory Services Protector",
- "templateRelativePath": "SemperisDSPWorkbook.json",
- "subtitle": "",
- "provider": "Semperis"
-},
-{
- "workbookKey": "BoxWorkbook",
- "logoFileName": "box.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "BoxEvents_CL"
- ],
- "dataConnectorsDependencies": [
- "BoxDataConnector"
- ],
- "previewImagesFileNames": [
- "BoxBlack1.png",
- "BoxWhite1.png",
- "BoxBlack2.png",
- "BoxWhite2.png"
- ],
- "version": "1.0.0",
- "title": "Box",
- "templateRelativePath": "Box.json",
- "subtitle": "",
- "provider": "Box"
-},
-{
- "workbookKey": "SymantecEndpointProtection",
- "logoFileName": "symantec_logo.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "SymantecEndpointProtection"
- ],
- "dataConnectorsDependencies": [
- "SymantecEndpointProtection",
- "SyslogAma"
- ],
- "previewImagesFileNames": [
- "SymantecEndpointProtectionBlack.png",
- "SymantecEndpointProtectionWhite.png"
- ],
- "version": "1.0.0",
- "title": "Symantec Endpoint Protection",
- "templateRelativePath": "SymantecEndpointProtection.json",
- "subtitle": "",
- 
"provider": "Symantec"
-},
-{
- "workbookKey": "DynamicThreatModeling&Response",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "SecurityAlert"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "DynamicThreatModeling&ResponseWhite.png",
- "DynamicThreatModeling&ResponseBlack.png"
- ],
- "version": "1.0.0",
- "title": "Dynamic Threat Modeling Response",
- "templateRelativePath": "DynamicThreatModeling&Response.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "ThreatAnalysis&Response",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "The Defenders for IoT workbook provide guided investigations for OT entities based on open incidents, alert notifications, and activities for OT assets. They also provide a hunting experience across the MITRE ATT&CK® framework for ICS, and are designed to enable analysts, security engineers, and MSSPs to gain situational awareness of OT security posture.",
- "dataTypesDependencies": [
- "SecurityAlert"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "ThreatAnalysis&ResponseWhite1.png",
- "ThreatAnalysis&ResponseWhite2.png",
- "ThreatAnalysis&ResponseWhite3.png",
- "ThreatAnalysis&ResponseWhite4.png",
- "ThreatAnalysis&ResponseBlack1.png",
- "ThreatAnalysis&ResponseBlack2.png",
- "ThreatAnalysis&ResponseBlack3.png",
- "ThreatAnalysis&ResponseBlack4.png"
- ],
- "version": "1.0.1",
- "title": "Threat Analysis Response",
- "templateRelativePath": "ThreatAnalysis&Response.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "TrendMicroCAS",
- "logoFileName": "Trend_Micro_Logo.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "TrendMicroCAS_CL"
- ],
- "dataConnectorsDependencies": [
- "TrendMicroCAS"
- ],
- "previewImagesFileNames": [
- "TrendMicroCASBlack.png",
- "TrendMicroCASWhite.png"
- ],
- "version": "1.0.0",
- "title": 
"TrendMicroCAS",
- "templateRelativePath": "TrendMicroCAS.json",
- "subtitle": "",
- "provider": "TrendMicro"
-},
-{
- "workbookKey": "GitHubSecurityWorkbook",
- "logoFileName": "GitHub.svg",
- "description": "Gain insights to GitHub activities that may be interesting for security.",
- "dataTypesDependencies": [
- "GitHubAuditLogPolling_CL"
- ],
- "dataConnectorsDependencies": [
- "GitHubEcAuditLogPolling"
- ],
- "previewImagesFileNames": [
- "GitHubSecurityBlack.png",
- "GitHubSecurityWhite.png"
- ],
- "version": "1.0.0",
- "title": "GithubWorkbook",
- "templateRelativePath": "GitHub.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "GCPDNSWorkbook",
- "logoFileName": "google_logo.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "GCPCloudDNS"
- ],
- "dataConnectorsDependencies": [
- "GCPDNSDataConnector"
- ],
- "previewImagesFileNames": [
- "GCPDNSBlack.png",
- "GCPDNSWhite.png"
- ],
- "version": "1.0.0",
- "title": "Google Cloud Platform DNS",
- "templateRelativePath": "GCPDNS.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "AtlassianJiraAuditWorkbook",
- "logoFileName": "atlassian.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "AtlassianJiraNativePoller_CL"
- ],
- "dataConnectorsDependencies": [
- "AtlassianJira"
- ],
- "previewImagesFileNames": [
- "AtlassianJiraAuditWhite.png",
- "AtlassianJiraAuditBlack.png"
- ],
- "version": "1.0.0",
- "title": "AtlassianJiraAudit",
- "templateRelativePath": "AtlassianJiraAudit.json",
- "subtitle": "",
- "provider": "Atlassian"
-},
-{
- "workbookKey": "DigitalGuardianWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "DigitalGuardianDLPEvent"
- ],
- "dataConnectorsDependencies": [
- "DigitalGuardianDLP",
- "SyslogAma"
- ],
- "previewImagesFileNames": [
- "DigitalGuardianBlack.png",
- "DigitalGuardianWhite.png"
- 
],
- "version": "1.0.0",
- "title": "DigitalGuardianDLP",
- "templateRelativePath": "DigitalGuardian.json",
- "subtitle": "",
- "provider": "Digital Guardian"
-},
-{
- "workbookKey": "CiscoDuoWorkbook",
- "logoFileName": "cisco-logo-72px.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "CiscoDuo_CL"
- ],
- "dataConnectorsDependencies": [
- "CiscoDuoSecurity"
- ],
- "previewImagesFileNames": [
- "CiscoDuoWhite.png",
- "CiscoDuoBlack.png"
- ],
- "version": "1.0.0",
- "title": "CiscoDuoSecurity",
- "templateRelativePath": "CiscoDuo.json",
- "subtitle": "",
- "provider": "Cisco"
-},
-{
- "workbookKey": "SlackAudit",
- "logoFileName": "slacklogo.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "SlackAudit_CL"
- ],
- "dataConnectorsDependencies": [
- "SlackAuditAPI"
- ],
- "previewImagesFileNames": [
- "SlackAuditApplicationActivityBlack1.png",
- "SlackAuditApplicationActivityWhite1.png"
- ],
- "version": "1.0.0",
- "title": "SlackAudit",
- "templateRelativePath": "SlackAudit.json",
- "subtitle": "",
- "provider": "Slack"
-},
-{
- "workbookKey": "CiscoWSAWorkbook",
- "logoFileName": "cisco-logo-72px.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "Syslog"
- ],
- "dataConnectorsDependencies": [
- "CiscoWSA",
- "SyslogAma"
- ],
- "previewImagesFileNames": [
- "CiscoWSAWhite.png",
- "CiscoWSABlack.png"
- ],
- "version": "1.0.0",
- "title": "CiscoWSA",
- "templateRelativePath": "CiscoWSA.json",
- "subtitle": "",
- "provider": "Cisco"
-},
-{
- "workbookKey": "GCP-IAM-Workbook",
- "logoFileName": "google_logo.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "GCP_IAM_CL"
- ],
- "dataConnectorsDependencies": [
- "GCPIAMDataConnector"
- ],
- "previewImagesFileNames": [
- "GCPIAMBlack01.png",
- "GCPIAMBlack02.png",
- "GCPIAMWhite01.png",
- "GCPIAMWhite02.png"
- ],
- "version": "1.0.0",
- "title": "Google Cloud Platform 
IAM",
- "templateRelativePath": "GCP_IAM.json",
- "subtitle": "",
- "provider": "Google"
-},
-{
- "workbookKey": "ImpervaWAFCloudWorkbook",
- "logoFileName": "Imperva_DarkGrey_final_75x75.svg",
- "description": "Sets the time name for analysis.",
- "dataTypesDependencies": [
- "ImpervaWAFCloud_CL"
- ],
- "dataConnectorsDependencies": [
- "ImpervaWAFCloudAPI"
- ],
- "previewImagesFileNames": [
- "ImpervaWAFCloudBlack01.png",
- "ImpervaWAFCloudBlack02.png",
- "ImpervaWAFCloudWhite01.png",
- "ImpervaWAFCloudWhite02.png"
- ],
- "version": "1.0.0",
- "title": "Imperva WAF Cloud Overview",
- "templateRelativePath": "Imperva WAF Cloud Overview.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "ZscalerZPAWorkbook",
- "logoFileName": "ZscalerLogo.svg",
- "description": "Select the time range for this Overview.",
- "dataTypesDependencies": [
- "ZPA_CL"
- ],
- "dataConnectorsDependencies": [
- "ZscalerPrivateAccess"
- ],
- "previewImagesFileNames": [
- "ZscalerZPABlack.png",
- "ZscalerZPAWhite.png"
- ],
- "version": "1.0.0",
- "title": "Zscaler Private Access (ZPA)",
- "templateRelativePath": "ZscalerZPA.json",
- "subtitle": "",
- "provider": "Zscaler"
-},
-{
- "workbookKey": "GoogleWorkspaceWorkbook",
- "logoFileName": "google_logo.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "GWorkspace_ReportsAPI_admin_CL",
- "GWorkspace_ReportsAPI_calendar_CL",
- "GWorkspace_ReportsAPI_drive_CL",
- "GWorkspace_ReportsAPI_login_CL",
- "GWorkspace_ReportsAPI_login_CL",
- "GWorkspace_ReportsAPI_mobile_CL"
- ],
- "dataConnectorsDependencies": [
- "GoogleWorkspaceReportsAPI"
- ],
- "previewImagesFileNames": [
- "GoogleWorkspaceBlack.png",
- "GoogleWorkspaceWhite.png"
- ],
- "version": "1.0.0",
- "title": "GoogleWorkspaceReports",
- "templateRelativePath": "GoogleWorkspace.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "NCProtectWorkbook",
- "logoFileName": "NCProtectIcon.svg",
- "description": 
"Sets the time name for analysis",
- "dataTypesDependencies": [
- "NCProtectUAL_CL"
- ],
- "dataConnectorsDependencies": [
- "NucleusCyberNCProtect"
- ],
- "previewImagesFileNames": [""],
- "version": "1.0.0",
- "title": "NucleusCyberProtect",
- "templateRelativePath": "NucleusCyber_NCProtect_Workbook.json",
- "subtitle": "",
- "provider": "archTIS"
-},
-{
- "workbookKey": "CiscoISEWorkbook",
- "logoFileName": "cisco-logo-72px.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "Syslog"
- ],
- "dataConnectorsDependencies": [
- "CiscoISE",
- "SyslogAma"
- ],
- "previewImagesFileNames": [
- "CiscoISEBlack1.png",
- "CiscoISEBlack2.png",
- "CiscoISEWhite1.png",
- "CiscoISEWhite2.png"
- ],
- "version": "1.0.0",
- "title": "Cisco ISE",
- "templateRelativePath": "CiscoISE.json",
- "subtitle": "",
- "provider": "Cisco"
-},
-{
- "workbookKey": "IoTOTThreatMonitoringwithDefenderforIoTWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "The OT Threat Monitoring with Defender for IoT Workbook features OT filtering for Security Alerts, Incidents, Vulnerabilities and Asset Inventory. The workbook features a dynamic assessment of the MITRE ATT&CK for ICS matrix across your environment to analyze and respond to OT-based threats. 
This workbook is designed to enable SecOps Analysts, Security Engineers, and MSSPs to gain situational awareness for IT/OT security posture.",
- "dataTypesDependencies": [
- "SecurityAlert",
- "SecurityIncident"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "IoTOTThreatMonitoringwithDefenderforIoTBlack.png",
- "IoTOTThreatMonitoringwithDefenderforIoTWhite.png"
- ],
- "version": "1.0.0",
- "title": "Microsoft Defender for IoT",
- "templateRelativePath": "IoTOTThreatMonitoringwithDefenderforIoT.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "ZeroTrust(TIC3.0)Workbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "SecurityRecommendation"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "ZeroTrust(TIC3.0)Black1.PNG",
- "ZeroTrust(TIC3.0)White1.PNG"
- ],
- "version": "1.0.0",
- "title": "ZeroTrust(TIC3.0)",
- "templateRelativePath": "ZeroTrustTIC3.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "CybersecurityMaturityModelCertification(CMMC)2.0Workbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Sets the time name for analysis.",
- "dataTypesDependencies": [
- "InformationProtectionLogs_CL",
- "AuditLogs",
- "SecurityIncident",
- "SigninLogs",
- "AzureActivity"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "CybersecurityMaturityModelCertificationBlack.png",
- "CybersecurityMaturityModelCertificationWhite.png"
- ],
- "version": "1.0.0",
- "title": "CybersecurityMaturityModelCertification(CMMC)2.0",
- "templateRelativePath": "CybersecurityMaturityModelCertification_CMMCV2.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "NISTSP80053Workbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Sets the time name for analysis.",
- "dataTypesDependencies": [
- "SigninLogs",
- "AuditLogs",
- "AzureActivity",
- 
"OfficeActivity",
- "SecurityEvents",
- "CommonSecurityLog",
- "SecurityIncident",
- "SecurityRecommendation"
- ],
- "dataConnectorsDependencies": [
- "SecurityEvents"
- ],
- "previewImagesFileNames": [
- "NISTSP80053Black.png",
- "NISTSP80053White.png"
- ],
- "version": "1.0.0",
- "title": "NISTSP80053workbook",
- "templateRelativePath": "NISTSP80053.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "DarktraceWorkbook",
- "logoFileName": "Darktrace.svg",
- "description": "The Darktrace Workbook visualises Model Breach and AI Analyst data received by the Darktrace Data Connector and visualises events across the network, SaaS, IaaS and Email.",
- "dataTypesDependencies": [
- "darktrace_model_alerts_CL"
- ],
- "dataConnectorsDependencies": [
- "DarktraceRESTConnector"
- ],
- "previewImagesFileNames": [
- "DarktraceWorkbookBlack01.png",
- "DarktraceWorkbookBlack02.png",
- "DarktraceWorkbookWhite01.png",
- "DarktraceWorkbookWhite02.png"
- ],
- "version": "1.0.1",
- "title": "Darktrace",
- "templateRelativePath": "DarktraceWorkbook.json",
- "subtitle": "",
- "provider": "Darktrace"
-},
-{
- "workbookKey": "RecordedFutureAlertOverviewWorkbook",
- "logoFileName": "RecordedFuture.svg",
- "description": "Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer.",
- "dataTypesDependencies": [
- "RecordedFuturePortalAlerts_CL"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "RecordedFutureAlertOverviewWhite.png",
- "RecordedFutureAlertOverviewBlack.png"
- ],
- "version": "1.0.1",
- "title": "Recorded Future - Alerts Overview",
- "templateRelativePath": "RecordedFutureAlertOverview.json",
- "subtitle": "",
- "provider": "Recorded Future"
-},
-{
- "workbookKey": "RecordedFuturePlaybookAlertOverviewWorkbook",
- "logoFileName": "RecordedFuture.svg",
- "description": "Recorded Future Playbook Alerts Overview Workbook. 
This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer.",
- "dataTypesDependencies": [
- "RecordedFuturePlaybookAlerts_CL"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "RecordedFuturePlaybookAlertOverviewWhite1.png",
- "RecordedFuturePlaybookAlertOverviewBlack1.png"
- ],
- "version": "1.0.1",
- "title": "Recorded Future - Playbook Alerts Overview",
- "templateRelativePath": "RecordedFuturePlaybookAlertOverview.json",
- "subtitle": "",
- "provider": "Recorded Future"
-},
-{
- "workbookKey": "RecordedFutureDomainCorrelationWorkbook",
- "logoFileName": "RecordedFuture.svg",
- "description": "Recorded Future Domain Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.",
- "dataTypesDependencies": [
- "ThreatIntelligenceIndicator"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "RecordedFutureDomainCorrelationWhite.png",
- "RecordedFutureDomainCorrelationBlack.png"
- ],
- "version": "1.0.1",
- "title": "Recorded Future - Domain Correlation",
- "templateRelativePath": "RecordedFutureDomainCorrelation.json",
- "subtitle": "",
- "provider": "Recorded Future"
-},
-{
- "workbookKey": "RecordedFutureHashCorrelationWorkbook",
- "logoFileName": "RecordedFuture.svg",
- "description": "Recorded Future Hash Correlation Workbook. 
This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.",
- "dataTypesDependencies": [
- "ThreatIntelligenceIndicator"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "RecordedFutureHashCorrelationWhite.png",
- "RecordedFutureHashCorrelationBlack.png"
- ],
- "version": "1.0.1",
- "title": "Recorded Future - Hash Correlation",
- "templateRelativePath": "RecordedFutureHashCorrelation.json",
- "subtitle": "",
- "provider": "Recorded Future"
-},
-{
- "workbookKey": "RecordedFutureIPCorrelationWorkbook",
- "logoFileName": "RecordedFuture.svg",
- "description": "Recorded Future IP Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.",
- "dataTypesDependencies": [
- "ThreatIntelligenceIndicator"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "RecordedFutureIPCorrelationWhite.png",
- "RecordedFutureIPCorrelationBlack.png"
- ],
- "version": "1.0.1",
- "title": "Recorded Future - IP Correlation",
- "templateRelativePath": "RecordedFutureIPCorrelation.json",
- "subtitle": "",
- "provider": "Recorded Future"
-},
-{
- "workbookKey": "RecordedFutureURLCorrelationWorkbook",
- "logoFileName": "RecordedFuture.svg",
- "description": "Recorded Future URL Correlation Workbook. 
This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.",
- "dataTypesDependencies": [
- "ThreatIntelligenceIndicator"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "RecordedFutureUrlCorrelationWhite.png",
- "RecordedFutureUrlCorrelationBlack.png"
- ],
- "version": "1.0.1",
- "title": "Recorded Future - URL Correlation",
- "templateRelativePath": "RecordedFutureURLCorrelation.json",
- "subtitle": "",
- "provider": "Recorded Future"
-},
-{
- "workbookKey": "RecordedFutureThreatActorHuntingWorkbook",
- "logoFileName": "RecordedFuture.svg",
- "description": "Recorded Future Threat Actor Hunting Workbook. This workbook will visualize Recorded Future threat map and hunting indicators ingested in to Microsoft Sentinel.",
- "dataTypesDependencies": [
- "ThreatIntelligenceIndicator"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "RecordedFutureThreatActorHuntingWhite.png",
- "RecordedFutureThreatActorHuntingBlack.png"
- ],
- "version": "1.0.1",
- "title": "Recorded Future - Threat Actor Hunting",
- "templateRelativePath": "RecordedFutureThreatActorHunting.json",
- "subtitle": "",
- "provider": "Recorded Future"
-},
-{
- "workbookKey": "RecordedFutureMalwareThreatHuntingWorkbook",
- "logoFileName": "RecordedFuture.svg",
- "description": "Recorded Future Malware Threat Hunting Workbook. 
This workbook will visualize Recorded Future malware threat map and hunting indicators ingested in to Microsoft Sentinel.",
- "dataTypesDependencies": [
- "ThreatIntelligenceIndicator"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "RecordedFutureMalwareThreatHuntingWhite.png",
- "RecordedFutureMalwareThreatHuntingBlack.png"
- ],
- "version": "1.0.0",
- "title": "Recorded Future - Malware Threat Hunting",
- "templateRelativePath": "RecordedFutureMalwareThreatHunting.json",
- "subtitle": "",
- "provider": "Recorded Future"
-},
-{
- "workbookKey": "MaturityModelForEventLogManagement_M2131",
- "logoFileName": "contrastsecurity_logo.svg",
- "description": "Select the time range for this Overview.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "MaturityModelForEventLogManagement_M2131Black.png",
- "MaturityModelForEventLogManagement_M2131White.png"
- ],
- "version": "1.0.0",
- "title": "MaturityModelForEventLogManagementM2131",
- "templateRelativePath": "MaturityModelForEventLogManagement_M2131.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "AzureSQLSecurityWorkbook",
- "logoFileName": "AzureSQL.svg",
- "description": "Sets the time window in days to search around the alert",
- "dataTypesDependencies": [
- "AzureDiagnostics",
- "SecurityAlert",
- "SecurityIncident"
- ],
- "dataConnectorsDependencies": [
- "AzureSql"
- ],
- "previewImagesFileNames": [""],
- "version": "1.0.0",
- "title": "Azure SQL Database Workbook",
- "templateRelativePath": "Workbook-AzureSQLSecurity.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "ContinuousDiagnostics&Mitigation",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Select the time range for this Overview.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "ContinuousDiagnostics&MitigationBlack.png",
- "ContinuousDiagnostics&MitigationWhite.png" 
- ],
- "version": "1.0.0",
- "title": "ContinuousDiagnostics&Mitigation",
- "templateRelativePath": "ContinuousDiagnostics&Mitigation.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "AtlasianJiraAuditWorkbook",
- "logoFileName": "atlassian.svg",
- "description": "Select the time range for this Overview.",
- "dataTypesDependencies": [
- "AtlassianJiraNativePoller_CL"
- ],
- "dataConnectorsDependencies": [
- "AtlassianJira"
- ],
- "previewImagesFileNames": [
- "AtlassianJiraAuditBlack.png",
- "AtlassianJiraAuditWhite.png"
- ],
- "version": "1.0.0",
- "title": "AtlasianJiraAuditWorkbook",
- "templateRelativePath": "AtlasianJiraAuditWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "AzureSecurityBenchmark",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Azure Security Benchmark v3 Workbook provides a mechanism for viewing log queries, azure resource graph, and policies aligned to ASB controls across Microsoft security offerings, Azure, Microsoft 365, 3rd Party, On-Premises, and Multi-cloud workloads. This workbook enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud workloads. 
There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective ASB requirements and practices.",
- "dataTypesDependencies": [
- "SecurityRegulatoryCompliance",
- "AzureDiagnostics",
- "SecurityIncident",
- "SigninLogs",
- "SecurityAlert"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "AzureSecurityBenchmarkBlack.png",
- "AzureSecurityBenchmarkWhite.png"
- ],
- "version": "1.0.0",
- "title": "Azure Security Benchmark",
- "templateRelativePath": "AzureSecurityBenchmark.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "ZNAccessOrchestratorAudit",
- "logoFileName": "ZeroNetworks.svg",
- "description": "This workbook provides a summary of ZeroNetworks data.",
- "dataTypesDependencies": [
- "ZNAccessOrchestratorAudit_CL",
- "ZNAccessOrchestratorAuditNativePoller_CL"
- ],
- "dataConnectorsDependencies": [
- "ZeroNetworksAccessOrchestratorAuditFunction",
- "ZeroNetworksAccessOrchestratorAuditNativePoller"
- ],
- "previewImagesFileNames": [""],
- "version": "1.0.0",
- "title": "Zero NetWork",
- "templateRelativePath": "ZNSegmentAudit.json",
- "subtitle": "",
- "provider": "Zero Networks"
-},
-{
- "workbookKey": "FireworkWorkbook",
- "logoFileName": "Flare.svg",
- "description": "Select the time range for this Overview.",
- "dataTypesDependencies": [
- "Firework_CL"
- ],
- "dataConnectorsDependencies": [
- "FlareSystemsFirework"
- ],
- "previewImagesFileNames": [
- "FireworkOverviewBlack01.png",
- "FireworkOverviewBlack02.png",
- "FireworkOverviewWhite01.png",
- "FireworkOverviewWhite02.png"
- ],
- "version": "1.0.0",
- "title": "FlareSystemsFirework",
- "templateRelativePath": "FlareSystemsFireworkOverview.json",
- "subtitle": "",
- "provider": "Flare Systems"
-},
-{
- "workbookKey": "TaniumWorkbook",
- "logoFileName": "Tanium.svg",
- "description": "Visualize Tanium endpoint and module data",
- "dataTypesDependencies": [
- "TaniumComplyCompliance_CL",
- "TaniumComplyVulnerabilities_CL",
- "TaniumDefenderHealth_CL",
- "TaniumDiscoverUnmanagedAssets_CL",
- "TaniumHighUptime_CL",
- "TaniumMainAsset_CL",
- "TaniumPatchListApplicability_CL",
- "TaniumPatchListCompliance_CL",
- "TaniumSCCMClientHealth_CL",
- "TaniumThreatResponse_CL"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "TaniumComplyBlack.png",
- "TaniumComplyWhite.png",
- "TaniumDiscoverBlack.png",
- "TaniumDiscoverWhite.png",
- "TaniumMSToolingHealthBlack.png",
- "TaniumMSToolingHealthWhite.png",
- "TaniumPatchBlack.png",
- "TaniumPatchWhite.png",
- "TaniumThreatResponseAlertsBlack.png",
- "TaniumThreatResponseAlertsWhite.png",
- "TaniumThreatResponseBlack.png",
- "TaniumThreatResponseWhite.png"
- ],
- "version": "1.0",
- "title": "Tanium Workbook",
- "templateRelativePath": "TaniumWorkbook.json",
- "subtitle": "",
- "provider": "Tanium"
-},
-{
- "workbookKey": "ActionableAlertsDashboard",
- "logoFileName": "Cybersixgill.svg",
- "description": "None.",
- "dataTypesDependencies": [
- "CyberSixgill_Alerts_CL"
- ],
- "dataConnectorsDependencies": [
- "CybersixgillActionableAlerts"
- ],
- "previewImagesFileNames": [
- "ActionableAlertsDashboardWhite.PNG",
- "ActionableAlertsDashboardBlack.PNG"
- ],
- "version": "1.0.0",
- "title": "Cybersixgill Actionable Alerts Dashboard",
- "templateRelativePath": "ActionableAlertsDashboard.json",
- "subtitle": "",
- "provider": "Cybersixgill"
-},
-{
- "workbookKey": "ActionableAlertsList",
- "logoFileName": "Cybersixgill.svg",
- "description": "None.",
- "dataTypesDependencies": [
- "CyberSixgill_Alerts_CL"
- ],
- "dataConnectorsDependencies": [
- "CybersixgillActionableAlerts"
- ],
- "previewImagesFileNames": [
- "ActionableAlertsListBlack.PNG",
- "ActionableAlertsListWhite.PNG"],
- "version": "1.0.0",
- "title": "Cybersixgill Actionable Alerts List",
- "templateRelativePath": "ActionableAlertsList.json",
- "subtitle": "",
- "provider": "Cybersixgill"
-},
-{
- "workbookKey":
"ArgosCloudSecurityWorkbook",
- "logoFileName": "argos-logo.svg",
- "description": "The ARGOS Cloud Security integration for Microsoft Sentinel allows you to have all your important cloud security events in one place.",
- "dataTypesDependencies": [
- "ARGOS_CL"
- ],
- "dataConnectorsDependencies": [
- "ARGOSCloudSecurity"
- ],
- "previewImagesFileNames": [
- "ARGOSCloudSecurityWorkbookBlack.png",
- "ARGOSCloudSecurityWorkbookWhite.png"
- ],
- "version": "1.0.0",
- "title": "ARGOS Cloud Security",
- "templateRelativePath": "ARGOSCloudSecurityWorkbook.json",
- "subtitle": "",
- "provider": "ARGOS Cloud Security"
-},
-{
- "workbookKey": "JamfProtectWorkbook",
- "logoFileName": "jamf_logo.svg",
- "description": "This Jamf Protect Workbook for Microsoft Sentinel enables you to ingest Jamf Protect events forwarded into Microsoft Sentinel.\n Providing reports into all alerts, device controls and Unfied Logs.",
- "dataTypesDependencies": [
- "jamfprotect_CL"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "JamfProtectDashboardBlack.png",
- "JamfProtectDashboardWhite.png"
- ],
- "version": "2.0.0",
- "title": "Jamf Protect Workbook",
- "templateRelativePath": "JamfProtectDashboard.json",
- "subtitle": "",
- "provider": "Jamf Software, LLC"
-},
-{
- "workbookKey": "AIVectraStream",
- "logoFileName": "AIVectraDetect.svg",
- "description": "",
- "dataTypesDependencies": [
- "VectraStream_CL"
- ],
- "dataConnectorsDependencies": [
- "AIVectraStream"
- ],
- "previewImagesFileNames": [
- "AIVectraDetectBlack1.png",
- "AIVectraDetectWhite1.png"
- ],
- "version": "1.0.0",
- "title": "AIVectraStreamWorkbook",
- "templateRelativePath": "AIVectraStreamWorkbook.json",
- "subtitle": "",
- "provider": "Vectra AI"
-},
-{
- "workbookKey": "SecurityScorecardWorkbook",
- "logoFileName": "SecurityScorecard-Cybersecurity-Ratings.svg",
- "description": "This Workbook provides immediate insight into the data coming from SecurityScorecard's three Sentinel data connectors:
SecurityScorecard Cybersecurity Ratings, SecurityScorecard Cybersecurity Ratings - Factors, and SecurityScorecard Cybersecurity Ratings - Issues.",
- "dataTypesDependencies": [
- "SecurityScorecardFactor_CL",
- "SecurityScorecardIssues_CL",
- "SecurityScorecardRatings_CL"
- ],
- "dataConnectorsDependencies": [
- "SecurityScorecardFactorAzureFunctions",
- "SecurityScorecardIssueAzureFunctions",
- "SecurityScorecardRatingsAzureFunctions"
- ],
- "previewImagesFileNames": [
- "SecurityScorecardBlack1.png",
- "SecurityScorecardBlack2.png",
- "SecurityScorecardBlack3.png",
- "SecurityScorecardBlack4.png",
- "SecurityScorecardBlack5.png",
- "SecurityScorecardBlack6.png",
- "SecurityScorecardWhite1.png",
- "SecurityScorecardWhite2.png",
- "SecurityScorecardWhite3.png",
- "SecurityScorecardWhite4.png",
- "SecurityScorecardWhite5.png",
- "SecurityScorecardWhite6.png"
- ],
- "version": "1.0.0",
- "title": "SecurityScorecard",
- "templateRelativePath": "SecurityScorecardWorkbook.json",
- "subtitle": "",
- "provider": "SecurityScorecard"
-},
-{
- "workbookKey": "DigitalShadowsWorkbook",
- "logoFileName": "DigitalShadowsLogo.svg",
- "description": "For gaining insights into Digital Shadows logs.",
- "dataTypesDependencies": [
- "DigitalShadows_CL"
- ],
- "dataConnectorsDependencies": [
- "DigitalShadowsSearchlightAzureFunctions"
- ],
- "previewImagesFileNames": [
- "DigitalShadowsBlack1.png",
- "DigitalShadowsBlack2.png",
- "DigitalShadowsBlack3.png",
- "DigitalShadowsWhite1.png",
- "DigitalShadowsWhite2.png",
- "DigitalShadowsWhite3.png"
- ],
- "version": "1.0.0",
- "title": "Digital Shadows",
- "templateRelativePath": "DigitalShadows.json",
- "subtitle": "",
- "provider": "Digital Shadows"
-},
-{
- "workbookKey": "SalesforceServiceCloudWorkbook",
- "logoFileName": "salesforce_logo.svg",
- "description": "Sets the time name for analysis.",
- "dataTypesDependencies": [
- "SalesforceServiceCloud"
- ],
- "dataConnectorsDependencies": [
- "SalesforceServiceCloud_CL"
- ],
-
"previewImagesFileNames": [""],
- "version": "1.0.0",
- "title": "Salesforce Service Cloud",
- "templateRelativePath": "SalesforceServiceCloud.json",
- "subtitle": "",
- "provider": "Salesforce"
-},
-{
- "workbookKey": "NetworkSessionSolution",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This workbook is included as part of Network Session Essentials solution and gives a summary of analyzed traffic, helps with threat analysis and investigating suspicious IP's and traffic analysis. Network Session Essentials Solution also includes playbooks to periodically summarize the logs thus enhancing user experience and improving data search. For the effective usage of workbook, we highly recommend to enable the summarization playbooks that are provided with this solution.",
- "dataTypesDependencies": [
- "AWSVPCFlow",
- "DeviceNetworkEvents",
- "SecurityEvent",
- "WindowsEvent",
- "CommonSecurityLog",
- "Syslog",
- "CommonSecurityLog",
- "VMConnection",
- "AzureDiagnostics",
- "AzureDiagnostics",
- "CommonSecurityLog",
- "Corelight_CL",
- "VectraStream",
- "CommonSecurityLog",
- "CommonSecurityLog",
- "Syslog",
- "CiscoMerakiNativePoller"
- ],
- "dataConnectorsDependencies": [
- "AWSS3",
- "MicrosoftThreatProtection",
- "SecurityEvents",
- "WindowsForwardedEvents",
- "Zscaler",
- "MicrosoftSysmonForLinux",
- "PaloAltoNetworks",
- "AzureMonitor(VMInsights)",
- "AzureFirewall",
- "AzureNSG",
- "CiscoASA",
- "Corelight",
- "AIVectraStream",
- "CheckPoint",
- "Fortinet",
- "CiscoMeraki",
- "CefAma"
- ],
- "previewImagesFileNames": [""],
- "version": "1.0.0",
- "title": "Network Session Essentials",
- "templateRelativePath": "NetworkSessionEssentials.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "SAPSODAnalysis",
- "logoFileName": "SAPVMIcon.svg",
- "description": "SAP SOD Analysis",
- "dataTypesDependencies": [
- "SAPAuditLog"
- ],
- "dataConnectorsDependencies": [
- "SAP"
- ],
- "previewImagesFileNames": [""],
- "version": "2.0.0",
-
"title": "SAP SOD Analysis",
- "templateRelativePath": "SAP - Segregation of Duties v2.0 (by Aliter Consulting).json",
- "subtitle": "",
- "provider": "Aliter Consulting"
-},
-{
- "workbookKey": "TheomWorkbook",
- "logoFileName": "theom-logo.svg",
- "description": "Theom Alert Statistics",
- "dataTypesDependencies": [
- "TheomAlerts_CL"
- ],
- "dataConnectorsDependencies": [
- "Theom"
- ],
- "previewImagesFileNames": [
- "TheomWorkbook-black.png",
- "TheomWorkbook-white.png"
- ],
- "version": "1.0.0",
- "title": "Theom",
- "templateRelativePath": "Theom.json",
- "subtitle": "",
- "provider": "Theom"
-},
-{
- "workbookKey": "DynatraceWorkbooks",
- "logoFileName": "dynatrace.svg",
- "description": "This workbook brings together queries and visualizations to assist you in identifying potential threats surfaced by Dynatrace.",
- "dataTypesDependencies": [
- "DynatraceAttacks",
- "DynatraceAuditLogs",
- "DynatraceProblems",
- "DynatraceRuntimeVulnerabilities"
- ],
- "dataConnectorsDependencies": [
- "DynatraceAttacks",
- "DynatraceAuditLogs",
- "DynatraceProblems",
- "DynatraceRuntimeVulnerabilities"
- ],
- "previewImagesFileNames": [
- "DynatraceWorkbookBlack.png",
- "DynatraceWorkbookWhite.png"
- ],
- "version": "3.0.1",
- "title": "Dynatrace",
- "templateRelativePath": "Dynatrace.json",
- "subtitle": "",
- "provider": "Dynatrace"
-},
-{
- "workbookKey": "MDOWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Gain extensive insight into your organization's Microsoft Defender for Office Activity by analyzing, and correlating events.\nYou can track malware and phishing detection over time.",
- "dataTypesDependencies": [
- "SecurityAlert"
- ],
- "dataConnectorsDependencies": [
- "MicrosoftThreatProtection"
- ],
- "previewImagesFileNames": [
- "MDOBlack1.png",
- "MDOBlack2.png",
- "MDOWhite1.png",
- "MDOWhite2.png"
- ],
- "version": "1.0.0",
- "title": "Microsoft Defender XDR MDOWorkbook",
- "templateRelativePath": "MDO Insights.json",
- "subtitle": "",
-
"provider": "Microsoft"
-},
-{
- "workbookKey": "AnomaliesVisualizationWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "A workbook that provides contextual information to a user for better insight on Anomalies and their impact. The workbook will help with investigation of anomalies as well as identify patterns that can lead to a threat.",
- "dataTypesDependencies": [
- "Anomalies"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "AnomaliesVisualizationWorkbookWhite.png",
- "AnomaliesVisualizationWorkbookBlack.png"
- ],
- "version": "1.0.0",
- "title": "AnomaliesVisulization",
- "templateRelativePath": "AnomaliesVisualization.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
-},
-{
- "workbookKey": "AnomalyDataWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "A workbook providing details, related Incident, and related Hunting Workbook for a specific Anomaly.",
- "dataTypesDependencies": [
- "Anomalies"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "AnomalyDataWorkbookWhite.png",
- "AnomalyDataWorkbookBlack.png"
- ],
- "version": "1.0.0",
- "title": "AnomalyData",
- "templateRelativePath": "AnomalyData.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
-},
-{
- "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC-Online",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This Workbook, dedicated to Exchange Online environments is built to have a simple view of non-standard RBAC delegations on an Exchange Online tenant.
This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment.",
- "dataTypesDependencies": [
- "ESIExchangeOnlineConfig_CL"
- ],
- "dataConnectorsDependencies": [
- "ESI-ExchangeOnlineCollector"
- ],
- "previewImagesFileNames": [
- "MicrosoftExchangeLeastPrivilegewithRBAC-OnlineBlack.png",
- "MicrosoftExchangeLeastPrivilegewithRBAC-OnlineWhite.png"
- ],
- "version": "1.1.0",
- "title": "Microsoft Exchange Least Privilege with RBAC - Online",
- "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC - Online.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This Workbook, dedicated to On-Premises environments is built to have a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment. Required Data Connector: Exchange Security Insights On-Premises Collector.",
- "dataTypesDependencies": [
- "ESIExchangeConfig_CL"
- ],
- "dataConnectorsDependencies": [
- "ESI-ExchangeOnPremisesCollector",
- "ESI-ExchangeAdminAuditLogEvents"
- ],
- "previewImagesFileNames": [
- "MicrosoftExchangeLeastPrivilegewithRBACBlack.png",
- "MicrosoftExchangeLeastPrivilegewithRBACWhite.png"
- ],
- "version": "1.0.1",
- "title": "Microsoft Exchange Least Privilege with RBAC",
- "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "MicrosoftExchangeSearchAdminAuditLog",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This workbook is dedicated to On-Premises Exchange organizations.
It uses the MSExchange Management event logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Exchange Audit Event logs via Legacy Agent.",
- "dataTypesDependencies": [
- "ESIExchangeConfig_CL"
- ],
- "dataConnectorsDependencies": [
- "ESI-ExchangeOnPremisesCollector",
- "ESI-ExchangeAdminAuditLogEvents"
- ],
- "previewImagesFileNames": [
- "MicrosoftExchangeSearchAdminAuditLogBlack.png",
- "MicrosoftExchangeSearchAdminAuditLogWhite.png"
- ],
- "version": "1.0.1",
- "title": "Microsoft Exchange Search AdminAuditLog",
- "templateRelativePath": "Microsoft Exchange Search AdminAuditLog.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "MicrosoftExchangeSearchAdminAuditLog-Online",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This workbook is dedicated to Online Exchange organizations. It uses the Office Activity logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Microsoft 365 (Exchange).",
- "dataTypesDependencies": [
- "OfficeActivity"
- ],
- "dataConnectorsDependencies": [
- "Office365"
- ],
- "previewImagesFileNames": [
- "MicrosoftExchangeOnlineSearchAdminAuditLogBlack.png",
- "MicrosoftExchangeOnlineSearchAdminAuditLogWhite.png"
- ],
- "version": "1.0.0",
- "title": "Microsoft Exchange Search AdminAuditLog - Online",
- "templateRelativePath": "Microsoft Exchange Search AdminAuditLog - Online.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "MicrosoftExchangeSecurityMonitoring",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This Workbook is dedicated to On-Premises Exchange organizations.
It uses the MSExchange Management event logs and Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook allows also to list Exchange Services changes, local account activities and local logon on Exchange Servers. Required Data Connector: Exchange Audit Event logs via Legacy Agent.",
- "dataTypesDependencies": [
- "ESIExchangeConfig_CL"
- ],
- "dataConnectorsDependencies": [
- "ESI-ExchangeOnPremisesCollector",
- "ESI-ExchangeAdminAuditLogEvents"
- ],
- "previewImagesFileNames": [
- "MicrosoftExchangeSecurityMonitoringBlack.png",
- "MicrosoftExchangeSecurityMonitoringWhite.png"
- ],
- "version": "1.0.1",
- "title": "Microsoft Exchange Admin Activity",
- "templateRelativePath": "Microsoft Exchange Admin Activity.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "MicrosoftExchangeAdminActivity-Online",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This Workbook is dedicated to Online Exchange organizations. It uses Office Activity logs. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. Required Data Connector: Microsoft 365 (Exchange).",
- "dataTypesDependencies": [
- "OfficeActivity"
- ],
- "dataConnectorsDependencies": [
- "Office365"
- ],
- "previewImagesFileNames": [
- "MicrosoftExchangeAdminActivity-OnlineBlack.png",
- "MicrosoftExchangeAdminActivity-OnlineWhite.png"
- ],
- "version": "1.0.1",
- "title": "Microsoft Exchange Admin Activity - Online",
- "templateRelativePath": "Microsoft Exchange Admin Activity - Online.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "MicrosoftExchangeSecurityReview-Online",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This Workbook is dedicated to Exchange Online tenants.
It displays and highlights current Security configuration on various Exchange components specific to Online including delegations, the transport configuration and the linked security risks, and risky protocols.",
- "dataTypesDependencies": [
- "ESIExchangeOnlineConfig_CL"
- ],
- "dataConnectorsDependencies": [
- "ESI-ExchangeOnlineCollector"
- ],
- "previewImagesFileNames": [
- "MicrosoftExchangeSecurityReview-OnlineBlack.png",
- "MicrosoftExchangeSecurityReview-OnlineWhite.png"
- ],
- "version": "1.1.0",
- "title": "Microsoft Exchange Security Review - Online",
- "templateRelativePath": "Microsoft Exchange Security Review - Online.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "MicrosoftExchangeSecurityReview",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks.
Required Data Connector: Exchange Security Insights On-Premises Collector.",
- "dataTypesDependencies": [
- "ESIExchangeConfig_CL"
- ],
- "dataConnectorsDependencies": [
- "ESI-ExchangeOnPremisesCollector",
- "ESI-ExchangeAdminAuditLogEvents"
- ],
- "previewImagesFileNames": [
- "MicrosoftExchangeSecurityReviewBlack.png",
- "MicrosoftExchangeSecurityReviewWhite.png"
- ],
- "version": "2.0.0",
- "title": "Microsoft Exchange Security Review",
- "templateRelativePath": "Microsoft Exchange Security Review.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "ibossMalwareAndC2Workbook",
- "logoFileName": "iboss_logo.svg",
- "description": "A workbook providing insights into malware and C2 activity detected by iboss.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [
- "ibossAma",
- "CefAma"
- ],
- "previewImagesFileNames": [""],
- "version": "1.0.0",
- "title": "iboss Malware and C2",
- "templateRelativePath": "ibossMalwareAndC2.json",
- "subtitle": "",
- "provider": "iboss"
-},
-{
- "workbookKey": "ibossWebUsageWorkbook",
- "logoFileName": "iboss_logo.svg",
- "description": "A workbook providing insights into web usage activity detected by iboss.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [
- "ibossAma",
- "CefAma"
- ],
- "previewImagesFileNames": [""],
- "version": "1.0.0",
- "title": "iboss Web Usage",
- "templateRelativePath": "ibossWebUsage.json",
- "subtitle": "",
- "provider": "iboss"
-},
-{
- "workbookKey": "CynerioOverviewWorkbook",
- "logoFileName": "Cynerio.svg",
- "description": "An overview of Cynerio Security events",
- "dataTypesDependencies": ["CynerioEvent_CL"],
- "dataConnectorsDependencies": ["CynerioSecurityEvents"],
- "previewImagesFileNames": ["CynerioOverviewBlack.png", "CynerioOverviewWhite.png"],
- "version": "1.0.0",
- "title": "Cynerio Overview Workbook",
- "templateRelativePath": "CynerioOverviewWorkbook.json",
- "subtitle": "",
- "provider": "Cynerio"
-},
-{
- "workbookKey":
"ReversingLabs-CapabilitiesOverview",
- "logoFileName": "reversinglabs.svg",
- "description": "The ReversingLabs-CapabilitiesOverview workbook provides a high level look at your threat intelligence capabilities and how they relate to your operations.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "ReversingLabsTiSummary-White.png",
- "ReversingLabsTiSummary-Black.png",
- "ReversingLabsOpsSummary-White.png",
- "ReversingLabsOpsSummary-Black.png"
- ],
- "version": "1.1.1",
- "title": "ReversingLabs-CapabilitiesOverview",
- "templateRelativePath": "ReversingLabs-CapabilitiesOverview.json",
- "subtitle": "",
- "provider": "ReversingLabs"
-},
-{
- "workbookKey": "vCenter",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This data connector depends on a parser based on Kusto Function **vCenter** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-vCenter-parser)",
- "dataTypesDependencies": [
- "vCenter_CL"
- ],
- "dataConnectorsDependencies": [
- "VMwarevCenter"
- ],
- "previewImagesFileNames": [""],
- "version": "1.0.0",
- "title": "vCenter",
- "templateRelativePath": "vCenter.json",
- "subtitle": "",
- "provider": "VMware"
-},
-{
- "workbookKey": "SAP-Monitors-AlertsandPerformance",
- "logoFileName": "SAPVMIcon.svg",
- "description": "SAP -Monitors- Alerts and Performance",
- "dataTypesDependencies": [
- "SAPAuditLog"
- ],
- "dataConnectorsDependencies": [
- "SAP"
- ],
- "previewImagesFileNames": [""],
- "version": "2.0.1",
- "title": "SAP -Monitors- Alerts and Performance",
- "templateRelativePath": "SAP -Monitors- Alerts and Performance.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "SAP-SecurityAuditlogandInitialAccess",
- "logoFileName": "SAPVMIcon.svg",
- "description": "SAP -Security Audit log and Initial Access",
- "dataTypesDependencies": [
- "SAPAuditLog"
- ],
- "dataConnectorsDependencies": [
- "SAP"
- ],
- "previewImagesFileNames":
[""],
- "version": "2.0.1",
- "title": "SAP -Security Audit log and Initial Access",
- "templateRelativePath": "SAP -Security Audit log and Initial Access.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "DNSSolutionWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This workbook is included as part of the DNS Essentials solution and gives a summary of analyzed DNS traffic. It also helps with threat analysis and investigating suspicious Domains, IPs and DNS traffic. DNS Essentials Solution also includes a playbook to periodically summarize the logs, thus enhancing the user experience and improving data search. For effective usage of workbook, we highly recommend enabling the summarization playbook that is provided with this solution.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "DNSDomainWorkbookWhite.png",
- "DNSDomainWorkbookBlack.png"
- ],
- "version": "1.0.0",
- "title": "DNS Solution Workbook",
- "templateRelativePath": "DNSSolutionWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "MicrosoftPowerBIActivityWorkbook",
- "logoFileName": "PowerBILogo.svg",
- "description": "This workbook provides details on Microsoft PowerBI Activity",
- "dataTypesDependencies": [
- "PowerBIActivity"
- ],
- "dataConnectorsDependencies": [
- "Microsoft PowerBI (Preview)"
- ],
- "previewImagesFileNames": [
- "MicrosoftPowerBIActivityWorkbookBlack.png",
- "MicrosoftPowerBIActivityWorkbookWhite.png"
- ],
- "version": "1.0.0",
- "title": "Microsoft PowerBI Activity Workbook",
- "templateRelativePath": "MicrosoftPowerBIActivityWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "MicrosoftThreatIntelligenceWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Gain insights into threat indicators ingestion and search for indicators at scale across Microsoft 1st Party, 3rd Party, On-Premises, Hybrid, and
Multi-Cloud Workloads. Indicators Search facilitates a simple interface for finding IP, File, Hash, Sender and more across your data. Seamless pivots to correlate indicators with Microsoft Sentinel: Incidents to make your threat intelligence actionable.",
- "dataTypesDependencies": [
- "ThreatIntelligenceIndicator",
- "SecurityIncident"
- ],
- "dataConnectorsDependencies": [
- "ThreatIntelligence",
- "ThreatIntelligenceTaxii"
- ],
- "previewImagesFileNames": [
- "ThreatIntelligenceWhite.png",
- "ThreatIntelligenceBlack.png"
- ],
- "version": "1.0.0",
- "title": "Threat Intelligence",
- "templateRelativePath": "MicrosoftThreatIntelligence.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
- {
- "workbookKey": "MicrosoftDefenderForEndPoint",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "A wokbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through M365 Defender Connector.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "microsoftdefenderforendpointwhite.png",
- "microsoftdefenderforendpointblack.png"
- ],
- "version": "1.0.0",
- "title": "Microsoft Defender For EndPoint",
- "templateRelativePath": "MicrosoftDefenderForEndPoint.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "MicrosoftSentinelDeploymentandMigrationTracker",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Use this workbook as a tool to define, track, and complete key deployment/migraiton tasks for Microsoft Sentinel.
This workbook serves as a central hub for monitoring and configuring key areas of the product without having to leave the workbook and start over.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "microsoftsentineldeploymentandmigration-black.png",
- "microsoftsentineldeploymentandmigration-white.png"
- ],
- "version": "1.1.2",
- "title": "Microsoft Sentinel Deployment and Migration Tracker",
- "templateRelativePath": "MicrosoftSentinelDeploymentandMigrationTracker.json",
+ "title": "Microsoft Exchange Security Review - Online",
+ "templateRelativePath": "Microsoft Exchange Security Review - Online.json",
 "subtitle": "",
- "provider": "Microsoft Sentinel Community",
- "support": {
- "tier": "Community"
- },
- "author": {
- "name": "Matt Lowe"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [
- "Platform"
- ]
- }
+ "provider": "Microsoft"
 },
 {
- "workbookKey": "MicrosoftDefenderForIdentity",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Use this workbook to analyse the advance hunting data ingested for Defender For Identity.",
- "dataTypesDependencies": [
- "IdentityLogonEvents",
- "IdentityQueryEvents",
- "IdentityDirectoryEvents",
- "SecurityAlert"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "microsoftdefenderforidentity-black.png",
- "microsoftdefenderforidentity-white.png"
- ],
- "version": "1.0.0",
- "title": "Microsoft Defender For Identity",
- "templateRelativePath": "MicrosoftDefenderForIdentity.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
-{
- "workbookKey": "EsetProtect",
- "logoFileName": "eset-logo.svg",
- "description": "Visualize events and threats from Eset protect.",
- "dataTypesDependencies": [
- "ESETPROTECT"
- ],
- "dataConnectorsDependencies": [
- "ESETPROTECT"
- ],
- "previewImagesFileNames": [
- "ESETPROTECTBlack.png",
- "ESETPROTECTWhite.png"
- ],
- "version": "1.0.0",
- "title": "EsetProtect",
- "templateRelativePath": "ESETPROTECT.json",
- "subtitle": "",
- "provider": "Community"
-},
-{
- "workbookKey": "CyberArkEPMWorkbook",
- "logoFileName": "CyberArk_Logo.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "CyberArkEPM_CL"
- ],
- "dataConnectorsDependencies": [
- "CyberArkEPM"
- ],
- "previewImagesFileNames": [
- "CyberArkEPMBlack.png",
- "CyberArkEPMWhite.png"
- ],
- "version": "1.0.0",
- "title": "CyberArk EPM",
- "templateRelativePath": "CyberArkEPM.json",
- "subtitle": "",
- "provider": "CyberArk"
-},
-{
- "workbookKey": "IncidentTasksWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Use this workbook to review and modify existing incidents with tasks. This workbook provides views that higlight incident tasks that are open, closed, or deleted, as well as incidents with tasks that are either owned or unassigned. The workbook also provides SOC metrics around incident task performance, such as percentage of incidents without tasks, average time to close tasks, and more.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "Tasks-Black.png",
- "Tasks-White.png"
-],
- "version": "1.1.0",
- "title": "Incident Tasks Workbook",
- "templateRelativePath": "IncidentTasksWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
- {
- "workbookKey": "SentinelWorkspaceReconTools",
+ "workbookKey": "MicrosoftExchangeSecurityReview",
 "logoFileName": "Azure_Sentinel.svg",
- "description": "A workbook providing investigation tools for key tables. Good for incident response, tuning, and cost optimizaiton. An attempt to bring the Windows EventViewer experience to the cloud.",
+ "description": "This Workbook is dedicated to On-Premises Exchange organizations.
It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks. Required Data Connector: Exchange Security Insights On-Premises Collector.",
 "dataTypesDependencies": [
- "AzureActivity",
- "AuditLogs",
- "SigninLogs",
- "SecurityIncident",
- "SecurityAlert",
- "CommonSecurityLog",
- "Events",
- "SecurityEvents",
- "Syslog",
- "WindowsSecurityEvents"
+ "ESIExchangeConfig_CL"
 ],
 "dataConnectorsDependencies": [
- "AzureActivity",
- "AzureActiveDirectory",
- "SecurityEvents",
- "WindowsSecurityEvents"
- ],
- "previewImagesFileNames": [
- "SentinelWorkspaceReconToolsWhite.png",
- "SentinelWorkspaceReconToolsBlack.png"
- ],
- "version": "1.0.1",
- "title": "Sentinel Workspace Recon Tools",
- "templateRelativePath": "SentinelWorkspaceReconTools.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community",
- "support": {
- "tier": "Community"
- },
- "author": {
- "name": "Andrew Blumhardt"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [
- "Security - Others"
- ]
- }
- },
- {
- "workbookKey": "SyslogOverview",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "A workbook designed to show an overview about the data ingested through Syslog.",
- "dataTypesDependencies": [
- "Syslog"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "syslogoverview-white.png",
- "syslogoverview-black.png"
- ],
- "version": "1.0.0",
- "title": "Syslog Overview",
- "templateRelativePath": "syslogoverview.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community",
- "support": {
- "tier": "Community"
- },
- "author": {
- "name": "Samik Roy"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [
- "Application"
- ]
- }
- },
- {
- "workbookKey": "SentinelHealth",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "A workbook to show data fo Sentinel Health.",
- "dataTypesDependencies": [
- "SentinelHealth"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "SentinelHealthWhite.png",
- "SentinelHealthBlack.png"
- ],
- "version": "1.0.0",
- "title": "Sentinel Health",
- "templateRelativePath": "SentinelHealth.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community",
- "support": {
- "tier": "Microsoft"
- },
- "author": {
- "name": "Samik Roy"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [ "Platform" ]
- }
- },
- {
- "workbookKey": "MicrosoftSentinelCostGBP",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This workbook provides an estimated cost in GBP (£) across the main billed items in Microsoft Sentinel: ingestion, retention and automation. It also provides insight about the possible impact of the Microsoft 365 E5 offer.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "MicrosoftSentinelCostGBPWhite.png", "MicrosoftSentinelCostGBPBlack.png"],
- "version": "1.6.1",
- "title": "Microsoft Sentinel Cost (GBP)",
- "templateRelativePath": "MicrosoftSentinelCostGBP.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community",
- "support": {
- "tier": "Microsoft"
- },
- "author": {
- "name": "noodlemctwoodle"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [ "Platform" ]
- }
- },
- {
- "workbookKey": "SentinelCosts",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "A workbook to demonstrate insights into the costs of Sentinel environment.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "SentinelCostsWhite.png",
- "SentinelCostsBlack.png"
+ "ESI-ExchangeOnPremisesCollector",
+ "ESI-ExchangeAdminAuditLogEvents"
 ],
- "version": "1.5.1",
- "title": "Sentinel Costs",
- "templateRelativePath": "SentinelCosts.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community",
- "support": {
- "tier": "Microsoft"
- },
- "author": {
- "name": "Yahya Abulhaj"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [ "Platform" ]
- }
- },
- {
- "workbookKey": "AnalyticsHealthAudit",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This workbook provides visibility on the health and audit of your analytics rules. You will be able to find out whether an analytics rule is running as expected and get a list of changes made to an analytic rule.",
- "dataTypesDependencies": ["SentinelHealth", "SentinelAudit"],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "AnalyticsHealthAuditWhite.png", "AnalyticsHealthAuditBlack.png" ],
- "version": "1.0.0",
- "title": "Analytics Health & Audit",
- "templateRelativePath": "AnalyticsHealthAudit.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community",
- "support": {
- "tier": "Microsoft"
- },
- "author": {
- "name": "Microsoft Corporation"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [
- "IT Operations",
- "Platform"
- ]
- }
- },
- {
- "workbookKey": "AzureLogCoverage",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This Workbook pulls the current Azure inventory via Azure Resource Graph explorer and compares it with data written to one or more selected Log Analytics workspaces to determine which resources are sending data and which ones are not. 
This can be used to expose gaps in your logging coverage and/or identify inactive resources.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], "previewImagesFileNames": [ - "AzureLogCoverageWhite1.png", - "AzureLogCoverageWhite2.png", - "AzureLogCoverageBlack1.png", - "AzureLogCoverageBlack2.png" - ], - "version": "1.1.0", - "title": "Azure Log Coverage", - "templateRelativePath": "AzureLogCoverage.json", + "MicrosoftExchangeSecurityReviewBlack.png", + "MicrosoftExchangeSecurityReviewWhite.png" + ], + "version": "2.0.0", + "title": "Microsoft Exchange Security Review", + "templateRelativePath": "Microsoft Exchange Security Review.json", "subtitle": "", - "provider": "Microsoft Sentinel Community", - "support": { - "tier": "Community" - }, - "author": { - "name": "Alex Anders" - }, - "source": { - "kind": "Community" - } + "provider": "Microsoft" }, + { + "workbookKey": "ibossMalwareAndC2Workbook", + "logoFileName": "iboss_logo.svg", + "description": "A workbook providing insights into malware and C2 activity detected by iboss.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [ + "ibossAma", + "CefAma" + ], + "previewImagesFileNames": [ + "" + ], + "version": "1.0.0", + "title": "iboss Malware and C2", + "templateRelativePath": "ibossMalwareAndC2.json", + "subtitle": "", + "provider": "iboss" + }, + { + "workbookKey": "ibossWebUsageWorkbook", + "logoFileName": "iboss_logo.svg", + "description": "A workbook providing insights into web usage activity detected by iboss.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [ + "ibossAma", + "CefAma" + ], + "previewImagesFileNames": [ + "" + ], + "version": "1.0.0", + "title": "iboss Web Usage", + "templateRelativePath": "ibossWebUsage.json", + "subtitle": "", + "provider": "iboss" + }, + { + "workbookKey": "CynerioOverviewWorkbook", + "logoFileName": "Cynerio.svg", + "description": "An overview of Cynerio Security events", + "dataTypesDependencies": [ + "CynerioEvent_CL" + 
], + "dataConnectorsDependencies": [ + "CynerioSecurityEvents" + ], + "previewImagesFileNames": [ + "CynerioOverviewBlack.png", + "CynerioOverviewWhite.png" + ], + "version": "1.0.0", + "title": "Cynerio Overview Workbook", + "templateRelativePath": "CynerioOverviewWorkbook.json", + "subtitle": "", + "provider": "Cynerio" + }, + { + "workbookKey": "ReversingLabs-CapabilitiesOverview", + "logoFileName": "reversinglabs.svg", + "description": "The ReversingLabs-CapabilitiesOverview workbook provides a high level look at your threat intelligence capabilities and how they relate to your operations.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "ReversingLabsTiSummary-White.png", + "ReversingLabsTiSummary-Black.png", + "ReversingLabsOpsSummary-White.png", + "ReversingLabsOpsSummary-Black.png" + ], + "version": "1.1.1", + "title": "ReversingLabs-CapabilitiesOverview", + "templateRelativePath": "ReversingLabs-CapabilitiesOverview.json", + "subtitle": "", + "provider": "ReversingLabs" + }, + { + "workbookKey": "vCenter", + "logoFileName": "Azure_Sentinel.svg", + "description": "This data connector depends on a parser based on Kusto Function **vCenter** to work as expected. 
[Follow steps to get this Kusto Function](https://aka.ms/sentinel-vCenter-parser)", + "dataTypesDependencies": [ + "vCenter_CL" + ], + "dataConnectorsDependencies": [ + "VMwarevCenter" + ], + "previewImagesFileNames": [ + "" + ], + "version": "1.0.0", + "title": "vCenter", + "templateRelativePath": "vCenter.json", + "subtitle": "", + "provider": "VMware" + }, + { + "workbookKey": "SAP-Monitors-AlertsandPerformance", + "logoFileName": "SAPVMIcon.svg", + "description": "SAP -Monitors- Alerts and Performance", + "dataTypesDependencies": [ + "SAPAuditLog" + ], + "dataConnectorsDependencies": [ + "SAP" + ], + "previewImagesFileNames": [ + "" + ], + "version": "2.0.1", + "title": "SAP -Monitors- Alerts and Performance", + "templateRelativePath": "SAP -Monitors- Alerts and Performance.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "SAP-SecurityAuditlogandInitialAccess", + "logoFileName": "SAPVMIcon.svg", + "description": "SAP -Security Audit log and Initial Access", + "dataTypesDependencies": [ + "SAPAuditLog" + ], + "dataConnectorsDependencies": [ + "SAP" + ], + "previewImagesFileNames": [ + "" + ], + "version": "2.0.1", + "title": "SAP -Security Audit log and Initial Access", + "templateRelativePath": "SAP -Security Audit log and Initial Access.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "DNSSolutionWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "This workbook is included as part of the DNS Essentials solution and gives a summary of analyzed DNS traffic. It also helps with threat analysis and investigating suspicious Domains, IPs and DNS traffic. DNS Essentials Solution also includes a playbook to periodically summarize the logs, thus enhancing the user experience and improving data search. 
For effective usage of workbook, we highly recommend enabling the summarization playbook that is provided with this solution.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "DNSDomainWorkbookWhite.png", + "DNSDomainWorkbookBlack.png" + ], + "version": "1.0.0", + "title": "DNS Solution Workbook", + "templateRelativePath": "DNSSolutionWorkbook.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "MicrosoftPowerBIActivityWorkbook", + "logoFileName": "PowerBILogo.svg", + "description": "This workbook provides details on Microsoft PowerBI Activity", + "dataTypesDependencies": [ + "PowerBIActivity" + ], + "dataConnectorsDependencies": [ + "Microsoft PowerBI (Preview)" + ], + "previewImagesFileNames": [ + "MicrosoftPowerBIActivityWorkbookBlack.png", + "MicrosoftPowerBIActivityWorkbookWhite.png" + ], + "version": "1.0.0", + "title": "Microsoft PowerBI Activity Workbook", + "templateRelativePath": "MicrosoftPowerBIActivityWorkbook.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "MicrosoftThreatIntelligenceWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Gain insights into threat indicators ingestion and search for indicators at scale across Microsoft 1st Party, 3rd Party, On-Premises, Hybrid, and Multi-Cloud Workloads. Indicators Search facilitates a simple interface for finding IP, File, Hash, Sender and more across your data. 
Seamless pivots to correlate indicators with Microsoft Sentinel: Incidents to make your threat intelligence actionable.", + "dataTypesDependencies": [ + "ThreatIntelligenceIndicator", + "SecurityIncident" + ], + "dataConnectorsDependencies": [ + "ThreatIntelligence", + "ThreatIntelligenceTaxii" + ], + "previewImagesFileNames": [ + "ThreatIntelligenceWhite.png", + "ThreatIntelligenceBlack.png" + ], + "version": "1.0.0", + "title": "Threat Intelligence", + "templateRelativePath": "MicrosoftThreatIntelligence.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "MicrosoftDefenderForEndPoint", + "logoFileName": "Azure_Sentinel.svg", + "description": "A wokbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through M365 Defender Connector.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "microsoftdefenderforendpointwhite.png", + "microsoftdefenderforendpointblack.png" + ], + "version": "1.0.0", + "title": "Microsoft Defender For EndPoint", + "templateRelativePath": "MicrosoftDefenderForEndPoint.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community" + }, + { + "workbookKey": "MicrosoftSentinelDeploymentandMigrationTracker", + "logoFileName": "Azure_Sentinel.svg", + "description": "Use this workbook as a tool to define, track, and complete key deployment/migraiton tasks for Microsoft Sentinel. 
This workbook serves as a central hub for monitoring and configuring key areas of the product without having to leave the workbook and start over.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "microsoftsentineldeploymentandmigration-black.png", + "microsoftsentineldeploymentandmigration-white.png" + ], + "version": "1.1.2", + "title": "Microsoft Sentinel Deployment and Migration Tracker", + "templateRelativePath": "MicrosoftSentinelDeploymentandMigrationTracker.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Community" + }, + "author": { + "name": "Matt Lowe" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Platform" + ] + } + }, + { + "workbookKey": "MicrosoftDefenderForIdentity", + "logoFileName": "Azure_Sentinel.svg", + "description": "Use this workbook to analyse the advance hunting data ingested for Defender For Identity.", + "dataTypesDependencies": [ + "IdentityLogonEvents", + "IdentityQueryEvents", + "IdentityDirectoryEvents", + "SecurityAlert" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "microsoftdefenderforidentity-black.png", + "microsoftdefenderforidentity-white.png" + ], + "version": "1.0.0", + "title": "Microsoft Defender For Identity", + "templateRelativePath": "MicrosoftDefenderForIdentity.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community" + }, + { + "workbookKey": "EsetProtect", + "logoFileName": "eset-logo.svg", + "description": "Visualize events and threats from Eset protect.", + "dataTypesDependencies": [ + "ESETPROTECT" + ], + "dataConnectorsDependencies": [ + "ESETPROTECT" + ], + "previewImagesFileNames": [ + "ESETPROTECTBlack.png", + "ESETPROTECTWhite.png" + ], + "version": "1.0.0", + "title": "EsetProtect", + "templateRelativePath": "ESETPROTECT.json", + "subtitle": "", + "provider": "Community" + }, + { + "workbookKey": "CyberArkEPMWorkbook", + 
"logoFileName": "CyberArk_Logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CyberArkEPM_CL" + ], + "dataConnectorsDependencies": [ + "CyberArkEPM" + ], + "previewImagesFileNames": [ + "CyberArkEPMBlack.png", + "CyberArkEPMWhite.png" + ], + "version": "1.0.0", + "title": "CyberArk EPM", + "templateRelativePath": "CyberArkEPM.json", + "subtitle": "", + "provider": "CyberArk" + }, + { + "workbookKey": "IncidentTasksWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Use this workbook to review and modify existing incidents with tasks. This workbook provides views that higlight incident tasks that are open, closed, or deleted, as well as incidents with tasks that are either owned or unassigned. The workbook also provides SOC metrics around incident task performance, such as percentage of incidents without tasks, average time to close tasks, and more.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "Tasks-Black.png", + "Tasks-White.png" + ], + "version": "1.1.0", + "title": "Incident Tasks Workbook", + "templateRelativePath": "IncidentTasksWorkbook.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "SentinelWorkspaceReconTools", + "logoFileName": "Azure_Sentinel.svg", + "description": "A workbook providing investigation tools for key tables. Good for incident response, tuning, and cost optimizaiton. 
An attempt to bring the Windows EventViewer experience to the cloud.", + "dataTypesDependencies": [ + "AzureActivity", + "AuditLogs", + "SigninLogs", + "SecurityIncident", + "SecurityAlert", + "CommonSecurityLog", + "Events", + "SecurityEvents", + "Syslog", + "WindowsSecurityEvents" + ], + "dataConnectorsDependencies": [ + "AzureActivity", + "AzureActiveDirectory", + "SecurityEvents", + "WindowsSecurityEvents" + ], + "previewImagesFileNames": [ + "SentinelWorkspaceReconToolsWhite.png", + "SentinelWorkspaceReconToolsBlack.png" + ], + "version": "1.0.1", + "title": "Sentinel Workspace Recon Tools", + "templateRelativePath": "SentinelWorkspaceReconTools.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Community" + }, + "author": { + "name": "Andrew Blumhardt" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Security - Others" + ] + } + }, + { + "workbookKey": "SyslogOverview", + "logoFileName": "Azure_Sentinel.svg", + "description": "A workbook designed to show an overview about the data ingested through Syslog.", + "dataTypesDependencies": [ + "Syslog" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "syslogoverview-white.png", + "syslogoverview-black.png" + ], + "version": "1.0.0", + "title": "Syslog Overview", + "templateRelativePath": "syslogoverview.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Community" + }, + "author": { + "name": "Samik Roy" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Application" + ] + } + }, + { + "workbookKey": "SentinelHealth", + "logoFileName": "Azure_Sentinel.svg", + "description": "A workbook to show data fo Sentinel Health.", + "dataTypesDependencies": [ + "SentinelHealth" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "SentinelHealthWhite.png", + "SentinelHealthBlack.png" + ], + "version": "1.0.0", + "title": 
"Sentinel Health", + "templateRelativePath": "SentinelHealth.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Microsoft" + }, + "author": { + "name": "Samik Roy" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Platform" + ] + } + }, + { + "workbookKey": "MicrosoftSentinelCostGBP", + "logoFileName": "Azure_Sentinel.svg", + "description": "This workbook provides an estimated cost in GBP (£) across the main billed items in Microsoft Sentinel: ingestion, retention and automation. It also provides insight about the possible impact of the Microsoft 365 E5 offer.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "MicrosoftSentinelCostGBPWhite.png", + "MicrosoftSentinelCostGBPBlack.png" + ], + "version": "1.6.1", + "title": "Microsoft Sentinel Cost (GBP)", + "templateRelativePath": "MicrosoftSentinelCostGBP.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Microsoft" + }, + "author": { + "name": "noodlemctwoodle" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Platform" + ] + } + }, + { + "workbookKey": "SentinelCosts", + "logoFileName": "Azure_Sentinel.svg", + "description": "A workbook to demonstrate insights into the costs of Sentinel environment.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "SentinelCostsWhite.png", + "SentinelCostsBlack.png" + ], + "version": "1.5.1", + "title": "Sentinel Costs", + "templateRelativePath": "SentinelCosts.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Microsoft" + }, + "author": { + "name": "Yahya Abulhaj" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Platform" + ] + } + }, + { + "workbookKey": "AnalyticsHealthAudit", + "logoFileName": "Azure_Sentinel.svg", + "description": "This 
workbook provides visibility on the health and audit of your analytics rules. You will be able to find out whether an analytics rule is running as expected and get a list of changes made to an analytic rule.", + "dataTypesDependencies": [ + "SentinelHealth", + "SentinelAudit" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "AnalyticsHealthAuditWhite.png", + "AnalyticsHealthAuditBlack.png" + ], + "version": "1.0.0", + "title": "Analytics Health & Audit", + "templateRelativePath": "AnalyticsHealthAudit.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Microsoft" + }, + "author": { + "name": "Microsoft Corporation" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "IT Operations", + "Platform" + ] + } + }, + { + "workbookKey": "AzureLogCoverage", + "logoFileName": "Azure_Sentinel.svg", + "description": "This Workbook pulls the current Azure inventory via Azure Resource Graph explorer and compares it with data written to one or more selected Log Analytics workspaces to determine which resources are sending data and which ones are not. 
This can be used to expose gaps in your logging coverage and/or identify inactive resources.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "AzureLogCoverageWhite1.png", + "AzureLogCoverageWhite2.png", + "AzureLogCoverageBlack1.png", + "AzureLogCoverageBlack2.png" + ], + "version": "1.1.0", + "title": "Azure Log Coverage", + "templateRelativePath": "AzureLogCoverage.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Community" + }, + "author": { + "name": "Alex Anders" + }, + "source": { + "kind": "Community" + } + }, { "workbookKey": "AzureSensitiveOperationsReview", "logoFileName": "Azure_Sentinel.svg", "description": "Monitor Sesnitive Operations in Azure Activity using Azure Threat Research Matrix ", - "dataTypesDependencies": [ "AzureActivity" ], - "dataConnectorsDependencies": [ "AzureActivity" ], - "previewImagesFileNames": [ "SensitiveoperationSecurityBlack.png", "SensitiveoperationSecurityWhite.png" ], + "dataTypesDependencies": [ + "AzureActivity" + ], + "dataConnectorsDependencies": [ + "AzureActivity" + ], + "previewImagesFileNames": [ + "SensitiveoperationSecurityBlack.png", + "SensitiveoperationSecurityWhite.png" + ], "version": "1.0.0", "title": "Azure SensitiveOperations Review Workbook", "templateRelativePath": "SensitiveOperationsinAzureActivityLogReview.json", "subtitle": "", - "provider": "Microsoft Sentinel community", + "provider": "Microsoft Sentinel community", + "support": { + "tier": "Microsoft" + }, + "author": { + "name": "Microsoft Corporation" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "IT Operations", + "Platform" + ] + } + }, + { + "workbookKey": "MicrosoftSentinelCostEUR", + "logoFileName": "Azure_Sentinel.svg", + "description": "This workbook provides an estimated cost in EUR (€) across the main billed items in Microsoft Sentinel: ingestion, retention and automation. 
It also provides insight about the possible impact of the Microsoft 365 E5 offer.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "MicrosoftSentinelCostEURWhite.png", + "MicrosoftSentinelCostEURBlack.png" + ], + "version": "1.2.0", + "title": "Microsoft Sentinel Cost (EUR)", + "templateRelativePath": "MicrosoftSentinelCostEUR.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Microsoft" + }, + "author": { + "name": "Marco Passanisi" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Platform" + ] + } + }, + { + "workbookKey": "LogAnalyticsQueryAnalysis", + "logoFileName": "Azure_Sentinel.svg", + "description": "This workbook provides an analysis on Log Analytics Query Logs.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "LogAnalyticsQueryAnalysisBlack.PNG", + "LogAnalyticsQueryAnalysisWhite.PNG" + ], + "version": "1.0.0", + "title": "Log Analytics Query Analysis", + "templateRelativePath": "LogAnalyticsQueryAnalysis.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Microsoft" + }, + "author": { + "name": "Samik Roy" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Platform" + ] + } + }, + { + "workbookKey": "AcscEssential8", + "logoFileName": "ACSClogo.svg", + "description": "This workbook provides insights on the health state of Azure resources against requirements by the ACSC Essential 8.", + "dataTypesDependencies": [ + "DeviceTvmSecureConfigurationAssessment" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "AcscEssential8Black1.png", + "AcscEssential8White1.png", + "AcscEssential8Black2.png", + "AcscEssential8White2.png" + ], + "version": "2.0.0", + "title": "ACSC Essential 8", + "templateRelativePath": "AcscEssential8.json", + "subtitle": "", + "provider": "Microsoft", + 
"support": { + "tier": "Microsoft" + }, + "author": { + "name": "Microsoft Corporation" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Compliance", + "IT Operations" + ] + } + }, + { + "workbookKey": "TalonInsights", + "logoFileName": "Talon.svg", + "description": "This workbook provides Talon Security Insights on Log Analytics Query Logs", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "TalonInsightsBlack.png", + "TalonInsightsWhite.png" + ], + "version": "2.0.0", + "title": "Talon Insights", + "templateRelativePath": "TalonInsights.json", + "subtitle": "", + "provider": "Talon Cyber Security" + }, + { + "workbookKey": "manualincident", + "logoFileName": "Azure_Sentinel.svg", + "description": "This workbook gives the ability for efficient incident management by enabling manual creation of Microsoft Sentinel incidents directly from within the workbook.", + "dataTypesDependencies": [ + "" + ], + "dataConnectorsDependencies": [ + "" + ], + "previewImagesFileNames": [ + "ManualincidentWhite.png", + "ManualincidentBlack.png" + ], + "version": "1.0.0", + "title": "Incident Management with Microsoft Sentinel Manual Creation of Incidents Workbook", + "templateRelativePath": "ManualSentinelIncident.json", + "subtitle": "", + "provider": "Microsoft Sentinel community", + "support": { + "tier": "Community" + }, + "author": { + "name": "Microsoft Sentinel Community" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Security - Others" + ] + } + }, + { + "workbookKey": "CofenseTriageThreatIndicators", + "logoFileName": "CofenseTriage.svg", + "description": "This workbook provides visualization of Cofense Triage threat indicators which are ingested in the Microsoft Sentinel Threat intelligence.", + "dataTypesDependencies": [ + "ThreatIntelligenceIndicator", + "Report_links_data_CL" + ], + "dataConnectorsDependencies": [ + "CofenseTriageDataConnector" + ], + 
"previewImagesFileNames": [ + "CofenseTriageThreatIndicatorsWhite1.png", + "CofenseTriageThreatIndicatorsBlack1.png" + ], + "version": "1.0", + "title": "CofenseTriageThreatIndicators", + "templateRelativePath": "CofenseTriageThreatIndicators.json", + "subtitle": "", + "provider": "Cofense" + }, + { + "workbookKey": "OptimizationWorkbook", + "logoFileName": "optimization.svg", + "description": "This workbook aims to help you gain insights into your current Microsoft Sentinel environment, while also providing recommendations for optimizing costs, improving operational effectiveness, and offering a management overview.", + "dataTypesDependencies": [ + "SentinelHealth", + "SentinelAudit" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "OptimizationWorkbookBlack.png", + "OptimizationWorkbookWhite.png" + ], + "version": "1.4.0", + "title": "Microsoft Sentinel Optimization Workbook", + "templateRelativePath": "OptimizationWorkbook.json", + "subtitle": "", + "provider": "Microsoft", + "support": { + "tier": "Microsoft" + }, + "author": { + "name": "Jeremy Tan, Matthew Lowe, Margaret Mwaura" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "IT Operations" + ] + } + }, + { + "workbookKey": "DataCollectionRuleToolkit", + "logoFileName": "Azure_Sentinel.svg", + "description": "Use this workbook solution to create, review, and modify data collection rules for Microsoft Sentinel. 
This workbook provides a click-through experience that centralizes key components from Microsoft Sentinel, Azure Log Analytics, and Azure Monitor to enable users to create new DCRs, modify existing DCRs, and review all DCRs in the environment.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "Dcr-toolkit-Black.png", + "Dcr-toolkit-White.png" + ], + "version": "1.2.0", + "title": "Data Collection Rule Toolkit", + "templateRelativePath": "DCR-Toolkit.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Community" + }, + "author": { + "name": "Microsoft Sentinel Community" + }, + "source": { + "kind": "Community" + }, + "categories": { + "domains": [ + "Data Collection" + ] + } + }, + { + "workbookKey": "NetskopeWorkbook", + "logoFileName": "Netskope_logo.svg", + "description": "Gain insights and comprehensive monitoring into Netskope events data by analyzing traffic and user activities.\nThis workbook provides insights into various Netskope events types such as Cloud Firewall, Network Private Access, Applications, Security Alerts as well as Web Transactions.\nYou can use this workbook to get visibility in to your Netskope Security Cloud and quickly identify threats, anamolies, traffic patterns, cloud application useage, blocked URL addresses and more.", + "dataTypesDependencies": [ + "Netskope_Events_CL", + "Netskope_Alerts_CL", + "Netskope_WebTX_CL" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "Netskope-ApplicationEvents-Black.png", + "Netskope-ApplicationEvents-White.png", + "Netskope-SecurityAlerts-DLP-Black.png", + "Netskope-SecurityAlerts-DLP-White.png", + "Netskope-NetworkEvents-CFW-Black.png", + "Netskope-NetworkEvents-CFW-White.png", + "Netskope-SecurityAlerts-Malsite-Black.png", + "Netskope-SecurityAlerts-Malsite-White.png", + "Netskope-NetworkEvents-NPA-Black.png", + "Netskope-NetworkEvents-NPA-White.png", + 
"Netskope-SecurityAlerts-Malware-White.png", + "Netskope-SecurityAlerts-Malware-Black.png", + "Netskope-SecurityAlerts-BehaviorAnalytics-Black.png", + "Netskope-SecurityAlerts-BehaviorAnalytics-White.png", + "Netskope-SecurityAlerts-Overview-Black.png", + "Netskope-SecurityAlerts-Overview-White.png", + "Netskope-SecurityAlerts-CompormisedCredentials-Black.png", + "Netskope-SecurityAlerts-CompromisedCredentials-White.png", + "Netskope-WebTransactions-Black.png", + "Netskope-WebTransactions-White.png" + ], + "version": "1.0", + "title": "Netskope", + "templateRelativePath": "NetskopeEvents.json", + "subtitle": "", + "provider": "Netskope" + }, + { + "workbookKey": "AIShield", + "logoFileName": "AIShield_Logo.svg", + "description": "Visualize events generated by AIShield. This workbook is dependent on a parser AIShield which is a part of the solution deployment.", + "dataTypesDependencies": [ + "AIShield" + ], + "dataConnectorsDependencies": [ + "AIShield" + ], + "previewImagesFileNames": [ + "AIShieldBlack.png", + "AIShieldWhite.png" + ], + "version": "1.0.0", + "title": "AIShield Workbook", + "templateRelativePath": "AIShield.json", + "subtitle": "", + "provider": "Community" + }, + { + "workbookKey": "AdvancedWorkbookConcepts", + "logoFileName": "Azure_Sentinel.svg", + "description": "Use this workbook to view and learn advanced concepts for workbooks in Azure Monitor and Microsoft Sentinel. 
Examples are provided in order to teach users how the concepts look, work, and are built.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "Advancedworkbookconcepts-Black.png", + "Advancedworkbookconcepts-White.png" + ], + "version": "1.1.0", + "title": "Advanced Workbook Concepts", + "templateRelativePath": "AdvancedWorkbookConcepts.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", "support": { - "tier": "Microsoft" - }, - "author": { - "name": "Microsoft Corporation" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "IT Operations", - "Platform" - ] - } - }, - { - "workbookKey": "MicrosoftSentinelCostEUR", - "logoFileName": "Azure_Sentinel.svg", - "description": "This workbook provides an estimated cost in EUR (€) across the main billed items in Microsoft Sentinel: ingestion, retention and automation. It also provides insight about the possible impact of the Microsoft 365 E5 offer.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ "MicrosoftSentinelCostEURWhite.png", "MicrosoftSentinelCostEURBlack.png"], - "version": "1.2.0", - "title": "Microsoft Sentinel Cost (EUR)", - "templateRelativePath": "MicrosoftSentinelCostEUR.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community", - "support": { - "tier": "Microsoft" + "tier": "Microsoft" }, "author": { - "name": "Marco Passanisi" + "name": "Microsoft Sentinel Community" }, "source": { - "kind": "Community" + "kind": "Community" }, "categories": { - "domains": [ "Platform" ] + "domains": [ + "Workbooks", + "Reporting", + "Visualization" + ] } - }, - { - "workbookKey": "LogAnalyticsQueryAnalysis", - "logoFileName": "Azure_Sentinel.svg", - "description": "This workbook provides an analysis on Log Analytics Query Logs.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ "LogAnalyticsQueryAnalysisBlack.PNG", 
"LogAnalyticsQueryAnalysisWhite.PNG"], - "version": "1.0.0", - "title": "Log Analytics Query Analysis", - "templateRelativePath": "LogAnalyticsQueryAnalysis.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community", - "support": { - "tier": "Microsoft" + }, + { + "workbookKey": "NetCleanProActiveWorkbook", + "logoFileName": "NetCleanImpactLogo.svg", + "description": "This workbook provides insights on NetClean ProActive Incidents.", + "dataTypesDependencies": [ + "Netclean_Incidents_CL" + ], + "dataConnectorsDependencies": [ + "Netclean_ProActive_Incidents" + ], + "previewImagesFileNames": [ + "NetCleanProActiveBlack1.png", + "NetCleanProActiveBlack2.png", + "NetCleanProActiveWhite1.png", + "NetCleanProActiveWhite2.png" + ], + "version": "1.0.0", + "title": "NetClean ProActive", + "templateRelativePath": "NetCleanProActiveWorkbook.json", + "subtitle": "", + "provider": "NetClean" + }, + { + "workbookKey": "AutomationHealth", + "logoFileName": "Azure_Sentinel.svg", + "description": "Have a holistic overview of your automation health, gain insights about failures, correlate Microsoft Sentinel health with Logic Apps diagnostics logs and deep dive automation details per incident", + "dataTypesDependencies": [ + "SentinelHealth" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "AutomationHealthBlack.png", + "AutomationHealthWhite.png" + ], + "version": "2.0.0", + "title": "Automation health", + "templateRelativePath": "AutomationHealth.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community" + }, + { + "workbookKey": "PlaybooksHealth", + "logoFileName": "Azure_Sentinel.svg", + "description": "The workbook will provide you with deeper insights regarding the status, activity, and billing of each playbook. 
You can use the workbook's logic to monitor the general health of the playbooks.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "PlaybookHealthWhite.PNG", + "PlaybookHealthBlack.PNG" + ], + "version": "1.0.0", + "title": "Playbooks health monitoring (preview)", + "templateRelativePath": "PlaybookHealth.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community", + "support": { + "tier": "Microsoft" }, "author": { - "name": "Samik Roy" + "name": "Microsoft Corporation" }, "source": { - "kind": "Community" + "kind": "Community" }, "categories": { - "domains": [ "Platform" ] + "domains": [ + "IT Operations", + "Platform" + ] } - }, - { - "workbookKey": "AcscEssential8", - "logoFileName": "ACSClogo.svg", - "description": "This workbook provides insights on the health state of Azure resources against requirements by the ACSC Essential 8.", - "dataTypesDependencies": [ "DeviceTvmSecureConfigurationAssessment" ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ "AcscEssential8Black1.png", "AcscEssential8White1.png", "AcscEssential8Black2.png", "AcscEssential8White2.png" ], - "version": "2.0.0", - "title": "ACSC Essential 8", - "templateRelativePath": "AcscEssential8.json", - "subtitle": "", - "provider": "Microsoft", - "support": { - "tier": "Microsoft" - }, - "author": { - "name": "Microsoft Corporation" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "Compliance", - "IT Operations" - ] - } - } , - { - "workbookKey": "TalonInsights", - "logoFileName": "Talon.svg", - "description": "This workbook provides Talon Security Insights on Log Analytics Query Logs", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "TalonInsightsBlack.png", - "TalonInsightsWhite.png" - ], - "version": "2.0.0", - "title": "Talon Insights", - "templateRelativePath": "TalonInsights.json", - "subtitle": "", - "provider": "Talon Cyber 
Security" - }, - { - "workbookKey": "manualincident", - "logoFileName": "Azure_Sentinel.svg", - "description": "This workbook gives the ability for efficient incident management by enabling manual creation of Microsoft Sentinel incidents directly from within the workbook.", - "dataTypesDependencies": [ "" ], - "dataConnectorsDependencies": [ "" ], - "previewImagesFileNames": [ "ManualincidentWhite.png", "ManualincidentBlack.png" ], - "version": "1.0.0", - "title": "Incident Management with Microsoft Sentinel Manual Creation of Incidents Workbook", - "templateRelativePath": "ManualSentinelIncident.json", - "subtitle": "", - "provider": "Microsoft Sentinel community", - "support": { - "tier": "Community" - }, - "author": { - "name": "Microsoft Sentinel Community" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "Security - Others" - ] - } - }, - { - "workbookKey": "CofenseTriageThreatIndicators", - "logoFileName": "CofenseTriage.svg", - "description": "This workbook provides visualization of Cofense Triage threat indicators which are ingested in the Microsoft Sentinel Threat intelligence.", - "dataTypesDependencies": [ - "ThreatIntelligenceIndicator", - "Report_links_data_CL" - ], - "dataConnectorsDependencies": [ - "CofenseTriageDataConnector" - ], - "previewImagesFileNames": [ - "CofenseTriageThreatIndicatorsWhite1.png", - "CofenseTriageThreatIndicatorsBlack1.png" - ], - "version": "1.0", - "title": "CofenseTriageThreatIndicators", - "templateRelativePath": "CofenseTriageThreatIndicators.json", - "subtitle": "", - "provider": "Cofense" - }, - { - "workbookKey": "OptimizationWorkbook", - "logoFileName": "optimization.svg", - "description": "This workbook aims to help you gain insights into your current Microsoft Sentinel environment, while also providing recommendations for optimizing costs, improving operational effectiveness, and offering a management overview.", - "dataTypesDependencies": ["SentinelHealth", "SentinelAudit"], - 
"dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "OptimizationWorkbookBlack.png", - "OptimizationWorkbookWhite.png" - ], - "version": "1.4.0", - "title": "Microsoft Sentinel Optimization Workbook", - "templateRelativePath": "OptimizationWorkbook.json", - "subtitle": "", - "provider": "Microsoft", - "support": { - "tier": "Microsoft" - }, - "author": { - "name": "Jeremy Tan, Matthew Lowe, Margaret Mwaura" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "IT Operations" - ] - } - }, - { - "workbookKey": "DataCollectionRuleToolkit", - "logoFileName": "Azure_Sentinel.svg", - "description": "Use this workbook solution to create, review, and modify data collection rules for Microsoft Sentinel. This workbook provides a click-through experience that centralizes key components from Microsoft Sentinel, Azure Log Analytics, and Azure Monitor to enable users to create new DCRs, modify existing DCRs, and review all DCRs in the environment.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ "Dcr-toolkit-Black.png", "Dcr-toolkit-White.png"], - "version": "1.2.0", - "title": "Data Collection Rule Toolkit", - "templateRelativePath": "DCR-Toolkit.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community", - "support": { - "tier": "Community" - }, - "author": { - "name": "Microsoft Sentinel Community" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "Data Collection" - ] - } - }, - - { - "workbookKey": "NetskopeWorkbook", - "logoFileName": "Netskope_logo.svg", - "description": "Gain insights and comprehensive monitoring into Netskope events data by analyzing traffic and user activities.\nThis workbook provides insights into various Netskope events types such as Cloud Firewall, Network Private Access, Applications, Security Alerts as well as Web Transactions.\nYou can use this workbook to get visibility in to your Netskope Security Cloud and 
quickly identify threats, anamolies, traffic patterns, cloud application useage, blocked URL addresses and more.", - "dataTypesDependencies": [ - "Netskope_Events_CL", - "Netskope_Alerts_CL", - "Netskope_WebTX_CL" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "Netskope-ApplicationEvents-Black.png", - "Netskope-ApplicationEvents-White.png", - "Netskope-SecurityAlerts-DLP-Black.png", - "Netskope-SecurityAlerts-DLP-White.png", - "Netskope-NetworkEvents-CFW-Black.png", - "Netskope-NetworkEvents-CFW-White.png", - "Netskope-SecurityAlerts-Malsite-Black.png", - "Netskope-SecurityAlerts-Malsite-White.png", - "Netskope-NetworkEvents-NPA-Black.png", - "Netskope-NetworkEvents-NPA-White.png", - "Netskope-SecurityAlerts-Malware-White.png", - "Netskope-SecurityAlerts-Malware-Black.png", - "Netskope-SecurityAlerts-BehaviorAnalytics-Black.png", - "Netskope-SecurityAlerts-BehaviorAnalytics-White.png", - "Netskope-SecurityAlerts-Overview-Black.png", - "Netskope-SecurityAlerts-Overview-White.png", - "Netskope-SecurityAlerts-CompormisedCredentials-Black.png", - "Netskope-SecurityAlerts-CompromisedCredentials-White.png", - "Netskope-WebTransactions-Black.png", - "Netskope-WebTransactions-White.png" - ], - "version": "1.0", - "title": "Netskope", - "templateRelativePath": "NetskopeEvents.json", - "subtitle": "", - "provider": "Netskope" - }, - { - "workbookKey": "AIShield", - "logoFileName": "AIShield_Logo.svg", - "description": "Visualize events generated by AIShield. 
This workbook is dependent on a parser AIShield which is a part of the solution deployment.", - "dataTypesDependencies": [ - "AIShield" - ], - "dataConnectorsDependencies": [ - "AIShield" - ], - "previewImagesFileNames": [ - "AIShieldBlack.png", - "AIShieldWhite.png" - ], - "version": "1.0.0", - "title": "AIShield Workbook", - "templateRelativePath": "AIShield.json", - "subtitle": "", - "provider": "Community" - }, - { - "workbookKey": "AdvancedWorkbookConcepts", - "logoFileName": "Azure_Sentinel.svg", - "description": "Use this workbook to view and learn advanced concepts for workbooks in Azure Monitor and Microsoft Sentinel. Examples are provided in order to teach users how the concepts look, work, and are built.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ "Advancedworkbookconcepts-Black.png", "Advancedworkbookconcepts-White.png"], - "version": "1.1.0", - "title": "Advanced Workbook Concepts", - "templateRelativePath": "AdvancedWorkbookConcepts.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community", - "support": { - "tier": "Microsoft" - }, -"author": { - "name": "Microsoft Sentinel Community" - }, -"source": { - "kind": "Community" - }, -"categories": { - "domains": [ - "Workbooks", - "Reporting", - "Visualization" - ] - } -}, -{ - "workbookKey": "NetCleanProActiveWorkbook", - "logoFileName": "NetCleanImpactLogo.svg", - "description": "This workbook provides insights on NetClean ProActive Incidents.", - "dataTypesDependencies": [ - "Netclean_Incidents_CL" - ], - "dataConnectorsDependencies": [ - "Netclean_ProActive_Incidents" - ], - "previewImagesFileNames": [ - "NetCleanProActiveBlack1.png", - "NetCleanProActiveBlack2.png", - "NetCleanProActiveWhite1.png", - "NetCleanProActiveWhite2.png" - ], - "version": "1.0.0", - "title": "NetClean ProActive", - "templateRelativePath": "NetCleanProActiveWorkbook.json", - "subtitle": "", - "provider": "NetClean" - }, - { - "workbookKey": "AutomationHealth", 
- "logoFileName": "Azure_Sentinel.svg", - "description": "Have a holistic overview of your automation health, gain insights about failures, correlate Microsoft Sentinel health with Logic Apps diagnostics logs and deep dive automation details per incident", - "dataTypesDependencies": [ - "SentinelHealth" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "AutomationHealthBlack.png", - "AutomationHealthWhite.png" - ], - "version": "2.0.0", - "title": "Automation health", - "templateRelativePath": "AutomationHealth.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community" - }, -{ - "workbookKey": "PlaybooksHealth", - "logoFileName": "Azure_Sentinel.svg", - "description": "The workbook will provide you with deeper insights regarding the status, activity, and billing of each playbook. You can use the workbook's logic to monitor the general health of the playbooks.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "PlaybookHealthWhite.PNG", - "PlaybookHealthBlack.PNG" - ], - "version": "1.0.0", - "title": "Playbooks health monitoring (preview)", - "templateRelativePath": "PlaybookHealth.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community", - "support": { - "tier": "Microsoft" - }, - "author": { - "name": "Microsoft Corporation" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "IT Operations", - "Platform" - ] - } - }, - { - "workbookKey": "CiscoSDWANWorkbook", - "logoFileName": "cisco-logo-72px.svg", - "description": "Cisco SD-WAN Workbook equips administrators with the necessary tools to implement robust security measures and stay ahead of emerging threats.By leveraging the insights and recommendations provided in the workbook, network administrators can effectively protect their SD-WAN infrastructure from potential vulnerabilities and ensure a secure and reliable network connectivity for their organization.", - "dataTypesDependencies": [ 
- "Syslog", - "CiscoSDWANNetflow_CL" - ], - "dataConnectorsDependencies": ["CiscoSDWAN"], - "previewImagesFileNames": [ - "CiscoSDWANWhite1.png", - "CiscoSDWANWhite2.png", - "CiscoSDWANWhite3.png", - "CiscoSDWANBlack1.png", - "CiscoSDWANBlack2.png", - "CiscoSDWANBlack3.png" - ], - "version": "1.0.0", - "title": "Cisco SD-WAN", - "templateRelativePath": "CiscoSDWAN.json", - "provider": "Cisco" - }, - { - "workbookKey": "SAP-AuditControls", - "logoFileName": "SAPVMIcon.svg", - "description": "SAP -Audit Controls (Preview)", - "dataTypesDependencies": [ - "SAPAuditLog" - ], - "dataConnectorsDependencies": [ - "SAP" - ], - "previewImagesFileNames": [""], - "version": "1.0.0", - "title": "SAP -Audit Controls (Preview)", - "templateRelativePath": "SAP -Audit Controls (Preview).json", - "subtitle": "", - "provider": "Microsoft" -}, - { - "workbookKey": "ZoomReports", - "logoFileName": "Azure_Sentinel.svg", - "description": "Visualize various details & visuals on Zoom Report data ingested though the solution. This also have a dependency on the parser which is available as a part of Zoom solution named Zoom", - "dataTypesDependencies": [ "Zoom" ], - "dataConnectorsDependencies": ["Zoom Reports"], - "previewImagesFileNames": [ "ZoomReportsBlack.png", "ZoomReportsWhite.png" ], - "version": "1.0.0", - "title": "Zoom Reports", - "templateRelativePath": "ZoomReports.json", - "subtitle": "", - "provider": "Community" - }, - { - "workbookKey": "InsiderRiskManagementWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "The Microsoft Insider Risk Management Workbook integrates telemetry from 25+ Microsoft security products to provide actionable insights into insider risk management. Reporting tools provide \u201cGo to Alert\u201d links to provide deeper integration between products and a simplified user experience for exploring alerts. 
", - "dataTypesDependencies": [ - "SigninLogsSigninLogs", - "AuditLogs", - "AzureActivity", - "OfficeActivity", - "InformationProtectionLogs_CL", - "SecurityIncident" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "InsiderRiskManagementBlack.png", - "InsiderRiskManagementWhite.png" - ], - "version": "1.0.0", - "title": "Insider Risk Management", - "templateRelativePath": "InsiderRiskManagement.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "Fortiweb-workbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "This workbook depends on a parser based on a Kusto Function to work as expected [**Fortiweb**](https://aka.ms/sentinel-FortiwebDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "FortinetFortiWeb" - ], - "previewImagesFileNames": [""], - "version": "1.0.0", - "title": "Fortiweb-workbook", - "templateRelativePath": "Fortiweb-workbook.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "WebSessionEssentialsWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "The 'Web Session Essentials' workbook provides real-time insights into activity and potential threats in your network. This workbook is designed for network teams, security architects, analysts, and consultants to monitor, identify and investigate threats on Web servers, Web Proxies and Web Security Gateways assets. 
This Workbook gives a summary of analysed web traffic and helps with threat analysis and investigating suspicious http traffic.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "WebSessionEssentialsWorkbookWhite.png", - "WebSessionEssentialsWorkbookBlack.png" - ], - "version": "1.0.0", - "title": "Web Session Essentials Workbook", - "templateRelativePath": "WebSessionEssentials.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "IslandAdminAuditOverview", - "logoFileName": "island.svg", - "description": "This workbook provides a view into the activities of administrators in the Island Management Console.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [""], - "version": "1.0.0", - "title": "Island Admin Audit Overview", - "templateRelativePath": "IslandAdminAuditOverview.json", - "subtitle": "", - "provider": "Island" - }, - { - "workbookKey": "IslandUserActivityOverview", - "logoFileName": "island.svg", - "description": "This workbook provides a view into the activities of users while using the Island Enterprise Browser.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [""], - "version": "1.0.0", - "title": "Island User Activity Overview", - "templateRelativePath": "IslandUserActivityOverview.json", - "subtitle": "", - "provider": "Island" - }, - { - "workbookKey": "BloodHoundEnterpriseAttackPathWorkbook", - "logoFileName": "BHE_Logo.svg", - "description": "Gain insights into BloodHound Enterprise attack paths.", - "dataTypesDependencies": [ "BloodHoundEnterprise" ], - "dataConnectorsDependencies": [ "BloodHoundEnterprise" ], - "previewImagesFileNames": [""], - "version": "1.0", - "title": "BloodHound Enterprise Attack Paths", - "templateRelativePath": "BloodHoundEnterpriseAttackPath.json", - "subtitle": "", - "provider": "SpecterOps" -}, -{ - "workbookKey": 
"BloodHoundEnterprisePostureWorkbook", - "logoFileName": "BHE_Logo.svg", - "description": "Gain insights into BloodHound Enterprise domain posture.", - "dataTypesDependencies": [ "BloodHoundEnterprise" ], - "dataConnectorsDependencies": [ "BloodHoundEnterprise" ], - "previewImagesFileNames": [""], - "version": "1.0", - "title": "BloodHound Enterprise Posture", - "templateRelativePath": "BloodHoundEnterprisePosture.json", - "subtitle": "", - "provider": "SpecterOps" -}, -{ - "workbookKey": "BitSightWorkbook", - "logoFileName": "BitSight.svg", - "description": "Gain insights into BitSight data.", - "dataTypesDependencies": ["Alerts_data_CL", "BitsightBreaches_data_CL", "BitsightCompany_details_CL", "BitsightCompany_rating_details_CL", "BitsightDiligence_historical_statistics_CL", "BitsightDiligence_statistics_CL", "BitsightFindings_summary_CL", "BitsightFindings_data_CL", "BitsightGraph_data_CL", "BitsightIndustrial_statistics_CL", "BitsightObservation_statistics_CL"], - "dataConnectorsDependencies": ["BitSightDatConnector"], - "previewImagesFileNames": ["BitSightWhite1.png","BitSightBlack1.png"], - "version": "1.0.0", - "title": "BitSight", - "templateRelativePath": "BitSightWorkbook.json", - "subtitle": "", - "provider": "BitSight" -}, - { - "workbookKey": "VectraXDR", - "logoFileName": "AIVectraDetect.svg", - "description": "This workbook provides visualization of Audit, Detections, Entity Scoring, Lockdown and Health data.", - "dataTypesDependencies": [ - "Audits_Data_CL", - "Detections_Data_CL", - "Entity_Scoring_Data_CL", - "Lockdown_Data_CL", - "Health_Data_CL" - ], - "dataConnectorsDependencies": [ - "VectraDataConnector" - ], - "previewImagesFileNames": [ - "VectraXDRWhite1.png", - "VectraXDRWhite2.png", - "VectraXDRWhite3.png", - "VectraXDRWhite4.png", - "VectraXDRWhite5.png", - "VectraXDRBlack1.png", - "VectraXDRBlack2.png", - "VectraXDRBlack3.png", - "VectraXDRBlack4.png", - "VectraXDRBlack5.png" - ], - "version": "1.0.0", - "title": "Vectra XDR", - 
"templateRelativePath": "VectraXDR.json", - "subtitle": "", - "provider": "Vectra" - }, - { - "workbookKey": "CloudflareWorkbook", - "logoFileName": "cloudflare.svg", - "description": "Gain insights into Cloudflare events. You will get visibility on your Cloudflare web traffic, security, reliability.", - "dataTypesDependencies": [ "Cloudflare_CL" ], - "dataConnectorsDependencies": [ "CloudflareDataConnector" ], - "previewImagesFileNames": ["CloudflareOverviewWhite01.png", "CloudflareOverviewWhite02.png", "CloudflareOverviewBlack01.png", "CloudflareOverviewBlack02.png"], - "version": "1.0", - "title": "Cloudflare", - "templateRelativePath": "Cloudflare.json", - "subtitle": "", - "provider": "Cloudflare" -}, -{ - "workbookKey": "CofenseIntelligenceWorkbook", - "logoFileName": "CofenseTriage.svg", - "description": "This workbook provides visualization of Cofense Intelligence threat indicators which are ingested in the Microsoft Sentinel Threat intelligence.", - "dataTypesDependencies": [ - "ThreatIntelligenceIndicator", - "Malware_Data" - ], - "dataConnectorsDependencies": [ - "CofenseIntelligenceDataConnector" - ], - "previewImagesFileNames": [ - "CofenseIntelligenceWhite1.png", - "CofenseIntelligenceBlack1.png" - ], - "version": "1.0", - "title": "CofenseIntelligenceThreatIndicators", - "templateRelativePath": "CofenseIntelligenceThreatIndicators.json", - "subtitle": "", - "provider": "Cofense" -}, -{ - "workbookKey": "EgressDefendMetricWorkbook", - "logoFileName": "Egress-logo.svg", - "description": "A workbook providing insights into Egress Defend.", - "dataTypesDependencies": ["EgressDefend_CL"], - "previewImagesFileNames": [ "EgressDefendMetricWorkbookBlack01.png", "EgressDefendMetricWorkbookWhite01.png" ], - "version": "1.0.0", - "title": "Egress Defend Insights", - "templateRelativePath": "DefendMetrics.json", - "subtitle": "Defend Metrics", - "provider": "Egress Software Technologies" - }, - { - "workbookKey": "UserWorkbook-alexdemichieli-github-update-1", - 
"logoFileName": "GitHub.svg", - "description": "Gain insights to GitHub activities that may be interesting for security.", - "dataTypesDependencies": [ - "GitHubAuditLogPolling_CL" - ], - "dataConnectorsDependencies": [ - "GitHubEcAuditLogPolling" - ], - "previewImagesFileNames": [""], - "version": "1.0.0", - "title": "GitHub Security", - "templateRelativePath": "GitHubAdvancedSecurity.json", - "subtitle": "", - "provider": "Microsoft" -}, -{ - "workbookKey": "SalemDashboard", - "logoFileName": "salem_logo.svg", - "description": "Monitor Salem Performance", - "dataTypesDependencies": [ "SalemAlerts_CL" ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [""], - "version": "1.0.0", - "title": "Salem Alerts Workbook", - "templateRelativePath": "SalemDashboard.json", - "subtitle": "", - "provider": "SalemCyber" -}, -{ - "workbookKey": "MimecastAuditWorkbook", - "logoFileName": "Mimecast.svg", - "description": "A workbook providing insights into Mimecast Audit.", - "dataTypesDependencies": [ - "MimecastAudit_CL" - ], - "previewImagesFileNames": [ - "MimecastAuditBlack1.png", - "MimecastAuditBlack2.png", - "MimecastAuditWhite1.png", - "MimecastAuditWhite2.png" - ], - "version": "1.0.0", - "title": "MimecastAudit", - "templateRelativePath": "MimecastAudit.json", - "subtitle": "Mimecast Audit", - "provider": "Mimecast" -}, -{ - "workbookKey": "MailGuard365Workbook", - "logoFileName": "MailGuard365_logo.svg", - "description": "MailGuard 365 Workbook", - "dataTypesDependencies": [ - "MailGuard365_Threats_CL" - ], - "dataConnectorsDependencies": [ - "MailGuard365" - ], - "previewImagesFileNames": ["MailGuard365WorkbookWhite1.png", - "MailGuard365WorkbookWhite2.png", - "MailGuard365WorkbookBlack1.png", - "MailGuard365WorkbookBlack2.png" -], - "version": "1.0.0", - "title": "MailGuard365", - "templateRelativePath": "MailGuard365Dashboard.json", - "subtitle": "", - "provider": "MailGuard 365" -}, -{ - "workbookKey": "MimecastTIRegionalWorkbook", - "logoFileName": 
"Mimecast.svg", - "description": "A workbook providing insights into Mimecast Regional Threat indicator.", - "dataTypesDependencies": ["ThreatIntelligenceIndicator"], - "dataConnectorsDependencies": [ - "MimecastTIRegionalConnectorAzureFunctions" - ], - "previewImagesFileNames": [ - "MimecastTIReginalWhite.png", - "MimecastTIRegionalBlack.png" - ], - "version": "1.0.0", - "title": "MimecastTIRegional", - "templateRelativePath": "MimecastTIRegional.json", - "subtitle": "Mimecast TI Regional", - "provider": "Mimecast" -}, -{ - "workbookKey": "DataminrPulseAlerts", - "logoFileName": "DataminrPulse.svg", - "description": "This Workbook provides insight into the data coming from DataminrPulse.", - "dataTypesDependencies": ["DataminrPulse_Alerts_CL"], - "dataConnectorsDependencies": ["DataminrPulseAlerts"], - "previewImagesFileNames": [ "DataminrPulseAlertsBlack1.png", - "DataminrPulseAlertsBlack2.png", - "DataminrPulseAlertsBlack3.png", - "DataminrPulseAlertsBlack4.png", - "DataminrPulseAlertsBlack5.png", - "DataminrPulseAlertsWhite1.png", - "DataminrPulseAlertsWhite2.png", - "DataminrPulseAlertsWhite3.png", - "DataminrPulseAlertsWhite4.png", - "DataminrPulseAlertsWhite5.png" - ], - "version": "1.0.0", - "title": "Dataminr Pulse Alerts", - "templateRelativePath": "DataminrPulseAlerts.json", - "provider": "Dataminr" -}, -{ - "workbookKey": "DoDZeroTrustWorkbook", - "logoFileName": "", - "description": "This workbook solution provides an intuitive, customizable, framework intended to help track/report Zero Trust implementation in accordance with the latest DoD Zero Trust Strategy.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "DoDZeroTrustWorkbook1Black.png", - "DoDZeroTrustWorkbook2Black.png", - "DoDZeroTrustWorkbook3Black.png", - "DoDZeroTrustWorkbook1White.png", - "DoDZeroTrustWorkbook2White.png", - "DoDZeroTrustWorkbook3White.png" - ], - "version": "1.1.0", - "title": "DoD Zero Trust Strategy Workbook", - 
"templateRelativePath": "DoDZeroTrustWorkbook.json", - "subtitle": "", - "provider": "Microsoft", - "support": { - "tier": "Microsoft" - }, - "author": { - "name": "Lili Davoudian, Chhorn Lim, Jay Pelletier, Michael Crane" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "IT Operations" - ] - } -}, -{ - "workbookKey": "GreyNoiseIntellegenceOverviewWorkbook", - "logoFileName": "greynoise_logomark_black.svg", - "description": "This workbook provides visualization of GreyNoise Intelligence threat indicators which are ingested in the Microsoft Sentinel Threat intelligence.", - "dataTypesDependencies": [ - "ThreatIntelligenceIndicator" - ], - "dataConnectorsDependencies": [ - "GreyNoise2SentinelAPI" - ], - "previewImagesFileNames": [ - "GreyNoiseOverviewWhite.png", - "GreyNoiseOverviewBlack.png" - ], - "version": "1.0", - "title": "GreyNoise Intelligence Threat Indicators", - "templateRelativePath": "GreyNoiseOverview.json", - "subtitle": "", - "provider": "GreyNoise Intelligence, Inc." 
-}, -{ - "workbookKey": "WizFindingsWorkbook", - "logoFileName": "Wiz_logo.svg", - "description": "A visualized overview of Wiz Findings.\nExplore, analize and learn about your security posture using Wiz Findings Overview", - "dataTypesDependencies": [ - "WizIssues_CL", - "WizVulnerabilities_CL", - "WizAuditLogs_CL", - "WizIssuesV2_CL", - "WizVulnerabilitiesV2_CL", - "WizAuditLogs_CL" - ], - "dataConnectorsDependencies": [ - "Wiz" - ], - "previewImagesFileNames": [ - "WizFindingsBlack1.png", - "WizFindingsBlack2.png", - "WizFindingsBlack3.png", - "WizFindingsWhite1.png", - "WizFindingsWhite2.png", - "WizFindingsWhite3.png" - ], - "version": "2.0.0", - "title": "Wiz Findings overview", - "templateRelativePath": "WizFindings.json", - "subtitle": "", - "provider": "Wiz" -}, -{ - "workbookKey": "ThreatConnectOverviewWorkbook", - "logoFileName": "ThreatConnect.svg", - "description": "This workbook provides visualization of ThreatConnect threat indicators which are ingested in the Microsoft Sentinel Threat intelligence.", - "dataTypesDependencies": [ - "ThreatIntelligenceIndicator" - ], - "dataConnectorsDependencies": [ - "ThreatIntelligence" - ], - "previewImagesFileNames": [ - "ThreatConnectOverviewBlack.png", - "ThreatConnectOverviewWhite.png" - ], - "version": "1.0.0", - "title": "ThreatConnect Overview Workbook", - "templateRelativePath": "ThreatConnectOverview.json", - "subtitle": "", - "provider": "ThreatConnect, Inc." 
-}, -{ - "workbookKey": "Sentinel_Central", - "logoFileName": "Azure_Sentinel.svg", - "description": "Use this report to view Incident (and Alert data) across many workspaces, this works with Azure Lighthouse and across any subscription you have access to.", - "dataTypesDependencies": ["SecurityEvent"], - "dataConnectorsDependencies": ["IdentityAndAccessWhite.png", "IdentityAndAccessBlack.png"], - "previewImagesFileNames": [ "SentinelCentralBlack.png", "SentinelCentralWhite.png"], - "version": "2.1.2", - "title": "Sentinel Central", - "templateRelativePath": "Sentinel_Central.json", - "subtitle": "", - "provider": "Microsoft Sentinel community", - "support": { - "tier": "Community" - }, - "author": { - "name": "Clive Watson" - }, - "source": { - "kind": "Community" - }, - "categories": { - "domains": [ - "Security" - ] - } -}, -{ - "workbookKey": "AuthomizeWorkbook", - "logoFileName": "Authomize.svg", - "description": "Manage your Authorization Security Lifecycle across all XaaS environments and Private Clouds. 
Using Authomize AI-based engine continuously monitor the relationships between identities and assets and gain insight into security risks and events.",
- "dataTypesDependencies": [ "Authomize_v2_CL" ],
- "dataConnectorsDependencies": [ "Authomize" ],
- "previewImagesFileNames": [ "AuthomizeITDREventMonitoring-Black.png", "AuthomizeITDREventMonitoring-White.png" ],
- "version": "1.0.0",
- "title": "Authomize ITDR Event Monitoring for Identities",
- "templateRelativePath": "Authomize.json",
- "subtitle": "",
- "provider": "Authomize"
- },
-{
- "workbookKey": "GigamonConnector",
- "logoFileName": "gigamon.svg",
- "description": "A visualized overview of Gigamon AMX Data Connector .\nExplore, analize and learn about your security posture using Gigamon AMX data connector Overview.",
- "dataTypesDependencies": [
- "Gigamon_CL"
- ],
- "dataConnectorsDependencies": [
- "GigamonDataConnector"
- ],
- "previewImagesFileNames": [
- "GigamonWorkbookBlack.png",
- "GigamonWorkbookWhite.png"
- ],
- "version": "1.0.0",
- "title": "Gigamon Workbook",
- "templateRelativePath": "Gigamon.json",
- "subtitle": "",
- "provider": "Gigamon"
-},
-{
- "workbookKey": "PrancerSentinelAnalyticsWorkbook",
- "description": "Monitor and analyze Prancer PAC and CSPM scan results.",
- "logoFileName": "Prancer.svg",
- "dataTypesDependencies": [
- "prancer_CL"
- ],
- "dataConnectorsDependencies": [
- "PrancerLogData"
- ],
- "previewImagesFileNames": [
- "PrancerBlack.png",
- "PrancerWhite.png"
- ],
- "version": "1.0.0",
- "title": "Prancer Microsoft Sentinel Analytics Workbook",
- "templateRelativePath": "PrancerSentinelAnalytics.json",
- "subtitle": "",
- "provider": "Prancer"
-},
-{
-"workbookKey": "ValenceSecurityAlertsWorkbook",
-"logoFileName": "ValenceSecurityLogo.svg",
-"description": "SaaS security alerts from Valence Security.",
-"dataTypesDependencies": [
- "ValenceAlert_CL"
-],
-"dataConnectorsDependencies": [
- "ValenceSecurity"
-],
-"previewImagesFileNames": [
- "ValenceAlertsBlack.png",
- "ValenceAlertsWhite.png"
-],
-"version": "1.0.0",
-"title": "Valence Security Alerts Workbook",
-"templateRelativePath": "ValenceAlertsWorkbook.json",
-"subtitle": "",
-"provider": "Valence Security"
-},
-{
-"workbookKey": "MalwareProtectionEssentialsWorkbook",
-"logoFileName": "Azure_Sentinel.svg",
-"description": "This workbook provides details about Suspicious Malware Activities from File, Process and Registry events generated by EDR (Endpoint Detection and Response) solutions.",
-"dataTypesDependencies": ["_ASim_FileEvent", "_ASim_ProcessEvent"],
-"previewImagesFileNames": [
- "MalwareProtectionEssentialsWhite.png",
- "MalwareProtectionEssentialsBlack.png"
-],
-"version": "1.0.0",
-"title": "Malware Protection Essentials",
-"templateRelativePath": "MalwareProtectionEssentialsWorkbook.json",
-"subtitle": "",
-"provider": "Microsoft Sentinel community"
-},
-{
- "workbookKey": "VaronisSaaSWorkbook",
- "logoFileName": "VaronisLogo.svg",
- "description": "Security alerts from Varonis SaaS",
- "dataTypesDependencies": [
- "VaronisAlerts_CL"
- ],
- "dataConnectorsDependencies": [
- "VaronisSaaS"
- ],
- "previewImagesFileNames": [
- "VaronisSaaSAssetsBlack.png",
- "VaronisSaaSAssetsWhite.png",
- "VaronisSaaSDevicesBlack.png",
- "VaronisSaaSDevicesWhite.png",
- "VaronisSaaSMainBlack.png",
- "VaronisSaaSMainWhite.png",
- "VaronisSaaSThreatsBlack.png",
- "VaronisSaaSThreatsWhite.png",
- "VaronisSaaSUsersBlack.png",
- "VaronisSaaSUsersWhite.png"
- ],
- "version": "1.0.0",
- "title": "Varonis SaaS Workbook",
- "templateRelativePath": "VaronisSaaS.json",
- "subtitle": "",
- "provider": "Varonis"
- },
- {
- "workbookKey": "FortinetFortiNdrCloudWorkbook",
- "logoFileName": "fortinet_logo.svg",
- "description": "Gain insights into Fortinet FortiNDR CLoud events, including the Suricata, Observation and Detections data.",
- "dataTypesDependencies": [
- "FncEventsSuricata_CL",
- "FncEventsObservation_CL",
- "FncEventsDetections_CL"
- ],
- "dataConnectorsDependencies": [
- "FortinetFortiNdrCloudDataConnector"
- ],
- "previewImagesFileNames": [
- "FncDetectionDashboardBlack.png",
- "FncDetectionDashboardWhite.png",
- "FncObservationDashboardBlack.png",
- "FncObservationDashboardWhite.png",
- "FncSuricataDashboardBlack.png",
- "FncSuricataDashboardWhite.png",
- "FncMainDashboardBlack.png",
- "FncMainDashboardWhite.png"
- ],
- "version": "1.0.0",
- "title": "FortiNDR Cloud",
- "templateRelativePath": "FortinetFortiNdrCloudWorkbook.json",
- "subtitle": "",
- "provider": "Fortinet"
-},
- {
- "workbookKey": "WithSecureTopComputersByInfection",
- "logoFileName": "WithSecure.svg",
- "description": "Top 3 computers by amount of infections.",
- "dataTypesDependencies": [ "WsSecurityEvents_CL" ],
- "dataConnectorsDependencies": ["WithSecureElementsViaFunction"],
- "previewImagesFileNames": ["WithSecureTopComputersByInfectionsBlack.png", "WithSecureTopComputersByInfectionsWhite.png"],
- "version": "1.0",
- "title": "WithSecure - Top computers by infections",
- "templateRelativePath": "WithSecureTopComputersByInfections.json",
- "subtitle": "",
- "provider": "WithSecure"
- },
- {
- "workbookKey": "AzureOpenAIMonitoring",
- "logoFileName": "",
- "description": "Welcome to this Azure OpenAI Monitoring Workbook\n#### This workbook will help to monitor your Azure Open AI Instances\n\n** Please enable diagnostics settings for the Open AI instance to view the workbook.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": ["AzureOpenAIMonitoringWhite.PNG", "AzureOpenAIMonitoringBlack.PNG"],
- "version": "1.0",
- "title": "Azure OpenAI Monitoring Workbook",
- "templateRelativePath": "AzureOpenAIMonitoring.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "SonicWallWorkbook",
- "logoFileName": "sonicwall_logo.svg",
- "description": "A collection of queries to provide visibility into the events reported by your SonicWall firewalls.",
- "dataTypesDependencies": [
- "CommonSecurityLog",
- "ASimNetworkSessionSonicWallFirewall"
- ],
- "dataConnectorsDependencies": [
- "SonicWallFirewall",
- "CefAma"
- ],
- "previewImagesFileNames": [
- "SonicWallWorkbookWhite.png",
- "SonicWallWorkbookBlack.png"
- ],
- "version": "1.0.0",
- "title": "SonicWall Workbook",
- "templateRelativePath": "SonicWallFirewall.json",
- "subtitle": "",
- "provider": "SonicWall"
- },
- {
- "workbookKey": "AzureServiceHealthWorkbook",
- "logoFileName": "",
- "description": "A collection of queries to provide visibility into Azure Service Health across the subscriptions.",
- "dataTypesDependencies": [
- "AzureActivity"
- ],
- "dataConnectorsDependencies": [
- "AzureActivity"
- ],
- "previewImagesFileNames": [
- "AzureServiceHealthWhite.png",
- "AzureServiceHealthBlack.png"
- ],
- "version": "1.0.0",
- "title": "Azure Service Health Workbook",
- "templateRelativePath": "AzureServiceHealthWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "EgressPreventMetricWorkbook",
- "logoFileName": "Egress-logo.svg",
- "description": "A workbook providing insights into Egress Defend.",
- "dataTypesDependencies": ["EgressEvents_CL"],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "EgressPreventWorkbookBlack01.png",
- "EgressPreventWorkbookWhite01.png"
- ],
- "version": "1.0.0",
- "title": "Egress Defend Insights",
- "templateRelativePath": "PreventWorkbook.json",
- "subtitle": "Iris Prevent Metrics",
- "provider": "Egress Software Technologies"
-
- },
- {
- "workbookKey": "NetskopeDashboard",
- "logoFileName": "Netskope.svg",
- "description": "A workbook providing insights into Netskope Alerts, Events and WebTransactions.",
- "dataConnectorsDependencies": ["NetskopeDataConnector"],
- "dataTypesDependencies": [
- "eventsapplicationdata_CL",
- "alertscompromisedcredentialdata_CL",
- "alertsctepdata_CL",
- "alertsdlpdata_CL",
- "alertsmalsitedata_CL",
- "alertsmalwaredata_CL",
- "alertspolicydata_CL",
- "alertsquarantinedata_CL",
- "alertsremediationdata_CL",
- "alertssecurityassessmentdata_CL",
- "alertsubadata_CL",
- "NetskopeWebtxData_CL"
- ],
- "previewImagesFileNames": [
- "NetskopeDashboardBlack1.png",
- "NetskopeDashboardBlack2.png",
- "NetskopeDashboardBlack3.png",
- "NetskopeDashboardWhite1.png",
- "NetskopeDashboardWhite2.png",
- "NetskopeDashboardWhite3.png"
- ],
- "version": "1.0.0",
- "title": "NetskopeDashboard",
- "templateRelativePath": "NetskopeDashboard.json",
- "subtitle": "Netskope Dashboard for Alerts, Events and WebTransactions",
- "provider": "Netskope"
- },
- {
- "workbookKey": "BitwardenEventLogsOrganization",
- "logoFileName": "Bitwarden.svg",
- "description": "This workbook provides insights on Bitwarden Organizations Event Logs.",
- "dataConnectorsDependencies": [
- "BitwardenEventLogs"
- ],
- "dataTypesDependencies": [
- "BitwardenEventLogs_CL",
- "BitwardenGroups_CL",
- "BitwardenMembers_CL"
- ],
- "previewImagesFileNames": [
- "BitwardenEventLogsOrganizationWhite1.png",
- "BitwardenEventLogsOrganizationWhite2.png",
- "BitwardenEventLogsOrganizationBlack1.png",
- "BitwardenEventLogsOrganizationBlack2.png"
- ],
- "version": "1.0.0",
- "title": "Bitwarden Organization Events",
- "templateRelativePath": "BitwardenEventLogsOrganization.json",
- "subtitle": "",
- "provider": "Bitwarden"
- },
- {
- "workbookKey": "BitwardenEventLogsAuthentication",
- "logoFileName": "Bitwarden.svg",
- "description": "This workbook provides insights on Bitwarden Authentication Event Logs.",
- "dataConnectorsDependencies": [
- "BitwardenEventLogs"
- ],
- "dataTypesDependencies": [
- "BitwardenEventLogs_CL",
- "BitwardenGroups_CL",
- "BitwardenMembers_CL"
- ],
- "previewImagesFileNames": [
- "BitwardenEventLogsAuthenticationWhite1.png",
- "BitwardenEventLogsAuthenticationWhite2.png",
- "BitwardenEventLogsAuthenticationBlack1.png",
- "BitwardenEventLogsAuthenticationBlack2.png"
- ],
- "version": "1.0.0",
- "title": "Bitwarden Authentication Events",
- "templateRelativePath": "BitwardenEventLogsAuthentication.json",
- "subtitle": "",
- "provider": "Bitwarden"
- },
- {
- "workbookKey": "BitwardenEventLogsVaultItems",
- "logoFileName": "Bitwarden.svg",
- "description": "This workbook provides insights on Bitwarden Vault Items Event Logs.",
- "dataConnectorsDependencies": [
- "BitwardenEventLogs"
- ],
- "dataTypesDependencies": [
- "BitwardenEventLogs_CL",
- "BitwardenGroups_CL",
- "BitwardenMembers_CL"
- ],
- "previewImagesFileNames": [
- "BitwardenEventLogsVaultItemsWhite1.png",
- "BitwardenEventLogsVaultItemsWhite2.png",
- "BitwardenEventLogsVaultItemsBlack1.png",
- "BitwardenEventLogsVaultItemsBlack2.png"
- ],
- "version": "1.0.0",
- "title": "Bitwarden Vault Items Events",
- "templateRelativePath": "BitwardenEventLogsVaultItems.json",
- "subtitle": "",
- "provider": "Bitwarden"
- },
+ },
+ {
+ "workbookKey": "CiscoSDWANWorkbook",
+ "logoFileName": "cisco-logo-72px.svg",
+ "description": "Cisco SD-WAN Workbook equips administrators with the necessary tools to implement robust security measures and stay ahead of emerging threats.By leveraging the insights and recommendations provided in the workbook, network administrators can effectively protect their SD-WAN infrastructure from potential vulnerabilities and ensure a secure and reliable network connectivity for their organization.",
+ "dataTypesDependencies": [
+ "Syslog",
+ "CiscoSDWANNetflow_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "CiscoSDWAN"
+ ],
+ "previewImagesFileNames": [
+ "CiscoSDWANWhite1.png",
+ "CiscoSDWANWhite2.png",
+ "CiscoSDWANWhite3.png",
+ "CiscoSDWANBlack1.png",
+ "CiscoSDWANBlack2.png",
+ "CiscoSDWANBlack3.png"
+ ],
+ "version": "1.0.0",
+ "title": "Cisco SD-WAN",
+ "templateRelativePath": "CiscoSDWAN.json",
+ "provider": "Cisco"
+ },
+ {
+ "workbookKey": "SAP-AuditControls",
+ "logoFileName": "SAPVMIcon.svg",
+ "description": "SAP -Audit Controls (Preview)",
+ "dataTypesDependencies": [
+ "SAPAuditLog"
+ ],
+ "dataConnectorsDependencies": [
+ "SAP"
+ ],
+ "previewImagesFileNames": [
+ ""
+ ],
+ "version": "1.0.0",
+ "title": "SAP -Audit Controls (Preview)",
+ "templateRelativePath": "SAP -Audit Controls (Preview).json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "ZoomReports",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Visualize various details & visuals on Zoom Report data ingested though the solution. This also have a dependency on the parser which is available as a part of Zoom solution named Zoom",
+ "dataTypesDependencies": [
+ "Zoom"
+ ],
+ "dataConnectorsDependencies": [
+ "Zoom Reports"
+ ],
+ "previewImagesFileNames": [
+ "ZoomReportsBlack.png",
+ "ZoomReportsWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Zoom Reports",
+ "templateRelativePath": "ZoomReports.json",
+ "subtitle": "",
+ "provider": "Community"
+ },
+ {
+ "workbookKey": "InsiderRiskManagementWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "The Microsoft Insider Risk Management Workbook integrates telemetry from 25+ Microsoft security products to provide actionable insights into insider risk management. Reporting tools provide “Go to Alert” links to provide deeper integration between products and a simplified user experience for exploring alerts. ",
+ "dataTypesDependencies": [
+ "SigninLogsSigninLogs",
+ "AuditLogs",
+ "AzureActivity",
+ "OfficeActivity",
+ "InformationProtectionLogs_CL",
+ "SecurityIncident"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "InsiderRiskManagementBlack.png",
+ "InsiderRiskManagementWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Insider Risk Management",
+ "templateRelativePath": "InsiderRiskManagement.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "Fortiweb-workbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This workbook depends on a parser based on a Kusto Function to work as expected [**Fortiweb**](https://aka.ms/sentinel-FortiwebDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "FortinetFortiWeb"
+ ],
+ "previewImagesFileNames": [
+ ""
+ ],
+ "version": "1.0.0",
+ "title": "Fortiweb-workbook",
+ "templateRelativePath": "Fortiweb-workbook.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "WebSessionEssentialsWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "The 'Web Session Essentials' workbook provides real-time insights into activity and potential threats in your network. This workbook is designed for network teams, security architects, analysts, and consultants to monitor, identify and investigate threats on Web servers, Web Proxies and Web Security Gateways assets. This Workbook gives a summary of analysed web traffic and helps with threat analysis and investigating suspicious http traffic.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "WebSessionEssentialsWorkbookWhite.png",
+ "WebSessionEssentialsWorkbookBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Web Session Essentials Workbook",
+ "templateRelativePath": "WebSessionEssentials.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "IslandAdminAuditOverview",
+ "logoFileName": "island.svg",
+ "description": "This workbook provides a view into the activities of administrators in the Island Management Console.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ ""
+ ],
+ "version": "1.0.0",
+ "title": "Island Admin Audit Overview",
+ "templateRelativePath": "IslandAdminAuditOverview.json",
+ "subtitle": "",
+ "provider": "Island"
+ },
 {
- "workbookKey": "CodelessConnectorBuilder",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Create custom codeless connectors on demand with this UI-like workbook. Templates can be generated by going step by step in this workbook while filling out the different values.",
- "dataTypesDependencies": [],
- "previewImagesFileNames": [
- "CodelessConnectorBuilderBlack.png",
- "CodelessConnectorBuilderWhite.png"
- ],
- "version": "1.0.0",
- "title": "Codeless Connector Builder",
- "templateRelativePath": "CodelessConnectorBuilder.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
+ "workbookKey": "IslandUserActivityOverview",
+ "logoFileName": "island.svg",
+ "description": "This workbook provides a view into the activities of users while using the Island Enterprise Browser.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ ""
+ ],
+ "version": "1.0.0",
+ "title": "Island User Activity Overview",
+ "templateRelativePath": "IslandUserActivityOverview.json",
+ "subtitle": "",
+ "provider": "Island"
 },
- {
- "workbookKey": "IllumioAuditableEventsWorkbook",
- "logoFileName": "IllumioLogo.svg",
- "description": "A collection of queries to provide visibility into auditable events reported by Illumio.",
- "dataTypesDependencies": [
- "Illumio_Auditable_Events_CL"
- ],
- "dataConnectorsDependencies": [
- "IllumioSaaSDataConnector"
- ],
- "previewImagesFileNames": [
- "IllumioAuditableEventsBlack.png",
- "IllumioAuditableEventsWhite.png"
- ],
- "version": "1.0.0",
- "title": "Illumio Auditable Events Workbook",
- "templateRelativePath": "IllumioAuditableEvents.json",
- "subtitle": "",
- "provider": "Illumio"
- },
- {
- "workbookKey": "IllumioFlowEventsWorkbook",
- "logoFileName": "IllumioLogo.svg",
- "description": "A collection of queries to provide visibility into the flow events reported by Illumio.",
- "dataTypesDependencies": [
- "Illumio_Flows_Events_CL"
- ],
- "dataConnectorsDependencies": [
- "IllumioSaaSDataConnector"
- ],
- "previewImagesFileNames": [
- "IllumioFlowEventsBlack.png",
- "IllumioFlowEventsWhite.png"
- ],
- "version": "1.0.0",
- "title": "Illumio Flow Data Workbook",
- "templateRelativePath": "IllumioFlowData.json",
- "subtitle": "",
- "provider": "Illumio"
- },
- {
- "workbookKey": "IllumioWorkloadsStatsWorkbook",
- "logoFileName": "IllumioLogo.svg",
- "description": "This workbook leverages workloads api of Illumio and presents insights",
- "dataTypesDependencies": [
- "Illumio_Workloads_Summarized_API_CL"
- ],
- "dataConnectorsDependencies": [
- "IllumioSaaSDataConnector"
- ],
- "previewImagesFileNames": [
- "IllumioWorkloadsSummarizedBlack.png",
- "IllumioWorkloadsSummarizedWhite.png"
- ],
- "version": "1.1.0",
- "title": "Illumio Workload Stats Workbook",
- "templateRelativePath": "IllumioWorkloadsStats.json",
- "subtitle": "",
- "provider": "Illumio"
- },
- {
- "workbookKey": "CEFOverview",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This Workbook gives an overview of ingestion of logs in the CommonSecurityLog table.",
- "dataTypesDependencies": ["CommonSecurityLog"],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "CEFOverviewWhite.png",
- "CEFOverviewBlack.png"
- ],
- "version": "1.0.0",
- "title": "Common Event Format Logs Overview",
- "templateRelativePath": "CEFOverviewWorkbook.json",
- "provider": "",
- "support": {
- "tier": "Microsoft"
- },
- "author": {
- "name": "Microsoft"
- },
- "categories": {
- "domains": ["IT Operations"]
- }
- },
- {
- "workbookKey": "TenableIEIoA",
- "logoFileName": "Tenable.svg",
- "description": "This workbook providing insights into Tenable Indicators of Attack",
- "dataTypesDependencies": [
- "Tenable_IE_CL"
- ],
- "dataConnectorsDependencies": [
- "TenableIE"
- ],
- "previewImagesFileNames": [
- "TenableIEIoABlack1.png",
- "TenableIEIoABlack2.png",
- "TenableIEIoABlack3.png",
- "TenableIEIoAWhite1.png",
- "TenableIEIoAWhite2.png",
- "TenableIEIoAWhite3.png"
- ],
- "version": "1.0.0",
- "title": "TIE IOA workbook",
- "templateRelativePath": "TenableIEIoA.json",
- "subtitle": "",
- "provider": "Tenable"
- },
- {
- "workbookKey": "TenableIEIoE",
- "logoFileName": "Tenable.svg",
- "description": "This workbook providing insights into Tenable Indicators of Exposure",
- "dataTypesDependencies": [
- "Tenable_IE_CL"
- ],
- "dataConnectorsDependencies": [
- "TenableIE"
- ],
- "previewImagesFileNames": [
- "TenableIEIoEBlack1.png",
- "TenableIEIoEBlack2.png",
- "TenableIEIoEBlack3.png",
- "TenableIEIoEWhite1.png",
- "TenableIEIoEWhite2.png",
- "TenableIEIoEWhite3.png"
- ],
- "version": "1.0.0",
- "title": "TIE IOE workbook",
- "templateRelativePath": "TenableIEIoE.json",
- "subtitle": "",
- "provider": "Tenable"
- },
- {
- "workbookKey": "SyslogConnectorsOverviewWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This Workbook gives an overview of ingestion of logs into Syslog table via Syslog based dataconnectors such as AMA agent",
- "dataTypesDependencies": [
- "Syslog"
- ],
- "dataConnectorsDependencies": [
- "Syslog",
- "SyslogAma"
- ],
- "previewImagesFileNames": [""],
- "version": "1.0.0",
- "title": "Syslog Connectors Overview Workbook",
- "templateRelativePath": "SyslogConnectorsOverviewWorkbook.json",
- "subtitle": "",
- "provider": "-------"
- }
-]
+ {
+ "workbookKey": "BloodHoundEnterpriseAttackPathWorkbook",
+ "logoFileName": "BHE_Logo.svg",
+ "description": "Gain insights into BloodHound Enterprise attack paths.",
+ "dataTypesDependencies": [
+ "BloodHoundEnterprise"
+ ],
+ "dataConnectorsDependencies": [
+ "BloodHoundEnterprise"
+ ],
+ "previewImagesFileNames": [
+ ""
+ ],
+ "version": "1.0",
+ "title": "BloodHound Enterprise Attack Paths",
+ "templateRelativePath": "BloodHoundEnterpriseAttackPath.json",
+ "subtitle": "",
+ "provider": "SpecterOps"
+ },
+ {
+ "workbookKey": "BloodHoundEnterprisePostureWorkbook",
+ "logoFileName": "BHE_Logo.svg",
+ "description": "Gain insights into BloodHound Enterprise domain posture.",
+ "dataTypesDependencies": [
+ "BloodHoundEnterprise"
+ ],
+ "dataConnectorsDependencies": [
+ "BloodHoundEnterprise"
+ ],
+ "previewImagesFileNames": [
+ ""
+ ],
+ "version": "1.0",
+ "title": "BloodHound Enterprise Posture",
+ "templateRelativePath": "BloodHoundEnterprisePosture.json",
+ "subtitle": "",
+ "provider": "SpecterOps"
+ },
+ {
+ "workbookKey": "BitSightWorkbook",
+ "logoFileName": "BitSight.svg",
+ "description": "Gain insights into BitSight data.",
+ "dataTypesDependencies": [
+ "Alerts_data_CL",
+ "BitsightBreaches_data_CL",
+ "BitsightCompany_details_CL",
+ "BitsightCompany_rating_details_CL",
+ "BitsightDiligence_historical_statistics_CL",
+ "BitsightDiligence_statistics_CL",
+ "BitsightFindings_summary_CL",
+ "BitsightFindings_data_CL",
+ "BitsightGraph_data_CL",
+ "BitsightIndustrial_statistics_CL",
+ "BitsightObservation_statistics_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "BitSightDatConnector"
+ ],
+ "previewImagesFileNames": [
+ "BitSightWhite1.png",
+ "BitSightBlack1.png"
+ ],
+ "version": "1.0.0",
+ "title": "BitSight",
+ "templateRelativePath": "BitSightWorkbook.json",
+ "subtitle": "",
+ "provider": "BitSight"
+ },
+ {
+ "workbookKey": "VectraXDR",
+ "logoFileName": "",
+ "description": "This workbook provides visualization of Audit, Detections, Entity Scoring, Lockdown and Health data.",
+ "dataTypesDependencies": [
+ "Audits_Data_CL",
+ "Detections_Data_CL",
+ "Entity_Scoring_Data_CL",
+ "Lockdown_Data_CL",
+ "Health_Data_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "VectraDataConnector"
+ ],
+ "previewImagesFileNames": [
+ "VectraXDRWhite1.png",
+ "VectraXDRWhite2.png",
+ "VectraXDRWhite3.png",
+ "VectraXDRWhite4.png",
+ "VectraXDRWhite5.png",
+ "VectraXDRBlack1.png",
+ "VectraXDRBlack2.png",
+ "VectraXDRBlack3.png",
+ "VectraXDRBlack4.png",
+ "VectraXDRBlack5.png"
+ ],
+ "version": "2.0.0",
+ "title": "Vectra XDR",
+ "templateRelativePath": "VectraXDR.json",
+ "subtitle": "",
+ "provider": "Vectra"
+ },
+ {
+ "workbookKey": "CloudflareWorkbook",
+ "logoFileName": "cloudflare.svg",
+ "description": "Gain insights into Cloudflare events. You will get visibility on your Cloudflare web traffic, security, reliability.",
+ "dataTypesDependencies": [
+ "Cloudflare_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "CloudflareDataConnector"
+ ],
+ "previewImagesFileNames": [
+ "CloudflareOverviewWhite01.png",
+ "CloudflareOverviewWhite02.png",
+ "CloudflareOverviewBlack01.png",
+ "CloudflareOverviewBlack02.png"
+ ],
+ "version": "1.0",
+ "title": "Cloudflare",
+ "templateRelativePath": "Cloudflare.json",
+ "subtitle": "",
+ "provider": "Cloudflare"
+ },
+ {
+ "workbookKey": "CofenseIntelligenceWorkbook",
+ "logoFileName": "CofenseTriage.svg",
+ "description": "This workbook provides visualization of Cofense Intelligence threat indicators which are ingested in the Microsoft Sentinel Threat intelligence.",
+ "dataTypesDependencies": [
+ "ThreatIntelligenceIndicator",
+ "Malware_Data"
+ ],
+ "dataConnectorsDependencies": [
+ "CofenseIntelligenceDataConnector"
+ ],
+ "previewImagesFileNames": [
+ "CofenseIntelligenceWhite1.png",
+ "CofenseIntelligenceBlack1.png"
+ ],
+ "version": "1.0",
+ "title": "CofenseIntelligenceThreatIndicators",
+ "templateRelativePath": "CofenseIntelligenceThreatIndicators.json",
+ "subtitle": "",
+ "provider": "Cofense"
+ },
+ {
+ "workbookKey": "EgressDefendMetricWorkbook",
+ "logoFileName": "Egress-logo.svg",
+ "description": "A workbook providing insights into Egress Defend.",
+ "dataTypesDependencies": [
+ "EgressDefend_CL"
+ ],
+ "previewImagesFileNames": [
+ "EgressDefendMetricWorkbookBlack01.png",
+ "EgressDefendMetricWorkbookWhite01.png"
+ ],
+ "version": "1.0.0",
+ "title": "Egress Defend Insights",
+ "templateRelativePath": "DefendMetrics.json",
+ "subtitle": "Defend Metrics",
+ "provider": "Egress Software Technologies"
+ },
+ {
+ "workbookKey": "UserWorkbook-alexdemichieli-github-update-1",
+ "logoFileName": "GitHub.svg",
+ "description": "Gain insights to GitHub activities that may be interesting for security.",
+ "dataTypesDependencies": [
+ "GitHubAuditLogPolling_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "GitHubEcAuditLogPolling"
+ ],
+ "previewImagesFileNames": [
+ ""
+ ],
+ "version": "1.0.0",
+ "title": "GitHub Security",
+ "templateRelativePath": "GitHubAdvancedSecurity.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "SalemDashboard",
+ "logoFileName": "salem_logo.svg",
+ "description": "Monitor Salem Performance",
+ "dataTypesDependencies": [
+ "SalemAlerts_CL"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ ""
+ ],
+ "version": "1.0.0",
+ "title": "Salem Alerts Workbook",
+ "templateRelativePath": "SalemDashboard.json",
+ "subtitle": "",
+ "provider": "SalemCyber"
+ },
+ {
+ "workbookKey": "MimecastAuditWorkbook",
+ "logoFileName": "Mimecast.svg",
+ "description": "A workbook providing insights into Mimecast Audit.",
+ "dataTypesDependencies": [
+ "MimecastAudit_CL"
+ ],
+ "previewImagesFileNames": [
+ "MimecastAuditBlack1.png",
+ "MimecastAuditBlack2.png",
+ "MimecastAuditWhite1.png",
+ "MimecastAuditWhite2.png"
+ ],
+ "version": "1.0.0",
+ "title": "MimecastAudit",
+ "templateRelativePath": "MimecastAudit.json",
+ "subtitle": "Mimecast Audit",
+ "provider": "Mimecast"
+ },
+ {
+ "workbookKey": "MailGuard365Workbook",
+ "logoFileName": "MailGuard365_logo.svg",
+ "description": "MailGuard 365 Workbook",
+ "dataTypesDependencies": [
+ "MailGuard365_Threats_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "MailGuard365"
+ ],
+ "previewImagesFileNames": [
+ "MailGuard365WorkbookWhite1.png",
+ "MailGuard365WorkbookWhite2.png",
+ "MailGuard365WorkbookBlack1.png",
+ "MailGuard365WorkbookBlack2.png"
+ ],
+ "version": "1.0.0",
+ "title": "MailGuard365",
+ "templateRelativePath": "MailGuard365Dashboard.json",
+ "subtitle": "",
+ "provider": "MailGuard 365"
+ },
+ {
+ "workbookKey": "MimecastTIRegionalWorkbook",
+ "logoFileName": "Mimecast.svg",
+ "description": "A workbook providing insights into Mimecast Regional Threat indicator.",
+ "dataTypesDependencies": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "dataConnectorsDependencies": [
+ "MimecastTIRegionalConnectorAzureFunctions"
+ ],
+ "previewImagesFileNames": [
+ "MimecastTIReginalWhite.png",
+ "MimecastTIRegionalBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "MimecastTIRegional",
+ "templateRelativePath": "MimecastTIRegional.json",
+ "subtitle": "Mimecast TI Regional",
+ "provider": "Mimecast"
+ },
+ {
+ "workbookKey": "DataminrPulseAlerts",
+ "logoFileName": "DataminrPulse.svg",
+ "description": "This Workbook provides insight into the data coming from DataminrPulse.",
+ "dataTypesDependencies": [
+ "DataminrPulse_Alerts_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "DataminrPulseAlerts"
+ ],
+ "previewImagesFileNames": [
+ "DataminrPulseAlertsBlack1.png",
+ "DataminrPulseAlertsBlack2.png",
+ "DataminrPulseAlertsBlack3.png",
+ "DataminrPulseAlertsBlack4.png",
+ "DataminrPulseAlertsBlack5.png",
+ "DataminrPulseAlertsWhite1.png",
+ "DataminrPulseAlertsWhite2.png",
+ "DataminrPulseAlertsWhite3.png",
+ "DataminrPulseAlertsWhite4.png",
+ "DataminrPulseAlertsWhite5.png"
+ ],
+ "version": "1.0.0",
+ "title": "Dataminr Pulse Alerts",
+ "templateRelativePath": "DataminrPulseAlerts.json",
+ "provider": "Dataminr"
+ },
+ {
+ "workbookKey": "DoDZeroTrustWorkbook",
+ "logoFileName": "",
+ "description": "This workbook solution provides an intuitive, customizable, framework intended to help track/report Zero Trust implementation in accordance with the latest DoD Zero Trust Strategy.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "DoDZeroTrustWorkbook1Black.png",
+ "DoDZeroTrustWorkbook2Black.png",
+ "DoDZeroTrustWorkbook3Black.png",
+ "DoDZeroTrustWorkbook1White.png",
+ "DoDZeroTrustWorkbook2White.png",
+ "DoDZeroTrustWorkbook3White.png"
+ ],
+ "version": "1.1.0",
+ "title": "DoD Zero Trust Strategy Workbook",
+ "templateRelativePath": "DoDZeroTrustWorkbook.json",
+ "subtitle": "",
+ "provider": "Microsoft",
+ "support": {
+ "tier": "Microsoft"
+ },
+ "author": {
+ "name": "Lili Davoudian, Chhorn Lim, Jay Pelletier, Michael Crane"
+ },
+ "source": {
+ "kind": "Community"
+ },
+ "categories": {
+ "domains": [
+ "IT Operations"
+ ]
+ }
+ },
+ {
+ "workbookKey": "GreyNoiseIntellegenceOverviewWorkbook",
+ "logoFileName": "greynoise_logomark_black.svg",
+ "description": "This workbook provides visualization of GreyNoise Intelligence threat indicators which are ingested in the Microsoft Sentinel Threat intelligence.",
+ "dataTypesDependencies": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "dataConnectorsDependencies": [
+ "GreyNoise2SentinelAPI"
+ ],
+ "previewImagesFileNames": [
+ "GreyNoiseOverviewWhite.png",
+ "GreyNoiseOverviewBlack.png"
+ ],
+ "version": "1.0",
+ "title": "GreyNoise Intelligence Threat Indicators",
+ "templateRelativePath": "GreyNoiseOverview.json",
+ "subtitle": "",
+ "provider": "GreyNoise Intelligence, Inc."
+ },
+ {
+ "workbookKey": "WizFindingsWorkbook",
+ "logoFileName": "Wiz_logo.svg",
+ "description": "A visualized overview of Wiz Findings.\nExplore, analize and learn about your security posture using Wiz Findings Overview",
+ "dataTypesDependencies": [
+ "WizIssues_CL",
+ "WizVulnerabilities_CL",
+ "WizAuditLogs_CL",
+ "WizIssuesV2_CL",
+ "WizVulnerabilitiesV2_CL",
+ "WizAuditLogs_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "Wiz"
+ ],
+ "previewImagesFileNames": [
+ "WizFindingsBlack1.png",
+ "WizFindingsBlack2.png",
+ "WizFindingsBlack3.png",
+ "WizFindingsWhite1.png",
+ "WizFindingsWhite2.png",
+ "WizFindingsWhite3.png"
+ ],
+ "version": "2.0.0",
+ "title": "Wiz Findings overview",
+ "templateRelativePath": "WizFindings.json",
+ "subtitle": "",
+ "provider": "Wiz"
+ },
+ {
+ "workbookKey": "ThreatConnectOverviewWorkbook",
+ "logoFileName": "ThreatConnect.svg",
+ "description": "This workbook provides visualization of ThreatConnect threat indicators which are ingested in the Microsoft Sentinel Threat intelligence.",
+ "dataTypesDependencies": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "dataConnectorsDependencies": [
+ "ThreatIntelligence"
+ ],
+ "previewImagesFileNames": [
+ "ThreatConnectOverviewBlack.png",
+ "ThreatConnectOverviewWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "ThreatConnect Overview Workbook",
+ "templateRelativePath": "ThreatConnectOverview.json",
+ "subtitle": "",
+ "provider": "ThreatConnect, Inc."
+ },
+ {
+ "workbookKey": "Sentinel_Central",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Use this report to view Incident (and Alert data) across many workspaces, this works with Azure Lighthouse and across any subscription you have access to.",
+ "dataTypesDependencies": [
+ "SecurityEvent"
+ ],
+ "dataConnectorsDependencies": [
+ "IdentityAndAccessWhite.png",
+ "IdentityAndAccessBlack.png"
+ ],
+ "previewImagesFileNames": [
+ "SentinelCentralBlack.png",
+ "SentinelCentralWhite.png"
+ ],
+ "version": "2.1.2",
+ "title": "Sentinel Central",
+ "templateRelativePath": "Sentinel_Central.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community",
+ "support": {
+ "tier": "Community"
+ },
+ "author": {
+ "name": "Clive Watson"
+ },
+ "source": {
+ "kind": "Community"
+ },
+ "categories": {
+ "domains": [
+ "Security"
+ ]
+ }
+ },
+ {
+ "workbookKey": "AuthomizeWorkbook",
+ "logoFileName": "Authomize.svg",
+ "description": "Manage your Authorization Security Lifecycle across all XaaS environments and Private Clouds. Using Authomize AI-based engine continuously monitor the relationships between identities and assets and gain insight into security risks and events.",
+ "dataTypesDependencies": [
+ "Authomize_v2_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "Authomize"
+ ],
+ "previewImagesFileNames": [
+ "AuthomizeITDREventMonitoring-Black.png",
+ "AuthomizeITDREventMonitoring-White.png"
+ ],
+ "version": "1.0.0",
+ "title": "Authomize ITDR Event Monitoring for Identities",
+ "templateRelativePath": "Authomize.json",
+ "subtitle": "",
+ "provider": "Authomize"
+ },
+ {
+ "workbookKey": "GigamonConnector",
+ "logoFileName": "gigamon.svg",
+ "description": "A visualized overview of Gigamon AMX Data Connector .\nExplore, analize and learn about your security posture using Gigamon AMX data connector Overview.",
+ "dataTypesDependencies": [
+ "Gigamon_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "GigamonDataConnector"
+ ],
+ "previewImagesFileNames": [
+ "GigamonWorkbookBlack.png",
+ "GigamonWorkbookWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Gigamon Workbook",
+ "templateRelativePath": "Gigamon.json",
+ "subtitle": "",
+ "provider": "Gigamon"
+ },
+ {
+ "workbookKey": "PrancerSentinelAnalyticsWorkbook",
+ "description": "Monitor and analyze Prancer PAC and CSPM scan results.",
+ "logoFileName": "Prancer.svg",
+ "dataTypesDependencies": [
+ "prancer_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "PrancerLogData"
+ ],
+ "previewImagesFileNames": [
+ "PrancerBlack.png",
+ "PrancerWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Prancer Microsoft Sentinel Analytics Workbook",
+ "templateRelativePath": "PrancerSentinelAnalytics.json",
+ "subtitle": "",
+ "provider": "Prancer"
+ },
+ {
+ "workbookKey": "ValenceSecurityAlertsWorkbook",
+ "logoFileName": "ValenceSecurityLogo.svg",
+ "description": "SaaS security alerts from Valence Security.",
+ "dataTypesDependencies": [
+ "ValenceAlert_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ValenceSecurity"
+ ],
+ "previewImagesFileNames": [
+ "ValenceAlertsBlack.png",
+ "ValenceAlertsWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Valence Security Alerts Workbook",
+ "templateRelativePath": "ValenceAlertsWorkbook.json",
+ "subtitle": "",
+ "provider": "Valence Security"
+ },
+ {
+ "workbookKey": "MalwareProtectionEssentialsWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This workbook provides details about Suspicious Malware Activities from File, Process and Registry events generated by EDR (Endpoint Detection and Response) solutions.",
+ "dataTypesDependencies": [
+ "_ASim_FileEvent",
+ "_ASim_ProcessEvent"
+ ],
+ "previewImagesFileNames": [
+ "MalwareProtectionEssentialsWhite.png",
+ "MalwareProtectionEssentialsBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Malware Protection Essentials",
+ "templateRelativePath": "MalwareProtectionEssentialsWorkbook.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "VaronisSaaSWorkbook",
+ "logoFileName": "VaronisLogo.svg",
+ "description": "Security alerts from Varonis SaaS",
+ "dataTypesDependencies": [
+ "VaronisAlerts_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "VaronisSaaS"
+ ],
+ "previewImagesFileNames": [
+ "VaronisSaaSAssetsBlack.png",
+ "VaronisSaaSAssetsWhite.png",
+ "VaronisSaaSDevicesBlack.png",
+ "VaronisSaaSDevicesWhite.png",
+ "VaronisSaaSMainBlack.png",
+ "VaronisSaaSMainWhite.png",
+ "VaronisSaaSThreatsBlack.png",
+ "VaronisSaaSThreatsWhite.png",
+ "VaronisSaaSUsersBlack.png",
+ "VaronisSaaSUsersWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Varonis SaaS Workbook",
+ "templateRelativePath": "VaronisSaaS.json",
+ "subtitle": "",
+ "provider": "Varonis"
+ },
+ {
+ "workbookKey": "FortinetFortiNdrCloudWorkbook",
+ "logoFileName": "fortinet_logo.svg",
+ "description": "Gain insights into Fortinet FortiNDR CLoud events, including the Suricata, Observation and Detections data.",
+ "dataTypesDependencies": [
+ "FncEventsSuricata_CL",
+ "FncEventsObservation_CL",
+ "FncEventsDetections_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "FortinetFortiNdrCloudDataConnector"
+ ],
+ "previewImagesFileNames": [
+ "FncDetectionDashboardBlack.png",
+ "FncDetectionDashboardWhite.png",
+ "FncObservationDashboardBlack.png",
+ "FncObservationDashboardWhite.png",
+ "FncSuricataDashboardBlack.png",
+ "FncSuricataDashboardWhite.png",
+ "FncMainDashboardBlack.png",
+ "FncMainDashboardWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "FortiNDR Cloud",
+ "templateRelativePath": "FortinetFortiNdrCloudWorkbook.json",
+ "subtitle": "",
+ "provider": "Fortinet"
+ },
+ {
+ "workbookKey": "WithSecureTopComputersByInfection",
+ "logoFileName": "WithSecure.svg",
+ "description": "Top 3 computers by amount of infections.",
+ "dataTypesDependencies": [
+ "WsSecurityEvents_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "WithSecureElementsViaFunction"
+ ],
+ "previewImagesFileNames": [
+ "WithSecureTopComputersByInfectionsBlack.png",
+ "WithSecureTopComputersByInfectionsWhite.png"
+ ],
+ "version": "1.0",
+ "title": "WithSecure - Top computers by infections",
+ "templateRelativePath": "WithSecureTopComputersByInfections.json",
+ "subtitle": "",
+ "provider": "WithSecure"
+ },
+ {
+ "workbookKey": "AzureOpenAIMonitoring",
+ "logoFileName": "",
+ "description": "Welcome to this Azure OpenAI Monitoring Workbook\n#### This workbook will help to monitor your Azure Open AI Instances\n\n** Please enable diagnostics settings for the Open AI instance to view the workbook.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "AzureOpenAIMonitoringWhite.PNG",
+ "AzureOpenAIMonitoringBlack.PNG"
+ ],
+ "version": "1.0",
+ "title": "Azure OpenAI Monitoring Workbook",
+ "templateRelativePath": "AzureOpenAIMonitoring.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "SonicWallWorkbook",
+ "logoFileName": "sonicwall_logo.svg",
+ "description": "A collection of queries to provide 
visibility into the events reported by your SonicWall firewalls.", + "dataTypesDependencies": [ + "CommonSecurityLog", + "ASimNetworkSessionSonicWallFirewall" + ], + "dataConnectorsDependencies": [ + "SonicWallFirewall", + "CefAma" + ], + "previewImagesFileNames": [ + "SonicWallWorkbookWhite.png", + "SonicWallWorkbookBlack.png" + ], + "version": "1.0.0", + "title": "SonicWall Workbook", + "templateRelativePath": "SonicWallFirewall.json", + "subtitle": "", + "provider": "SonicWall" + }, + { + "workbookKey": "AzureServiceHealthWorkbook", + "logoFileName": "", + "description": "A collection of queries to provide visibility into Azure Service Health across the subscriptions.", + "dataTypesDependencies": [ + "AzureActivity" + ], + "dataConnectorsDependencies": [ + "AzureActivity" + ], + "previewImagesFileNames": [ + "AzureServiceHealthWhite.png", + "AzureServiceHealthBlack.png" + ], + "version": "1.0.0", + "title": "Azure Service Health Workbook", + "templateRelativePath": "AzureServiceHealthWorkbook.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community" + }, + { + "workbookKey": "EgressPreventMetricWorkbook", + "logoFileName": "Egress-logo.svg", + "description": "A workbook providing insights into Egress Defend.", + "dataTypesDependencies": [ + "EgressEvents_CL" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "EgressPreventWorkbookBlack01.png", + "EgressPreventWorkbookWhite01.png" + ], + "version": "1.0.0", + "title": "Egress Defend Insights", + "templateRelativePath": "PreventWorkbook.json", + "subtitle": "Iris Prevent Metrics", + "provider": "Egress Software Technologies" + }, + { + "workbookKey": "NetskopeDashboard", + "logoFileName": "Netskope.svg", + "description": "A workbook providing insights into Netskope Alerts, Events and WebTransactions.", + "dataConnectorsDependencies": [ + "NetskopeDataConnector" + ], + "dataTypesDependencies": [ + "eventsapplicationdata_CL", + "alertscompromisedcredentialdata_CL", + 
"alertsctepdata_CL", + "alertsdlpdata_CL", + "alertsmalsitedata_CL", + "alertsmalwaredata_CL", + "alertspolicydata_CL", + "alertsquarantinedata_CL", + "alertsremediationdata_CL", + "alertssecurityassessmentdata_CL", + "alertsubadata_CL", + "NetskopeWebtxData_CL" + ], + "previewImagesFileNames": [ + "NetskopeDashboardBlack1.png", + "NetskopeDashboardBlack2.png", + "NetskopeDashboardBlack3.png", + "NetskopeDashboardWhite1.png", + "NetskopeDashboardWhite2.png", + "NetskopeDashboardWhite3.png" + ], + "version": "1.0.0", + "title": "NetskopeDashboard", + "templateRelativePath": "NetskopeDashboard.json", + "subtitle": "Netskope Dashboard for Alerts, Events and WebTransactions", + "provider": "Netskope" + }, + { + "workbookKey": "BitwardenEventLogsOrganization", + "logoFileName": "Bitwarden.svg", + "description": "This workbook provides insights on Bitwarden Organizations Event Logs.", + "dataConnectorsDependencies": [ + "BitwardenEventLogs" + ], + "dataTypesDependencies": [ + "BitwardenEventLogs_CL", + "BitwardenGroups_CL", + "BitwardenMembers_CL" + ], + "previewImagesFileNames": [ + "BitwardenEventLogsOrganizationWhite1.png", + "BitwardenEventLogsOrganizationWhite2.png", + "BitwardenEventLogsOrganizationBlack1.png", + "BitwardenEventLogsOrganizationBlack2.png" + ], + "version": "1.0.0", + "title": "Bitwarden Organization Events", + "templateRelativePath": "BitwardenEventLogsOrganization.json", + "subtitle": "", + "provider": "Bitwarden" + }, + { + "workbookKey": "BitwardenEventLogsAuthentication", + "logoFileName": "Bitwarden.svg", + "description": "This workbook provides insights on Bitwarden Authentication Event Logs.", + "dataConnectorsDependencies": [ + "BitwardenEventLogs" + ], + "dataTypesDependencies": [ + "BitwardenEventLogs_CL", + "BitwardenGroups_CL", + "BitwardenMembers_CL" + ], + "previewImagesFileNames": [ + "BitwardenEventLogsAuthenticationWhite1.png", + "BitwardenEventLogsAuthenticationWhite2.png", + "BitwardenEventLogsAuthenticationBlack1.png", + 
"BitwardenEventLogsAuthenticationBlack2.png" + ], + "version": "1.0.0", + "title": "Bitwarden Authentication Events", + "templateRelativePath": "BitwardenEventLogsAuthentication.json", + "subtitle": "", + "provider": "Bitwarden" + }, + { + "workbookKey": "BitwardenEventLogsVaultItems", + "logoFileName": "Bitwarden.svg", + "description": "This workbook provides insights on Bitwarden Vault Items Event Logs.", + "dataConnectorsDependencies": [ + "BitwardenEventLogs" + ], + "dataTypesDependencies": [ + "BitwardenEventLogs_CL", + "BitwardenGroups_CL", + "BitwardenMembers_CL" + ], + "previewImagesFileNames": [ + "BitwardenEventLogsVaultItemsWhite1.png", + "BitwardenEventLogsVaultItemsWhite2.png", + "BitwardenEventLogsVaultItemsBlack1.png", + "BitwardenEventLogsVaultItemsBlack2.png" + ], + "version": "1.0.0", + "title": "Bitwarden Vault Items Events", + "templateRelativePath": "BitwardenEventLogsVaultItems.json", + "subtitle": "", + "provider": "Bitwarden" + }, + { + "workbookKey": "CodelessConnectorBuilder", + "logoFileName": "Azure_Sentinel.svg", + "description": "Create custom codeless connectors on demand with this UI-like workbook. 
Templates can be generated by going step by step in this workbook while filling out the different values.", + "dataTypesDependencies": [], + "previewImagesFileNames": [ + "CodelessConnectorBuilderBlack.png", + "CodelessConnectorBuilderWhite.png" + ], + "version": "1.0.0", + "title": "Codeless Connector Builder", + "templateRelativePath": "CodelessConnectorBuilder.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community" + }, + { + "workbookKey": "IllumioAuditableEventsWorkbook", + "logoFileName": "IllumioLogo.svg", + "description": "A collection of queries to provide visibility into auditable events reported by Illumio.", + "dataTypesDependencies": [ + "Illumio_Auditable_Events_CL" + ], + "dataConnectorsDependencies": [ + "IllumioSaaSDataConnector" + ], + "previewImagesFileNames": [ + "IllumioAuditableEventsBlack.png", + "IllumioAuditableEventsWhite.png" + ], + "version": "1.0.0", + "title": "Illumio Auditable Events Workbook", + "templateRelativePath": "IllumioAuditableEvents.json", + "subtitle": "", + "provider": "Illumio" + }, + { + "workbookKey": "IllumioFlowEventsWorkbook", + "logoFileName": "IllumioLogo.svg", + "description": "A collection of queries to provide visibility into the flow events reported by Illumio.", + "dataTypesDependencies": [ + "Illumio_Flows_Events_CL" + ], + "dataConnectorsDependencies": [ + "IllumioSaaSDataConnector" + ], + "previewImagesFileNames": [ + "IllumioFlowEventsBlack.png", + "IllumioFlowEventsWhite.png" + ], + "version": "1.0.0", + "title": "Illumio Flow Data Workbook", + "templateRelativePath": "IllumioFlowData.json", + "subtitle": "", + "provider": "Illumio" + }, + { + "workbookKey": "IllumioWorkloadsStatsWorkbook", + "logoFileName": "IllumioLogo.svg", + "description": "This workbook leverages workloads api of Illumio and presents insights", + "dataTypesDependencies": [ + "Illumio_Workloads_Summarized_API_CL" + ], + "dataConnectorsDependencies": [ + "IllumioSaaSDataConnector" + ], + "previewImagesFileNames": [ + 
"IllumioWorkloadsSummarizedBlack.png", + "IllumioWorkloadsSummarizedWhite.png" + ], + "version": "1.1.0", + "title": "Illumio Workload Stats Workbook", + "templateRelativePath": "IllumioWorkloadsStats.json", + "subtitle": "", + "provider": "Illumio" + }, + { + "workbookKey": "CEFOverview", + "logoFileName": "Azure_Sentinel.svg", + "description": "This Workbook gives an overview of ingestion of logs in the CommonSecurityLog table.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "CEFOverviewWhite.png", + "CEFOverviewBlack.png" + ], + "version": "1.0.0", + "title": "Common Event Format Logs Overview", + "templateRelativePath": "CEFOverviewWorkbook.json", + "provider": "", + "support": { + "tier": "Microsoft" + }, + "author": { + "name": "Microsoft" + }, + "categories": { + "domains": [ + "IT Operations" + ] + } + }, + { + "workbookKey": "TenableIEIoA", + "logoFileName": "Tenable.svg", + "description": "This workbook providing insights into Tenable Indicators of Attack", + "dataTypesDependencies": [ + "Tenable_IE_CL" + ], + "dataConnectorsDependencies": [ + "TenableIE" + ], + "previewImagesFileNames": [ + "TenableIEIoABlack1.png", + "TenableIEIoABlack2.png", + "TenableIEIoABlack3.png", + "TenableIEIoAWhite1.png", + "TenableIEIoAWhite2.png", + "TenableIEIoAWhite3.png" + ], + "version": "1.0.0", + "title": "TIE IOA workbook", + "templateRelativePath": "TenableIEIoA.json", + "subtitle": "", + "provider": "Tenable" + }, + { + "workbookKey": "TenableIEIoE", + "logoFileName": "Tenable.svg", + "description": "This workbook providing insights into Tenable Indicators of Exposure", + "dataTypesDependencies": [ + "Tenable_IE_CL" + ], + "dataConnectorsDependencies": [ + "TenableIE" + ], + "previewImagesFileNames": [ + "TenableIEIoEBlack1.png", + "TenableIEIoEBlack2.png", + "TenableIEIoEBlack3.png", + "TenableIEIoEWhite1.png", + "TenableIEIoEWhite2.png", + "TenableIEIoEWhite3.png" + ], + "version": 
"1.0.0", + "title": "TIE IOE workbook", + "templateRelativePath": "TenableIEIoE.json", + "subtitle": "", + "provider": "Tenable" + }, + { + "workbookKey": "SyslogConnectorsOverviewWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "This Workbook gives an overview of ingestion of logs into Syslog table via Syslog based dataconnectors such as AMA agent", + "dataTypesDependencies": [ + "Syslog" + ], + "dataConnectorsDependencies": [ + "Syslog", + "SyslogAma" + ], + "previewImagesFileNames": [ + "" + ], + "version": "1.0.0", + "title": "Syslog Connectors Overview Workbook", + "templateRelativePath": "SyslogConnectorsOverviewWorkbook.json", + "subtitle": "", + "provider": "-------" + }, + { + "workbookKey": "PhishingAnalysis", + "logoFileName": "Azure_Sentinel.svg", + "description": "This Workbook fetches data from MDO tables and provides a comphrehensive overview for Phishing Analysis", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "PhishingAnalysisWhite.png", + "PhishingAnalysisBlack.png" + ], + "version": "1.0.0", + "title": "Phishing Analysis", + "templateRelativePath": "PhishingAnalysis.json", + "subtitle": "", + "provider": "DSR" + }, + { + "workbookKey": "GSANetworkTraffic", + "logoFileName": "gsa.svg", + "description": "This workbook provides an overview of all traffic logs within your network, offering insights into data transfer, anomalies, and potential threats.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [ + "AzureActiveDirectory" + ], + "previewImagesFileNames": [ + "GSATrafficLogsWhite.png", + "GSATrafficLogsBlack.png" + ], + "version": "1.0.0", + "title": "Microsoft Global Secure Access Traffic Logs", + "templateRelativePath": "GSANetworkTraffic.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "GSAM365EnrichedEvents", + "logoFileName": "gsa.svg", + "description": "This Workbook provides a detailed view of Microsoft 365 log data, enriched 
with contextual information to enhance visibility into user activities and potential security threats.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [ + "AzureActiveDirectory" + ], + "previewImagesFileNames": [ + "GSAEnrichedLogsWhite.png", + "GSAEnrichedLogsBlack.png" + ], + "version": "1.0.0", + "title": "Microsoft Global Secure Access Enriched M365 Logs", + "templateRelativePath": "GSAM365EnrichedEvents.json", + "provider": "Microsoft" + } +] \ No newline at end of file From 5864ffdbc077f9170f17a65b9cda183d62cafe39 Mon Sep 17 00:00:00 2001 From: nlepagnez Date: Fri, 30 Aug 2024 13:07:20 +0200 Subject: [PATCH 09/19] Update Workbook Metadata after merge --- Workbooks/WorkbooksMetadata.json | 326 +++++++++++++++---------------- 1 file changed, 163 insertions(+), 163 deletions(-) diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json index 20e84866322..2562d2d7262 100644 --- a/Workbooks/WorkbooksMetadata.json +++ b/Workbooks/WorkbooksMetadata.json 
@@ -5626,169 +5626,169 @@ "provider": "Microsoft Sentinel Community" }, { - "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC-Online", - "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook, dedicated to Exchange Online environments is built to have a simple view of non-standard RBAC delegations on an Exchange Online tenant. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment.", - "dataTypesDependencies": [ - "ESIExchangeOnlineConfig_CL" - ], - "dataConnectorsDependencies": [ - "ESI-ExchangeOnlineCollector" - ], - "previewImagesFileNames": [ - "MicrosoftExchangeLeastPrivilegewithRBAC-OnlineBlack.png", - "MicrosoftExchangeLeastPrivilegewithRBAC-OnlineWhite.png" - ], - "version": "1.1.0", - "title": "Microsoft Exchange Least Privilege with RBAC - Online", - "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC - Online.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC", - "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook, dedicated to On-Premises environments is built to have a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment. 
Required Data Connector: Exchange Security Insights On-Premises Collector.", - "dataTypesDependencies": [ - "ESIExchangeConfig_CL" - ], - "dataConnectorsDependencies": [ - "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents" - ], - "previewImagesFileNames": [ - "MicrosoftExchangeLeastPrivilegewithRBACBlack.png", - "MicrosoftExchangeLeastPrivilegewithRBACWhite.png" - ], - "version": "1.0.1", - "title": "Microsoft Exchange Least Privilege with RBAC", - "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeSearchAdminAuditLog", - "logoFileName": "Azure_Sentinel.svg", - "description": "This workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Exchange Audit Event logs via Legacy Agent.", - "dataTypesDependencies": [ - "ESIExchangeConfig_CL" - ], - "dataConnectorsDependencies": [ - "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents" - ], - "previewImagesFileNames": [ - "MicrosoftExchangeSearchAdminAuditLogBlack.png", - "MicrosoftExchangeSearchAdminAuditLogWhite.png" - ], - "version": "1.0.1", - "title": "Microsoft Exchange Search AdminAuditLog", - "templateRelativePath": "Microsoft Exchange Search AdminAuditLog.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeSearchAdminAuditLog-Online", - "logoFileName": "Azure_Sentinel.svg", - "description": "This workbook is dedicated to Online Exchange organizations. 
It uses the Office Activity logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Microsoft 365 (Exchange).", - "dataTypesDependencies": [ - "OfficeActivity" - ], - "dataConnectorsDependencies": [ - "Office365" - ], - "previewImagesFileNames": [ - "MicrosoftExchangeOnlineSearchAdminAuditLogBlack.png", - "MicrosoftExchangeOnlineSearchAdminAuditLogWhite.png" - ], - "version": "1.0.0", - "title": "Microsoft Exchange Search AdminAuditLog - Online", - "templateRelativePath": "Microsoft Exchange Search AdminAuditLog - Online.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeSecurityMonitoring", - "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs and Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook allows also to list Exchange Services changes, local account activities and local logon on Exchange Servers. 
Required Data Connector: Exchange Audit Event logs via Legacy Agent.", - "dataTypesDependencies": [ - "ESIExchangeConfig_CL" - ], - "dataConnectorsDependencies": [ - "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents" - ], - "previewImagesFileNames": [ - "MicrosoftExchangeSecurityMonitoringBlack.png", - "MicrosoftExchangeSecurityMonitoringWhite.png" - ], - "version": "1.0.1", - "title": "Microsoft Exchange Admin Activity", - "templateRelativePath": "Microsoft Exchange Admin Activity.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeAdminActivity-Online", - "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook is dedicated to Online Exchange organizations. It uses Office Activity logs. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. Required Data Connector: Microsoft 365 (Exchange).", - "dataTypesDependencies": [ - "OfficeActivity" - ], - "dataConnectorsDependencies": [ - "Office365" - ], - "previewImagesFileNames": [ - "MicrosoftExchangeAdminActivity-OnlineBlack.png", - "MicrosoftExchangeAdminActivity-OnlineWhite.png" - ], - "version": "1.0.0", - "title": "Microsoft Exchange Online Admin Activity", - "templateRelativePath": "Microsoft Exchange Admin Activity - Online.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeSecurityReview-Online", - "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook is dedicated to Exchange Online tenants. 
It displays and highlights current Security configuration on various Exchange components specific to Online including delegations, the transport configuration and the linked security risks, and risky protocols.", - "dataTypesDependencies": [ - "ESIExchangeOnlineConfig_CL" - ], - "dataConnectorsDependencies": [ - "ESI-ExchangeOnlineCollector" - ], - "previewImagesFileNames": [ - "MicrosoftExchangeSecurityReview-OnlineBlack.png", - "MicrosoftExchangeSecurityReview-OnlineWhite.png" - ], - "version": "1.1.0", - "title": "Microsoft Exchange Security Review - Online", - "templateRelativePath": "Microsoft Exchange Security Review - Online.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeSecurityReview", - "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks. 
Required Data Connector: Exchange Security Insights On-Premises Collector.", - "dataTypesDependencies": [ - "ESIExchangeConfig_CL" - ], - "dataConnectorsDependencies": [ - "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents" - ], - "previewImagesFileNames": [ - "MicrosoftExchangeSecurityReviewBlack.png", - "MicrosoftExchangeSecurityReviewWhite.png" - ], - "version": "1.0.1", - "title": "Microsoft Exchange Security Review", - "templateRelativePath": "Microsoft Exchange Security Review.json", - "subtitle": "", - "provider": "Microsoft" - }, + "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC-Online", + "logoFileName": "Azure_Sentinel.svg", + "description": "This Workbook, dedicated to Exchange Online environments is built to have a simple view of non-standard RBAC delegations on an Exchange Online tenant. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment.", + "dataTypesDependencies": [ + "ESIExchangeOnlineConfig_CL" + ], + "dataConnectorsDependencies": [ + "ESI-ExchangeOnlineCollector" + ], + "previewImagesFileNames": [ + "MicrosoftExchangeLeastPrivilegewithRBAC-OnlineBlack.png", + "MicrosoftExchangeLeastPrivilegewithRBAC-OnlineWhite.png" + ], + "version": "1.1.0", + "title": "Microsoft Exchange Least Privilege with RBAC - Online", + "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC - Online.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC", + "logoFileName": "Azure_Sentinel.svg", + "description": "This Workbook, dedicated to On-Premises environments is built to have a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. 
This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment. Required Data Connector: Exchange Security Insights On-Premises Collector.", + "dataTypesDependencies": [ + "ESIExchangeConfig_CL" + ], + "dataConnectorsDependencies": [ + "ESI-ExchangeOnPremisesCollector", + "ESI-ExchangeAdminAuditLogEvents" + ], + "previewImagesFileNames": [ + "MicrosoftExchangeLeastPrivilegewithRBACBlack.png", + "MicrosoftExchangeLeastPrivilegewithRBACWhite.png" + ], + "version": "1.0.1", + "title": "Microsoft Exchange Least Privilege with RBAC", + "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "MicrosoftExchangeSearchAdminAuditLog", + "logoFileName": "Azure_Sentinel.svg", + "description": "This workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Exchange Audit Event logs via Legacy Agent.", + "dataTypesDependencies": [ + "ESIExchangeConfig_CL" + ], + "dataConnectorsDependencies": [ + "ESI-ExchangeOnPremisesCollector", + "ESI-ExchangeAdminAuditLogEvents" + ], + "previewImagesFileNames": [ + "MicrosoftExchangeSearchAdminAuditLogBlack.png", + "MicrosoftExchangeSearchAdminAuditLogWhite.png" + ], + "version": "1.0.1", + "title": "Microsoft Exchange Search AdminAuditLog", + "templateRelativePath": "Microsoft Exchange Search AdminAuditLog.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "MicrosoftExchangeSearchAdminAuditLog-Online", + "logoFileName": "Azure_Sentinel.svg", + "description": "This workbook is dedicated to Online Exchange organizations. 
It uses the Office Activity logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Microsoft 365 (Exchange).", + "dataTypesDependencies": [ + "OfficeActivity" + ], + "dataConnectorsDependencies": [ + "Office365" + ], + "previewImagesFileNames": [ + "MicrosoftExchangeOnlineSearchAdminAuditLogBlack.png", + "MicrosoftExchangeOnlineSearchAdminAuditLogWhite.png" + ], + "version": "1.0.0", + "title": "Microsoft Exchange Search AdminAuditLog - Online", + "templateRelativePath": "Microsoft Exchange Search AdminAuditLog - Online.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "MicrosoftExchangeSecurityMonitoring", + "logoFileName": "Azure_Sentinel.svg", + "description": "This Workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs and Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook allows also to list Exchange Services changes, local account activities and local logon on Exchange Servers. 
Required Data Connector: Exchange Audit Event logs via Legacy Agent.", + "dataTypesDependencies": [ + "ESIExchangeConfig_CL" + ], + "dataConnectorsDependencies": [ + "ESI-ExchangeOnPremisesCollector", + "ESI-ExchangeAdminAuditLogEvents" + ], + "previewImagesFileNames": [ + "MicrosoftExchangeSecurityMonitoringBlack.png", + "MicrosoftExchangeSecurityMonitoringWhite.png" + ], + "version": "1.0.1", + "title": "Microsoft Exchange Admin Activity", + "templateRelativePath": "Microsoft Exchange Admin Activity.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "MicrosoftExchangeAdminActivity-Online", + "logoFileName": "Azure_Sentinel.svg", + "description": "This Workbook is dedicated to Online Exchange organizations. It uses Office Activity logs. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. Required Data Connector: Microsoft 365 (Exchange).", + "dataTypesDependencies": [ + "OfficeActivity" + ], + "dataConnectorsDependencies": [ + "Office365" + ], + "previewImagesFileNames": [ + "MicrosoftExchangeAdminActivity-OnlineBlack.png", + "MicrosoftExchangeAdminActivity-OnlineWhite.png" + ], + "version": "1.0.1", + "title": "Microsoft Exchange Admin Activity - Online", + "templateRelativePath": "Microsoft Exchange Admin Activity - Online.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "MicrosoftExchangeSecurityReview-Online", + "logoFileName": "Azure_Sentinel.svg", + "description": "This Workbook is dedicated to Exchange Online tenants. 
It displays and highlights current Security configuration on various Exchange components specific to Online including delegations, the transport configuration and the linked security risks, and risky protocols.", + "dataTypesDependencies": [ + "ESIExchangeOnlineConfig_CL" + ], + "dataConnectorsDependencies": [ + "ESI-ExchangeOnlineCollector" + ], + "previewImagesFileNames": [ + "MicrosoftExchangeSecurityReview-OnlineBlack.png", + "MicrosoftExchangeSecurityReview-OnlineWhite.png" + ], + "version": "1.1.0", + "title": "Microsoft Exchange Security Review - Online", + "templateRelativePath": "Microsoft Exchange Security Review - Online.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "MicrosoftExchangeSecurityReview", + "logoFileName": "Azure_Sentinel.svg", + "description": "This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks. Required Data Connector: Exchange Security Insights On-Premises Collector.", + "dataTypesDependencies": [ + "ESIExchangeConfig_CL" + ], + "dataConnectorsDependencies": [ + "ESI-ExchangeOnPremisesCollector", + "ESI-ExchangeAdminAuditLogEvents" + ], + "previewImagesFileNames": [ + "MicrosoftExchangeSecurityReviewBlack.png", + "MicrosoftExchangeSecurityReviewWhite.png" + ], + "version": "2.0.0", + "title": "Microsoft Exchange Security Review", + "templateRelativePath": "Microsoft Exchange Security Review.json", + "subtitle": "", + "provider": "Microsoft" + }, { "workbookKey": "ibossMalwareAndC2Workbook", "logoFileName": "iboss_logo.svg", From f15aa28c144e42ca0b8f57c838dab19ca66d9d0e Mon Sep 17 00:00:00 2001 
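Review bot: The new-side entries for MicrosoftExchangeSearchAdminAuditLog and MicrosoftExchangeSecurityMonitoring describe themselves as using "the MSExchange Management event logs", yet their `dataTypesDependencies` list only `"ESIExchangeConfig_CL"`, so the event-log table the workbooks actually query is never declared and the gallery cannot warn when it is missing. Consider adding the relevant table (presumably `"Event"`, to be confirmed against the workbook queries) next to `"ESIExchangeConfig_CL"` in both entries. Those two descriptions also still end with `Required Data Connector: Exchange Audit Event logs via Legacy Agent.` and the entries keep `"ESI-ExchangeAdminAuditLogEvents"` in `dataConnectorsDependencies`; if that legacy-agent connector is being deprecated elsewhere in this PR, the wording and the dependency should be updated in the same change rather than only re-indented here. Finally, the bump of MicrosoftExchangeSecurityReview from 1.0.1 to 2.0.0 is a major-version change with no visible description change, so it would help to state in the PR what breaking change in the template justifies it.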
From: nlepagnez Date: Fri, 30 Aug 2024 13:59:58 +0200 Subject: [PATCH 10/19] Packaging Microsoft Exchange Solutions --- .../Solution_MicrosoftExchangeSecurity.json | 5 +- .../Package/3.3.0.zip | Bin 0 -> 99403 bytes .../Package/createUiDefinition.json | 20 +- .../Package/mainTemplate.json | 3531 +++++++++++++++-- .../Parsers/MESCompareDataOnPMRA.yaml | 276 +- ...crosoftExchangeSecurityExchangeOnline.json | 2 +- .../Package/3.1.6.zip | Bin 0 -> 46700 bytes .../Package/createUiDefinition.json | 4 +- .../Package/mainTemplate.json | 284 +- .../Package/testParameters.json | 2 +- .../Parsers/MESCompareDataMRA.yaml | 240 +- .../ReleaseNotes.md | 1 + 12 files changed, 3633 insertions(+), 732 deletions(-) create mode 100644 Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/3.3.0.zip create mode 100644 Solutions/Microsoft Exchange Security - Exchange Online/Package/3.1.6.zip
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data/Solution_MicrosoftExchangeSecurity.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data/Solution_MicrosoftExchangeSecurity.json
index 178680a6cc4..c7462b84ea1 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data/Solution_MicrosoftExchangeSecurity.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data/Solution_MicrosoftExchangeSecurity.json
@@ -17,7 +17,8 @@
 "Parsers/ExchangeAdminAuditLogs.yaml",
 "Parsers/ExchangeConfiguration.yaml",
 "Parsers/ExchangeEnvironmentList.yaml",
- "Parsers/MESCheckVIP.yaml"
+ "Parsers/MESCheckVIP.yaml",
+ "Parsers/MESCompareDataOnPMRA.yaml"
 ],
 "Workbooks": [
 "Workbooks/Microsoft Exchange Least Privilege with RBAC.json",
@@ -34,7 +35,7 @@
 "Watchlists/ExchangeVIP.json"
 ],
 "BasePath": "C:\\Git Repositories\\Azure-Sentinel\\Solutions\\Microsoft Exchange Security - Exchange On-Premises\\",
- "Version": "3.2.0",
+ "Version": "3.3.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/3.3.0.zip b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/3.3.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..e0f052452cc7f2913a6f15fec1407b19c04313e9 GIT binary patch literal 99403 zcmZ6RV~{ApwxzpI+qP}nwsG3FZQHhO+qP}nwtLRKFJ>lY>PJN>E2H+R*qJN8EiVNG zj0^w(01jYmi>qG#M@7jC4gla;5C8z}-&I2gV|^#%zvjZmCgwKgPUf~Yv=)xGHrJZg zwp(ooKRS88{%b9FHg$C2w+?8)(>O0yuNKTU(3`IB@L*syL)*qQ;hYH%9*!_^y$X5X z3%Mz}3+egf3Od!hx*j6m{b~xx986iMrXfdkz27i~*}Iu$w2C|Kv!{x}4^C_rX5qK`G!^$QLlF2Zy5knJri~GA# z6F#fwi&~C3!{Kx6t2t3kj20H5hL~LF`Bz?)P5%CMj)n~n&ND1>!NIa~hiFy-BjUzN z9FaqN1c%(9!ku@hR;zray(!rc-BU%l0HV(`bX~O^*hO z==u7hk%)rp@MJf?d+?aXqzMS%P+{2JDon;(ow;9~`5f6euBePHj_ALar|%e3ghy63 zm7}&XjfYp`iM^CmI=t=!FG&5-dK%KfCMpbEXjT;o!Zb##hDZ#5HR#hZCKG`*@46Kv z{I9x<*jG;FeoerLM@OVyZur~k?I|C7F58{6YD{M>2)JWIkM&HHt8egFb8oUl>TZ|- z`QSv9&CFBp9Ot|qNwKah<0Xlv%8G)(F-q*=#!bXu=d}PlDRlpoUTsU1pkgGBAQN*u`iPO2Jb)kL_2DFX^jG4*phT4@a}Fv>f( zh+L?d$rA2NL)Tc-IM&q~y%V4l#{G%J+&wT0&%j_^rZmpN;8Q1L3{*bR$eu_eACiFf z?(bi#!r;XDAczc>O&N1)=Drdaew6MXLo5OIjuDu|HpNejke`&>V==8C1BprykqW7X zId1G1_s-ZZQ>JGb_Q9XM(9DwXQ}K72EKbVv`J8DB3?^=kQ?Uuil8Zl;+*BYm;l@b* z(etZ@c&EsL=7-aN_k>;m{Gv8#j!+$41PAZ#S}M-i*XU6E>6<(S>;%;1`1$j&~DVR!ijEC0h* z@dQ3HR)sOV_291%920~=jm-n(e~8H#3lZ1;7agiY;AuH4TXLpl-*Qfb5QCj(jf30Z z@OwM59AQ0=zM6R-I;LPOmSeB|Yvm!_J-HI3?WkQmAxEjx;eom^2DE!ElGpRWDA&?1 z_vs5ecbC$eQQ;y;qh~0EAtN*yfr}hbU^;Ute$y;RT#LYJKz*lM6jUvObb_p+&OgLc zuK9p4jN+EeXeZ5r3{v3f)h|X*Zn~q`_4m4mD() zO@~jWTBFe7#BRkI@1f|4-=qmZKQk+kHQIsiGpq|_{3BoA z2xoT{4o@hagz}*JAV6>^_T9I-Y zd|wh29sC^>S2uQ7r7B2y-Iz8btWxoEU#;{|E5KQ!I^jfBl0*!#{Y;)ZZ34I+HIv#h zTwpKVaT53;s0Jn2Q+~oP9v)vdKM>yD&;=?rTs6|HN1hQV|^fSA##N>}blVb+L3E1;l$Or_|cv~-m+TdT9Gfg}1K*Y+P z4KK*Clk>>_MN=$(yUhy~;^yjug9xa$Vnw@=LF?)VYd@Cg9f;g8;LcV{p&b56Et2}c z{m>>}_>EO*Z&@gVGzQVN<~WIgIS3$l@juDn%mZ3VBvH$L<5lYFN{rYDzhg*h4jO$) zr`n})+NQYM(ItRZPa&mi-Ln%uJTDhmLCWBt(yJA#=p_@bbr0RVkJi;6tAViE<|2}Z 
zN9Y|L#i-U_4p&A#Tkh^#>j2yU+h>)$o9s7Fv0TCupPR8*^iQ9T9uXZh&0(tE!sPWE zB*EE|BA&P1V0#Z=il_cMEER-KovhhVhtaZ$L8Axa8U-fOd%`K?MX&~w}A z+Tm=L*N5O9zF_%#M#o6Won`Hal6LG_gH&E1{!&M=b13&luOhJo_EjaYb#*U&mHzcq z(q)WO`Z!&#do;o~C`GUEK4UI!%y95e?e73a$Hzfo)5pk&sKObb2RL5B^wTm-SIq5S z=)9~#+si5jjT+(43w%xh?jkSAk~~-~#Bw`>tPc5*oi)%cviWzm#^$RHkHdphDvk`^ zg8CLTW=Fo>E_d5*P^ef=)YVLavgsyklK7?&uvPh1$!Q`kl+6?JM%s&54cd_scqJ}s ztKop30vnKs8gHn?mgxhfJ1^0~Uxk(lJ67^BV)dRM?v*paFvtOcZ4bv{59w zldUHmxLgo6i9ill@0d{0wh4&m^ZhWb9OL!Gklla|T!|h*FdxfDP@Lcgk?)0>m>FmUL z!;m95)Myo%ua%F@LqWs{MGo!Ag2D)s{nt&XemSGsw#<-u`#=$}wIA4O8LjFpB*r6k z!9k;Dy2o{0g%{6QmuM5v1hT5a<+QhkI!kwhYexoTk`r$kA$D-5++PiyRE#b`nJ3Kq6}K5cO{4V^oPDrlCsih#-c!v#%_e7mJpRwGFn|LuC_WiY%&) ze_xdmd3H3q?fnWs3wVWzw8ggmv(ulJwB*~ZRJmbE9rXord4DA*g31vZCw@n5UB0G` z^#pKrVf5Iuia=%#$JyLcgS;d~XwNg2H%Sw{(g(T^IC>ZSswPt6JUFDfFLt~aXxC^o zoS%c_vRHK)YJosYw^ohZpGnfTyjqghMeE57r5#uM4Q_$>`Qd6>`4CdpZAp2Pjjg5k z*lC>{e0(LkU8Y`TUV7KDQ&e!}&m(T>KY|1VK|2Cek$?}JMgUyiB4(^&ldEa4a#1`A zN?WfjBOH2_um&={0lG7SaRV-vN3y0<_q_jPj!aLASZ_ALFW zap2|RETMy0uX*8zPZS3CsgW}w-1jKB!GYpdgS~QpTToPJa5TRF!zg>J{o%J@h+*GE zL*H4~ga*J&F9}qpLmG5=f*l7S49>p=0C?U9nfD-V3{=-heZuL&Qm?jW4nP>8pkBq` zg#}M-shq<09B|)xd0J>f-kQ(-g1M3 z3&)=u$MN*X?l18Z59^GXu5bww&321%@)UC!?_IiFTbwU=g9HVa&?+LWbh^Q~0uJlS;=f zVvyX;!l-cLT?0Bq;=kmzVCr}0OCnZh=@n|SQb3Gs&3RH#4RBUmx?8o^ar1TcntjLF znlhg~kj~!VmF}N9G}KhSa7!iV^Ho6X zu-7`dQo`s2plNMbLJ-F0YG*Hcx^ycmmk#jR=diszH5)B=8wzTAK^r5B$B}xRHdw&0 z6WOVO1Pi~fSyY16QC1aE`uEg^g0<4>jDrXN46T`NM8n_}63EsGBQ51oke7>YyLMgA z)T5)#az9mu(h=bLcWk&|Dj@k6+@H)hNt=G`& zmj;KDn8ZtcbSYqRmYkECKwoWrB(_YCCl82fqf_u?CkDNElE>{LHj__PrQs42gS zY!D1>zPz#x!(T7fZ~BL^FzcX+EH&|vN2zT~K@=g|Jglx(z!N0G6#_-m$IQ7gP;D_6 z1!BbqWc9gwgpS&$Jy=!Ki8f2`mO*y+8v?*a4|!918m3DVuy5aGaykZO1I=%JG~n5j41%s47a0PX7t%*4| zy{^d-Xw5w&`{3`zFs~WYTN&D7bZwy5c(i%)OPtmOfQGn-54Hmqm4o(5NjGZ5Q^cC= zgA{Z|sIeT!qBg8Ns8c#+&qCVNN!nfFJ9M*jOF1dtL+V}Ltlr)0g`Pq&7#W{0M`Hm1 z-89T4@tY{%T?_2~)w#=`grCu@-?EJvc^=kU)X{NzPPC9bzhUq!I_PkpdPNlk4&eXg 
zu9;-qNk;N;L7zY-O-1;dG?8(N7+THV){VOY$C75xSAoS{QRhD2h4Ob72@ANDgzNS! z%-}U7wGf}xsW4MF?jkZ5DhK@+g!Se7DbnM_k*)lUHR&|p9;sq+Z;H&!-`qyo*xJtOpKbrIRloAK zble`wnD_Vt|LiqB2|046}<4P1Li<^X}>=Omeo z((2CsH}dCD*NY-jW@Dc%R@~Id8$cr%mQC|E&{L4NUMzf5ie2QsS)vP8-pEhc|0wwJ zFfe#_FfaDkqM2mbs^#sry1H8Paf?Z*CQY5ASzYFxZ6_D4pMRX!9ckCImeBVtDdZb? zg)t3yVy8Vo2352lK9vn(;k?a(vYY*UJ^#ow2Ao)p7vhlm^^|L}vM;v}*Mr5cyek8C09nPj8HqdX7I=KBOSMi8*B`Lf z#Uk`EJA?i24p^-Iow>eauZ93m2si63E}I zfqcfe$AdvuIV<0j@NW;`n#KZ}AkT(aq2TV{Zq)q6P9ayr`n#@Qy>f^7s-T6rPc(%3X`U zOI$;g1N(&S-NllXDqlHYHy6M-1CtC(iVbFh^9o65b-YT)w4+!^aq7e z{oDmq_s77?Ca7#GiD2CWjj>wGnFlMSm=Q8jT8XABuOEf?6^+J0u>57;Z%wYWpBtSP z&@>>_8^7A9&W;#w-YD6~7U*5Hkb`KZhxG%#!O4F;`eq5=b6rA{#va7rL z?}7T`@x52<7B7<)%Z}q$npQ7d0S8~)yXjY(tQ+&$t)pio4ww7fj%i={o_DyZ%wC&c zlqp|11E(7{Z%n9QF#heg%G5=gRl8Q->=%%3@f zMZ6B1k14BFr$sysn-A`QBTybim)-t-b?%2j@XXx2B_4@4NR^x4!iR5Pqn+PpG5PtN zbd;pnD7JfS^?n5ssxna-6xoNWJu_|f{&)~7b_ZjS^z|AFD)t5=5O?75?hnEBFtIQE zp0+m1%@?|f)^DiCme$Maf*SY8)YyQ3Z)tstoS@N(&Y;XX`giEOeLzRu@&>g^laqd( zVRMg`qRAbL-%b~sEb|&*+tDhJ@b=pOJap?D1d(L@diZedW3_X0!=u_{xbtyLbnq|w z)xKKo&;Jws6+WHSYG14R=UDAlpZ~=EIhLl?=U?n&bI7so(ro+iYHR5L;c{~)SidFS zOZXUUJyLn8H0W(#AL{Q&a}Hhj%C~No%gP5Nd^&ThE?xNQ*KWvaHhGvfS+;M;QZ{*F z@%eobrFWix`~=Nvl5%i+7jvWXrvtndXp zotZNfQ`rb`d`=c&PxhZfj3S~z5oJy7S)YZd^XWRhPMn+Q7Gr6{{WWrw7iCRZAq=*f zDIB#!6g$iPA(d8y8sJbP-B*K?ljBTzQ$s&L3b7U99xzc6;0B|-Kl>~r%pGKWsBhu| zc<(f}j(ajP;J9s13}-aLS|Ha@i6|17K;En-3@v1Is9WM; zatITXC+45(jilY}@%<|ZB{o?Qd~tsU(eE$AWRQDB3PCWUyy7;z$yf$#_d{26+_~fddOERjQ+h;*%59o zmeU@3asSm%|9N#ZZg%vy%kNy__~cW@swd*I&1C3%>u+6**lDTGb>*I|75cDd9;|*a zl%5aR(F)1yW6vfQ_@tj5ep5Hf-4`agX^QXB8*;I#7yQ0Oe)`WlU zWZ|mMnqp#C9nO?b*OSSHurs_+{l9!Tp`9r8o?okwyK@nid{v=dm;`s`ckXR|^L*FN zv!8TbVC7;yvQs@f17mu7+1%a_$iZJ^mB0NqzkB65(vHk&UP6r~ zzA<3)>vBPB2k@0;`d~Ng!`nN${`#H3UPO_-BSTOl3ANMl?{7^$pph6)jeyahos9`o zTMP@(!xjiU&?cA>?5f^c^`Fn(`aazTcC`je!e}zqPgQ4OP$NK7!z@z+Sxuy4gBpOZ zqyutmVbsp1hMX86NTlMPCwPLXU(z~7>D+taG#Wmj=Eh4p4c%49n^4S4&@5ZmAhZ{; 
z$NL)lB2Sz9ELsV{{*L{W-#{+jt9Y|lI2FDwkD0k710uWJ>6pIqcLs_iW2i~2bc-*# zY-`hEzM+c-<^IA8_Y+_JI^hLvWh(ZxTVRLv@U_ zL6{)fxj^9_JeM_*4EOBS8w8ZDt`=9%4R!SM2rfX ziuFNLANC0xj^ZQP8N1~RLZ~BQ{gZKZ1<{gD>z|B|k_MVJk)Gl=4Ul+WgC{tT?$Cfw zSQ#o~Fe&~>yZ1{k zk-6$wF{Lniy9qJAC;A$ZdZ#PYlHc_fGoxm_SWwTuQ7@(P?Q;-|_rn@2lYc0U-J~4j zckZCacW=bBYJUNDP5~&4q{qna-CIPPQFqqzbr&a}5c(qwEGS6+ zYXmXn)|dQx-D<-jZ3r7Ja14m zd|PU};+S&A;^J$$xj`4V5r|It@M1B5bRVIP7LDl`9@z-F{6JgEF3C zp(m=W(`kO5E+0){fu+%TZqY6uy?(KwzGQ^+!iV<2fN@R%4$+75tp_>Gus++V5GYP%j#+exP+ynS?y0#J5ufmTfJt0G7VPxU%f7o9hof zgwyepmyIE|^qydpMipW*EX6R3W2!XX-)0sm41cjFv96wG#Hs|^r2X9Bakn!*ZLnM= zE1v+4b%ohG2=~-dKhL%~~HFYe^zL?3P!a$bm^tdK-KJM%{Hf|%F^C(d+G z6d54_M%&7SKt1%Zf@6~ACK(@cYoDE_xCWTv~ri^h?nZNpX znWJbGm)>oVWdXMEucdAkb8CcV#^`T}V_3uTTeriD%I1GGd$x}%Jj>FZih-ytuEK9} zep;CdM!Ip976#4s#Fo08c@=oJbPseORexiaE?J}vFD4qZV&4l$- z0)B+B$pAf(gRMY%wD}K)T2;NQkZ-uF5CRT8Nk`myGZb>Wz}T_7#Lh4$x8qGZ>f+2A zM6WTR_ZI_m6KMI~?Udp=;amtMTiyQRy8!Bono(h)*+Mr1(7b;15e7-A6Nn_P3LV~^_99Ocy^kD?&i1h#- zSg7kh&yooa+E=T4u2Q&~Wr{i`SY)(Z`)(b^e7p}CVf&XzBrUrCwGFf{jYfn)v zYSOESNF5il*W`gn+*3Q|C>GTlZ^$YXay5qX6>1AB!pk3g&&KMOCm$I^tR{ybP~SJ$ z{0KYK*-wL{$q0PH6ViihdUYBQSK4`PEjl2sttd?RZDqSFyz6bhpnx!OTuiv6B~NCL8X3gd;?Cqz1jsZYG44{9IY8;TcdYMA_L; zX$6@Ue1tlb9ClB$^_rAUMaNYkW^uDDb@Rr|cD|b9%uRM5k9G5E)7`3?GtwZ4&NA4z zk4URAivu8SGx~W=5Z2^C;CR!RizcW*$W4|Ly0xp}#OHrgE?(w{qpTqPEtoDu z5|zL*K*xL}*wZ~7)O>9{qTb_XZoo>IAYW(;ETNWl2|%O3crXtd^(fsX6F1h%z0Z2v zM2`pwhlV(hSe68l=r^bmB@*R6r*i}E|^u*8K zZJsfLkSyJatI{sP_q7S8a+iTZO>S)#Yc735))ZYWNN{h1|A8|Ymey((s$4*0wJrRq z9m}ABeVC@Tdk5Ov?aguxL2PB)x*yrc$}t)LLqt8ME3&gQLV@kn{RkcwJ*}<=&fP@I zpN*=#0r=G|RGhMez7^bW7uN(}y^AxTA2YL56wF%!cQKsXoe!r*2-NB4%_fj3B`wLX zOLXzO6-%@>EL<8wsz`qIdNAr2a|y0d99iG(4bkX!hlCwd08}AF)#9LwdeV&WqE7^H zEcc!7nnEDxLQq0%;r?^M--{sM9KE5r6i{$cy6AZ!j}kYqo)nrdW)#-P?=9!b%>Ez; z!Q`L_!LkaZZ*oJaZ{wvhAblthNBj!uhVi@wrnB%8hN(J)v7{{kk#X7k%A@M1r8N{I@9L3c0l2{k3D17m{(f7M%O)`qG znZ*-X7CCh2q6c@Y5%jnn8fyk3poDH3=>`h8$))UZ^rh*92`?HQG1dj!B85)6WK|!Y 
zU<29@&zaG*k;8|6x9ue|3(S~;idP)PZyulV)b45)ou;lSjWR1He=-5-2*W#=E^IYY zl&v~vn>KK!Ej)-N*D>q9zBW{q+PILPG!VnxKcht{IvReXU1fJl9Fe5}`1 zpDNT%6ef7R>A|ujEJ8!Pl<6ZgQdTFFH~txR%e>{3UPsdseep0Hzz1l$oMTGPiI;KL<2Z3nQ}^zdM34aks|&(D z!E{$Yy;VTghyk`LZ+iwi?W7f9EfNgj6!ngYG{WtOfYWml0Ay_dayB{QsP|RNAvv>2 z7~zzEyT-rVa^}n|q|E$@&GPiwIsjxQ2I0JxZx5RkJ?h#Fj7AmwJ-}Hz2u?#Ew%3$| zsB9bSh2K+16C_AO8L!7<2i(|~KTfO1hXPC%%rjqaLYSt|F&5LWtt4jzg$xj(V-#Py z6?^Zo^*6b&z))+FAPhzbS-I!&?gu?qR6f%yC`a((jv2Dhjv0r-=OA^kPwtO966vzW zS|Y820ptAY41$Ik;LkU@PSK&8YvOTP}`JcC;Ju(iv7h!`95aUFR;k z4c1^a3v-Aj($thT$yD^LWSTiQc=UeDzx#`JQl!(@ElWQiJQ2Q%xR#TZG#3w_Kk$#{ z@ZIdz6~jq~G#befHU+4)O+pq|bq!n*h&c5QTWQ`HOI&^AQ~Ni?ff;3G!9gC2wc{#S zjdUQV$qu^3?Fl7|$T*~@j5K5kja>o0JSMuncV}YX0J8)Z^iM}&UOxQ@E4sp%o!js_ ze2qNp1aO7=1nx8E(|xqj^NF={Gx|GOSJpf8dnYvJYN)x8q$Uqg)*g|YnaiC@hPF0W z(<|2+E#{Hg9Cpr;`B-4vYnj?MWvHFCX12WeUgz=}*}=)JCd$2$@$Ch4ZAjb3LN^SJ zR0^GU@vY;xzS4oWeX}QR^+9NM;=AXp#T-GT?)$GaZWB&eN z5*EYxmiNYyAR=}J)DX>P(gDtV;Fukq&tsie!n?H+_=rm74me4kh6D4%$pFIS zQ`+1pT#_L`UxEoc&eFMZ&rOn)c7^M@e0uwP;VD};a$v*2U!(}2e(1r{9U9(N-ECF_nm zu(!Z8V*N;_#3v9fo}%xtyBlZ1T_9+Vnn&rec%;h0orBUP#0Iv)#Q&4Y=Q?w;JTuW; zb&v}y0F-L@>O%p}8%|@%MvweC=h#cCqUCnmr9Y)hJJEf4f9i+_X{_0CN7Lfc+p@-@ zm!~l!gV3g;Y+MkvFdT4C#8YZJr!HeWo5NeFE_F&8>SmHgyCh;&PGmgnUxwckBD{tMI(MR=@Xva5G zU0c~>cO61^99;-&GA}QpkQu}}e5&mgO(&wA3pYnZvOCJC9tcmlq83uGI%bmfXlx&; zNx$M=_B{>xy!*6+Naj>Vc!>>0L5>981?*1cLeEi08K@ngs`Z6$MMHNj7-J;Tf^C@> zO0bw~PLZ=zC%ltSBr{}{oYJx;o3g}b7B=EpYfe*YPQT{%VNXlThVZTD`oCQ4E);I9 zY0viraNt8@Mr=FpH&yyOv?p1u>zTk(%ov;w^RRM((TszJZ>T-=Lj?4fT^WcdE0M$lEK6skIJrcoM!5c)s_Y@lqwRw-)Wp)#ortHR z!-%Jtaf6;&^sA!Hd+Z_YLpTzQo0Y%?NV!sK753g6B;wt}yUeo9QN&<&jXD z|~IvKSUaH@3Hg*Ffv7v zNK1@#i@Clp468u(JMuCsp$CBrJ8=3RhfS*RU2nJ9R14toy=e}CR8wl7yF!mql+`bZ z$R$DUGi~8|LF4bI%wc!^%{UzjZTPKB`oH{C(OWj#u7`e#IeftD_+7r@iN3qPI&1R@ zG%T_B3}mH0N4(-Z4E!CjXDU!cwIVAp5N*26pGzjKt-i3l6c$XjNGrWSSd8da2%nq! 
z=e#g)iG1osy#(f&1{$HzVOJ}xhdCLC@j<4(kc(i7!B*CB2m0t*DYP$sf%xW`e>#RR zlo=2{8KO$Z&9Ec+Ti0g>%SxZ~vJwCJ6n$G7Rf%ND3s5bgm&Q zThq+@8L%-~2nXG;e~Voh1NZC^jSXXRzMewtM5O+2C!`xCMb1dyNOpivV1=+^{cr+7 zO(2IKs4Cd(&T#{)({MCjreMF@9oq@cHiTO>^hRfQqwEsnm|mCOX7h5{U@z6qn<|ky zS{1%|2mc{@sIRfhdQ% zTtpx0)qqdalKs6)c%tc~%q;HyXS6e@{&4Stc7>lnrKwzrvaG*S`)U3IkA2n|y;cL#=;^%66WDr)#$NNHjaVz*KEk zC#u!k;VNCU-)Sq?lvzE+dUYk)#NR{atOFH0=!%_icrGQ{vQ)x77a>xkHEv50WQwnL z_ro^^s*>c&z&$B!DftHX_n(Z*$6S&usf$4=4?SITBZB4sdgG>)a8py%XXS&`#3r}a)jTK{frG_ zDLOb3(Yrb(UVfjPtacY>W?J@a?u-`wnSrP>Pj6_}?wSB{F^$(ya5Qt>HBt8!SpWSuvb zaZ*RE+HAI3MCEd1$EOal!FEE@J~iCtYy#kCusm1`F2wmO(NnUlde zG4V$MEcw&TkHl`=95xd5ajPXSvn+< z`cXqg3mXTdj|A5BATC4ixacYYs3Vb<1k*7~L;uYdUR(zbqaosta_qnZ6av0}jE3V% zxm*_xS#}NqK?Z(%RN1MWKJ4WWjF$68#mx0+CGt_p{TPt--Pw7f5A{5##794zhS3oP z)nAB}s8sAkJp{<%={CIX;$-WGxvt4Xs1K*`Zt5hoKt3A-+^|~fsjLri$PSIE9=`o{T;Dcg_xaSklLs6=;bUgr7!@nUaF4t3GSw=2zskH)0S_S?QKE@bz; zd${RyTvxfX^ap;3$(I4x6~h;jR28n@jy%J(rO5sH&Sz`1*XZ&1r-PG5@USK`a74Qm z@_&mHSNb1uo;W)$Q@))vH*%3@<&X48-IBxy&fwa55OLDk56eYu_J$2Rf}f*PWNMs% zPDq+=`MEt@y?C6JoMy>Do+IY zp7MZp?vRux!-vY81faZxH^*tf<pMwqdWaDm5OoT8+-V(Fe); zPfOT*TF^rlsxAtoDMm{*fBvZ*Hac-zm~UOo7cZlC=djz6WIZ2JATd|Z^Q6y)H%}qZ zv=6=XKyyu3O>zL;VI`6`)($fbKewtdes5wIK59x&&YIC-NXZlx)u`8HfIux2veOWO zXoe^4@4y2NAL@FK&_}8jVs%T3J7rvTdkyT)EW(XMJo(W-s%Y-gw&a7@L_*9b?RX6~ zP9W&OhS|X}bZ)E$;%#~lA@}p=gFA$H!q`>#mY=6xmmJ$aavTQGYCdFOLehh7d&(h+ z1mF7e4BoZ>EXbnMBoL*8Sr9zH-mg;*gcJ6>Gh0uF{-;8%3?Zj|ITV7+AfMRUZ|UXs zo8DobNmE=4Im!VIWb?V4MoOX%y~BQPR#I*0H;<+kjhf9b#VcuJA~rSJ&M%Oclb8J* z#C0@#C-TSU^p5t-)#Jye_V6|K^*%Ha=+_uy*_OUVW*zmbwrOvap0Hct6C;sGN=k`J za(SE_^Qb{T_$b)boDdpZr)2B&6aTqLPDjkg6U~{Hte;%^kLtY#QF_e$jv9v@Z^oh< zbB5@g>+skjJbQ_;dKbB&x)1$M;1l;XLL!;M>B6rIJJv2lqR|DfP#g~4LHIH-NXO*I zocD?swbz9ASZp&rV?7@gj)F@O*2Ih(B3}ql-Zf5rG$i=?-ROQTSzvnhIO#*~SHZL~a_b~3kdg`4-=27OabaItdS}_v<6LuPg%l7~sByHYbX9e! 
zSwX88p`=&2q~PcfH*OR+455(=P0e6OF$O-aC|q6`0|#2sv!(ZGqmE&-e>Cnooowbl zr_V^vxGbjIa88=?4GynsO+cOw#aD%~HO@n6Io39M=AC9R)m>ik{@tjW&SQT^Qk|>& zoeYL~ym%z|Ld-!FEBRAC*2MMiY)X=bEZ zhU3d7t2vZMRuVtfXPv@DcIYeql*g>;xbQ+tTQgR+X%Uc3kQ<^0X~g^ViSv4FVk7+@ z4hRrTwpD-*Eia>0V5`F2TLOVuwv-}HnM&KN@M5g&%>OV#JY)hwLj*Vwl^CjXB?lTF zHl??t`vb3n(R1)Nh@hys7d%h2p>qo{UI&|Y`;Y!DR2QXjj8r@wyb&?TGHyI0{#cHI zYniQ~q)=c%75t}?K}2bJr;2-B>JPh=a+3OLV_R!qk*={;$C`<^9O7;09*#F|c?nZRj4)8{pBBZ7u8AOR9R;n?m#Pe!1 zO0kIx{L^~%tX){yeDWzf5ksH+sP?$L36nn?svs)N>4wIPglfYUs35pnfcRHQ>HW!JNhRD3lkyLWR9T}W>{+LPEAiY z^jO;8?s6ptz4rI#2<$%;b>4CGUX|TsRk`C7Xs2gc5sto3p^JHIr0>@DT=y_~*ck`l zbc1_oq8{!O+<9g_53cx*BblQ>)s?F2B^n3d)GtGbVumH>ATXqSDOn=j7DRJ*CSV9$ zc)B32WFE$p93;O@afHvvv1yTH6g&Kk=niWqKZSU(-#YBV-@^SK^#Z%8et0hqhdba% zDX0!YiOCF;By4*d&}f)Tpk`KKSX#}l<2TQoA$j!`R#C?8mdE}nl*#+q3Ot`IlgZ)g zGGjb!ae>_xK%WJP0SKw(VI_wf>(!g7b_O~{nTO4Yu^t3?Q6t& zDs4M7i}>@ux!xJ?W@Ksk0&olUH$uM20#0~(fkW(2&f>3&D07V$*rJ93^ds!No)fQv z_sD;-UQ5i9M({tZX9)H&XR1h3*r#|z^a_AyVFb3Ps(Uf{vVd7_y4jyZnSF`1~mKGKlrl*Cxeq#@H8OF zV#rBN0Y356BOyO9McZ(oZGXn%OOJ4)IVW&Id1Ut&!MNF=YWf1E?~sx%8GP_RTwq`w zp2~jGxz?tBRz>ge@ih9c@x%=XLjr4ytrXPyN!#}gX7JitHUlAJi)1G_?dmUvks z+F8wsfK6YemG8WqntdK{{mwmN=UAr4!>8l0llgbbiv0+@Jnj~w7Wp=5tpD-e##{LB zVtLn=WEinOk()cQN=y4YgWw~|N8ss-DN$OR7^TcPF;<@lYT7Nmzm z`UFC;h5Qw15*3xSCUw+ySNyENl`9qU`z?CFc!PiRvvswP4U_1q z1P2W6*pd8!J9;ie^&9dqbzhMBqB)Xb$|w&TNAfnCjHu_FDzzXA1;uJr1giIbZA z^ME@S@sp(k9w&$)hwp&5awtgIrHw9F5|ntm9tWC|>DgW(tT?Bz1?SMkh9>glYU`A= z5+)GR8EEtWP=Kpc<{_iG8RefP?Zz2W3ejGTA%6KG)jRYY@SJ5@;HB;R)&Dex5KSwm_Z3pr4O_iI5A%y_`3K=texr2U*CuL&iXj7zIQW zA!jbEgnM1<*_yr@nfki^&M|@%Q|Rit&k_r2N+ggr);B;u5*RlUW5?K8P5N1vX4CaU zHiO4(@e7jTe+oi``=EVeivcU48VUA?sF6=023aF;8zAr+%*W)zELvHH#w){CJIRwc zHyu9_h+GL8WSDvZydoI~aLZD9x9E zc6UE8ZwL+a85MA&Nr->;By2#1rz+uyNIK<8qM2MtswJ5*Z6d2#(o#|Mvr7U`PRVd` zj8G^jMW?1Z(b7{wmh&MwLT609{~Kiw;`M?ZfyDw6zy2zYOd?io4Q;nZA zT1zQjR9=`tEG&D|Mk%BpWKc~=o`Spm>vC-ImX6#IvG1ehGod8Y((xqAmiYpHXn=CY z)ZWTFYQlo(h>jbSt+}mkzzNy%}fRtUZHk~JUOefA<{`XZ2vEQnOG!vRFIrK 
zPRX#yE|#)kNT$FONH5MI<;nmaauMC=@2b?7RLZX%?}Q$qs)nVmnQ*t`!X#(krLF9@ zuaHf2%FH1m(sat$D=q?a>FZ%Rxvu9$Q*6ix7~ZoEu@)grNfpwnc`tdc&YfY?jL}A5 zVHF*q%NGwj0nXzxV82Qs1NIR*9c>aM>JL#6MQitu{L(&pKQ_f%;H4vV0!Xjw+}zag zkyCON)OU!PUreYCbLCARN^E(}%YzdVqZvEU}uqKX#`YzTDz+*2j-j97Y8Kqj6rY zB1rw4qKAzi@Se9U%##r+o#CR;g@~g`8UQ7?Y_)rXsp?R2(69PL7|wmX6TDh8CB^m+ zbW{>xrwVcB^*-L|ApRfFLC)|$pyMaye?Z3|;eSBKf*{?+e?do*7g#?IbMU`fw-|Ac zLN2PUh3gXu{X(~KQ|+q_Rs+r;VrDU$=XlNar-HO{2l}}(D-U*Vv6T)^AXOB^?e(f- z_SF=HWuiY2u-*jBA=Mn{EiYJuDu!!_bLcJXOD6${CMThY7SFN&PB8~pxS=(T7Pe|c zu9bER(@2hUTe=GJX*z=ys`3;Bddo@bGg>LDA%5#!drz>S72Q(vsxd z&Zk})i0=gMMg$+Q=QGE(Fbm0~^0NoK+NU?W3I*&m7w$-TQKapT&^De>TSu3DENe@I zEk(A#n~PWf7j5qtWJ&vOeRiqKwr$&8wr$(Cx@_C%vTfT|mu+_0v-|m<=e+Nncw=Jb z!$f569eYRI-!d|@FIkaQ8^S57(~hxA^-95$ ziDqbs>6m>?Y@4|Kl}1JxZ!GZ-(s-3c(8fcO7TF^odiz=TA++{G;zA;m)S$0~>5YV; zn?Qn^GZUFFvq5w{Sd|20U1WB4rs|0-D4D=hTc+1Vx+r9vmGG>e;yDY+B;wFt0Rcz+ z;FbX=n6fGBgEJUa)X*sZ^}<4&AZ?4KsPEHY5gxqtzIL@LiL66BJZf%pt69H|j4f0i zxh52*<~7b)AfiS;9Y1gyQ@fF|^%K%AA#GaU7sJE@rBxQ#$3b75h?N?V3yIr0J)-hP zUL$;{jB(p8ZBi1NZTks-k0gx3$qwd8btvmpN6@I1U644F+1%JEVI;l8&ec_}0dd5N z{irh{NSup@r5OMG*sb*mQZYsq}bE@Bj-xicS zpX^k^{selL)59qXnHE^{EbFZrup`2$i;&L*C7G0l`Fr`~v76-n2TJTOAu4(Os0-yj zVLJNVX;P1mYYww%wLjrRw}3HkK{p&5%J*%+UJ^TIgprJdgv`24pk3pzwYGf4xh7tJ zg5Zt;yxwcmWQ%R1LZp*)pK8#|Ae%DMBOJGCQtD#wBJvh7QNMHHq<616DU>U7=*3e3 zHb%)Mqj3Emhm(Kbc}1M6sl4h}Ayc5#*1tG{Iu?K0P6?Z_vLZ3yd9eLFjAG3r)3v9t`Mh#cD>{%EF zTigL2Pv>%b=NXz{w+MtgY6(<|^;B?#1cvYbiP4PxHO5q%?*tVc-CQ?^2Gyn=Kwa8l z{>#VV95tuHg|%dD)za*0FjxTNu?2NJd5>;1Ro@!D?+;+wnrf~!oSAVwZ=U{39-24) zArD|&ysQ>%;+_Se3J$yg@<5M>?=a2-%lMZ(u-s;udJs|Kz1%tf7kR+@OCIiHdy;_& zkYlJwiu#43RrL23kxvRiVskQ9rr2rQ}K4XBEKd~yJW#Z4E^l$;e zs!zmaxu#CG;_+b!+aS(3ohHOAf@oZ?6$%FL^upoFJ$kGPcOz8xEq<3B4wVv#cA1%Y zQWn))QRgxh8(fi8%*t53M3v4<*nwF8P%%B(LCcFnFfUGI-`PPHKOl;`y@MAsd?Sx= zwroq)A1L^ZcfJq{_$6Hd`~!a1+VP@c+5>c_+WrG;Uw9d2%4SV^g>giaB*QYm#M0Az zB?3Y41{br@yYiCP zJ-EJ%d8E(V+4cm`hy}zIg5z;~-0qfPL?o)|O#+`)%kYStwQd+LwTACjX2N_GtUtRo 
zD4$bb2PhVTipl5^Hiv!_-4Nuy~?0O2cSH8xSm}6vOTcx+zMr=P>OhB zObUg1w<>7`ekb>wjE9o+c=c@h-!Q|mckTZXGt~Zz8L;gCkC;J9Ea@lq&Hoc-!1?w+ zF$2W^JIrA5KQP0A_`jIpZ1w*i%+N9RFJ{<1`3Eyt>&TVrds5mF{lyFo4@Khl{|hrn zyQ@0dsZ-uhsr0uX)vZhrK9+0R3P;7i{R&pj=xA%_tWwm-Y^PwHSp=o5pVUjPC}Xsl zlqcaS(rJ|KX=`iC8hk?bJJ^M#Xlp}E>u4K$@O8R7-44yX-uk_Mn{A^2n&Rc-9+py^9ypC5Gpy@5SgJF+Rw|OEpN@JPqN5n31JM=R zpylsJDs%@+&9jBYq=e0BlPoK_5`Hk3qNCAF;p|{&(of#yV?jw(rCN;6soE;>!TANW zR4bi5q5JEtKeHgMLeU=*<%5p$Uf{a%&fjAz(eN&De1@iPA1|qwru~Nrb2#M{4(;sx zMs+M#XIw56+_MXMa&$l1lQD^?@JE;8w?!0wj6GvUX5zLL8$J{6xb(U4+^2A&?*C$6 zyrXJ}&7~mA-MDX;X_V$%z3_wrd?V8;Q5@{yC<$y1nWyh-U5}ifOTo8J9+Mv1Xx#i8r1h=;y^+YZG%@+!!Wzb5=vZ_B-18CVB~^Ul}P?&oH$0)2Z*F z*&0HIbIaS{*gus${^#Rs&BUP%%ddRsSt)$q$d#TdcQgGkJ>Z85iObDijA%J|jvDx} zZ+)8U+dhC9STOGUoW~9Xv%F7V(-v>aeHN_oK7{I80WA zKJEYbB+aCM;#=J8$9@_Z{y@lg;A3gSKjPa&TT9-9!#kWjh#>dD_yAg=E9gKpBVR&+ z?R1xJ5pS-0&w~cdNwx0=x!v1*cww(Cs+rRZ_9(1Vr(yvGN+hQ5-Cv+d1jP`XA^+G1 zFaxUFzs!Iu5Woy7+X2i#B=^{aj=>;TJ-IX)at#Tqodi#|uBiHnH=W@l>}04pJp;bS zggaz7l+YRKLeP==rIc<7LOHX@gO8%`u(ILWZDt?^;8nj{jJni*O!K zsCdtI@qzA&sfPam#>Ym~9BM0Ej34vbwLVIPL5q{u6t<{AIjTUf$<1=BvadGKu=}tq zWBp;pJ=MP}3BUys_I=q7&T2b#jPW{8K?UrEkGpGy8HH2iRyvGmit%!84Jz4%2_fF? 
zG34@Uo@37NBV0>W1=G4`=xgm+qei54q8MZ5wc==yE_6Gu|AeRoN_Kt=aBr~}h5|DP z=u!|PMquvBHIlPd?>tlbMd@@7i|lGFAhGtX>~j0f!1$M%bxY*P9bL!2;^v)*nA$%eamVYgg9VRbG)VYyEC^p)JvfYgpp1#6eE~Be?6wa9iIw ztmuotwgIi|>QR1?c$>I=w%;|K?cAp>cw1gJj7Kiv|~@zJ7eA- z>CUue0~FFg!5Gt^O0E3|<2`11Pp-<}t&KplL|WsH2ScNK=3AX{5cz~oQ?J6F^N@jL zGFDFP#-=~7wxlFgxE15}vz@=h_fF_Fa@za;lYgmW($FN1Ha^Uw;af!j#9#JF3K4@N zS`h1~^(Xl|Gf9IMZ7-E)6)LLcWlVibP*BkWeFTL?^1EsSpSU`}*KlddCwnECj22dz zEw3HtdI228J5l|h|C1g)gURGg6a^vZ3)-mFq`;mvkxntWlpHi{FXjM4`SBO|!C1o4 z@WK{@G#)>c;!06rZ9nd87y1WnSQw!z_ZqZ(Czf0yIIkB%;MA*K{%Za$JrP+r2~C}z z&4%3j?Z9?%t#&)_K)y1=`Zpy1|usHy$dBWd+|FTO6%lr(cIK=xkt6%qw+&ydzoeZ9lnXYH7yH4 z>_8f+;j|oD-JZag2zclfMmcC~^#=5d#MB&Xt5Jx|tnz}LjvvhC8Z*(xI@7dWv{pv{ zo8hn-pXM|cr99#b0QMp+1&F$6zU>N#V499~0e2X(DM6IAe^mlcpA?)AOpbXjOcFD#{wK?s zPmroeT=RY9Xk5(GF4azT!w01!s%N1P^+0c~@D_!rjt6~Cu_W?py|Ss`R3SGK^Y9yb zTlgG6)m;pC0Ke8gVQ3K|y5!C+Z5jBh>Z13=B+U&7fSY%N_$Y_Qrz$ifrb`i6_RJg< zx1*GP3CslFMv>srHPJ$7D+&y_g?&EwBuvEUZf?t5eNen}7e%)0HDAi?S;Dr<+T|Q@ ziQ~U7V!tkw&RDA#0oQwykuo_d%F+NT^LwV+Kd157yI4jo-7 z6l2&rH9L-ecU1on3hD`Jz^^Wqs*Lzn^~FNNorvj`X<+g4HTs{R1NI0gX2MI~)mU=< zjja@w4>Z}d4w+cw=$N+MIWtz)Hz{7tiBN3m_Tov!6)Q9JYsqP<}*ZqbNK{fey^1jhhoRSNoi`$02}Ix^km7n;(^reVQb z4D!7}+aKLm@^x&BL%Kvx_D{zux=_e1gIaT?t}$LLyf`(@_L5) zucawiaXIDj`b+f|YQP4~qJD(ppVzfPD&m(qdqye;;U#Gzl)@5u3 z=632KDUe$Y{F0<+P1R3WI`LQUrwphL(NzsQ)xl2Ozxd?ILrJ7hfJ6og@@Ynwl6Lo! 
z=`q1SZs;zQZfo}Nny@6mjQadQs2UKN4_Ge^^;g>uGyVI&OYkSOy?UUVElmTvzG2E4 zb$WCX;woS4M;xgJZ%;@-gw7*xWFCj;E*F|vI&H0H2TK*0DTTnFJRcOKZ8h<%ELK!I zLdT2|LnP3eRhiv1e8&92rt;cZ#Wpap4r(gRDRc<3B(&S%Gl0d3n7KOM$SAR&t=OXw z>nlZvX!ed3)A&u=6@X~+Ua+WOIYXV(VT2$yC>R9xLO2ouQw)U5?a8-EDamxuzUzY` zSJ-1#s+~7s+s;hyxKFRWu;4HyTk~*Fjy9n6tkWHnTW3DxJ4B)$1=nYRO1dbR_Se;T zbdoyRCx~2M{W*p+*&+wYI@iU~V*+=6*)wSXS*n|)#~j*pV|S!~?{uVp<94Lq@uP_q z66qh?M}uPWiJ$$g+c(WW3YOG-x@l^94DKF{UhEuKprK+T*+O3@CdUT{wk-=@zx_O( z=bxVBT%`a8OuQncLtVF?4n55{ZW>eVzb1mO(DFnDmQj-ds4=NqTSZ*|U^l&GktlQ7 zPu=mdad88HcYx7N_Au{7Ty{5wIeHek=qy11_MXjz(HwQ+kI-$-YG0U7<_Y$xA9q&p zb?>1eR+49S@)W|saHzW>tH5d2DgRhTY_MD#{7W60C|e|U&8i?+5Qi{m7?sl>f72!{ zvoq1NMtPUC!pt#ujN;59-}ylebWd{|o70cN=pO?NXWwwE#-vs8G~-+vr$x{>Ji@&C zb3Y4C&b8MPx(TN(cg-zuXmbt%6)sf>|FVy|$86%-1{f`J*A1L3z|J?0tl zeP8}%!2K!!M$CtUCMw*`1vA`xYSY$98=8yn#_p)}ASd!&q3#>b&%xVwWdXHLX$kWP z0-#5)n0gPJE7GE>2)>j>=J_nmP@7lk2h=54N9NTju#d^{|7QBNnrx9)Bn%PX%O^zh#+Z6&dN)!0?bcxoWAa zEqK9a&cIoP<8nQCBKh2Ta@Rq{z`^vsT8m?&iq{raph+Z)jv~zUrLRFny$lYR2L7`G z?sb9+vOMs;GT^N-q6LdlYv^zk&Mrp4yD8v_W%eVz%j~R3!{oc+)Nmr#dD`xNr3+JgaaPOkoIC`hW4COwBobF*}Bi_W7 znh6Sq8q%=Aes11Q8T+XMOTZE>EJ=Qzw*NhFjz+s?nFOM0W2GO;;HuB`9L<=G7}ydt z(T7*Sn0YT{J1{F?NEMAlbx*g@g>IgB_;*9utjQd=#aN%NDSSLxsTG)jP9$%eO+W-q zK+}D-OOBL%ih*8wf3WisdNjIGTrwtYabCGb-Cn=R8K@K|bF|giNKbuU=>u$tqwXNt zNtx;MU_#rQ=XchruPZfj_c7o*Bq~vV{U$6)2Xs(zhUQ3y5q*-#%$xS_gvr~wBpd}! 
z4t=8MxWaT zlnbu}X*&>@5by7uO!&uqL7}MFm)g~K0q+mDL#@f)k2p_xrhtEIGVE0@@z5HbSgN8= zTAoH}`Q6LmJ$_>ub4hBSb!8tKQQf2!ki9Oql2Wyk!Asr=pi6b2wlv9Rf~0h+5&DBZ ze!J}pZFZQE|@s>m+K?q&y zh!j1ktV*X=VRvOb9|yUA=AllJT48tREGnGoX$3~NSrS*{_$TAE{_bVLI7rlq0uI{uk0qM!@NA0});283H z|F5j8&SaS%LpDSXxN~XdSju~H`D^`CMhn@b zzX*M`ymh$cAB0Yr^B19qFBY#Q7@q^uhTX)}!F*nOZdaIHUAW9$P&8Z(`UdbOWNGzN zHZn%;Edw#74Vrs4R7xazYg-yo<(fEFTz$d8iWpVWON=jjCxQN4Ie<9ql7L`!;qYL$ zD`)rRQ!}VgCPV}}y9@2;$+RW!HUA4}R6L%Qvf#HM_}tE$Y3K#j{-^@v)enpU@mYK^ z;X@HO3tthp2q_O_8@mQVBdb3&q#)Z{-?6^-Vie%M3z-$AH>{1GS~DKVa}_eRNt5y} z=>?Rsp~h;p!)?e{hN+Z}QH6ig!}t|&+u1d5)gAsl9S-XE4{Q?#{c`C%^14omYHy@+)P4|ePr{jdZKJRUD8}9%b&Be@CI4JhO2<=8Su18J1rHxzhUE} z6kQ*1352XMLH;t6RP7bG039zox(BYSw!IM70*h>?%+8S(9{aLqW@_RNT+q9K$h0#q zN`Xt*MwmaDz$=218~PD+*b0Jxm-ZTP^{fab>@(3rV7?(H-<2VkcOLMWx{%Lj`~NKr z8Wz$x!a^2`ZDUlirT`-3tf%Kaa9uFuOTdy{zxiFuJE!ao>0rQsOF+*)ZW^GwX7c5$pYwtG zAUyMV4PIx$TmZApkPyIWr~|)Zk&9;Q#%XPq87AZ51Ja{7%k!fl0l6KZJJF##xWgXV>oTE3{$L=BPW9cClKpYjNf|*} zHu65m83c>*7h z{bk~d*U3zTWbFd!w6FEahZz!QrJ$QSyiaGKhK{(eQu9G_vA+w09>~V!qX@}1@@p;2 z0BYvv;Qp%~{E!`1M;KAA97rC8-1tCEIF^Aw}uui7?(JBX=CX z$(Q;tF8KeO#VanVrOL|!WIw?-urTfLL@#W4D)RR6l$}@C0`Z+<>0I8bZ0u{^N#G{kymyB$L;qlbd zPdAR$l~;cH84QI@<+}t`8A?OfNBtzMtdq~0OFTJK@VXk4d z(tWR=8QsYUH$WV0*+cKifPrET@?E>!!%9cWQ3wg*;Vt(&f@5pgPEz18XToE_gvYzb zgr7t^IZprG+Yh4XSHJ4cu6ZE=Noqqd8CRA!CSQAE6d@E|lDIr0aqYEtVXSgee?rmJ zC=GH2v$y-(6h)n8fx#3;{hQVt(c*OKyN5AotvVAVDu+<5rf5;?grfvtnyVdz_#&(C z3BOqJkB)Wb)y#1M{o)e2;;tixRCO1&H&#HhWTO7-`kIv_)Bf5b`i(rlEZ3+9_ z(T@V&)gMTs|2Lfj~JsNbM*B`yc31Nsx|B1fSJ%{Y@8RUdJA@6iocj< zKO!^iGQBu2r@KKr(bg4iPc$|wVl74Xu=V$VoVmsO;Y9Mn97Dj4%MTHAqOD!{>?syT z|1CK(0#q*&;zrbU-2d)pWWCa(Q1Wrgiw&=acH_V&kj;idMpx6^~%IAlmX9NCxt0C1|f|$`p-TEm+BO} zM;vW?dBpPmeDBYYSyY8;SqLf9&pTM{-JJmPiJxe2ha3&?_J}H`-r9{giBeEbyYi05 z4jLgx5(?A?#ftFkE&Ry84WoY|14geWJruVvAo(*Exd<%1K5JlgXK@E;W5kCP{>7=p z0zEl?m{3pcU!r+YrElKArW}(3{+4!h_1)MkKx}$;Kc{@}3QJv|AHVOOCC(0ET-3Jw zZNo?-low-}1HGU*#W>Vwz*WV9tC$LzX5)YZ6g?zPD9;P&t%!)e+NWhJ@rpNh02&8f 
zt8;$th&hY*jzQs!F_M{Iw#KSc<;S97nGgM*9HdR@9c<*dbRRNUF|{K5@Uv% z3clty%){d~1M6|id{J1X;F@ZHbG^)9c=56yt+m%LIB;gdql6HRMfoKcQ5T(zBZE3c z7a&sZ%EdFe`nxs3AQ3GHHK%tU zP|BOkPm_;tQgF>;X#LhCe8;^~aOWsL$MVry5_f{kf--RA`=dJL1*5wW(NJo~@*y|g zseswX3OzQ+qI=%)mW&nGEG8n6HX<0Tzqeau%aPp%u`Rt$${jgCkZ z)Y_IPw;SF*&q9f0>}1GSG7*_(6U?~ zAF1@RSMR+&UTtd4Mj7N!O!}T-;YoGgQQ=8V-f`hc*)N>nsFG%@JZgJ&f+wp+6}HAS zJ4Mp7fI(vehs+EJjHF5wWWLjEI9lR*%hOxY-xfj8yR*z*U#n4aj^CuKMvQuk3b4QX zFZ=G6wP=1GWVua%rBs0Bl<3AWCXdx_Q#qf8b*CKdV_{GN8-giBh)sY#x{tI2g@eSr zr`YKxdsbIIln$CtbPD?9*)*XldSm;l4xg6%8E{$%8vAr#iOlRNaG)$Lg`(h4IkCDz znWDF^Kv7emgbZHYRo^dE*@_~#iVFSR4AY}N&m)8jPCrp)=2EAkzO0IkG&*R4zE!&Z zKY`4dd6Q%mO5kM6vGTEn$2i_?vI42H+7bb%c!)Th$w3)BQUOAG5YSKs)&b<1J7YEE z?(+ycMS>=^sZeaz*#Qlcl^_+A>M&cTtEx1Xi~_OHFs>|yvp;!}k4)8%jvZ4c{K^$a zrg$Oh#vA(I^}}gwAI-D+v}$`Y)QVyNC*VlAFJDxcp6DQuKE7z4xmGFrb)-V6FpLpp z;Vg|tN}cW;UoOn+P)Na+p>|?`={(KvJkp)(+`OFi`Xy8Lx;+l0iNeMKu%3MF;$mgx z-*wN9A}=_C)K16UZtxa>ajopXlu;F?BEwmb?2AoND~Or;;8q=|q7)%W+t%WY&+VU} zQJ;O3WycpG(}1U@t3F3MQRI^HVb!11s6R9L{pq(pK4zKj1EWltKEN4AG``lRD_`v- zQi-W1^++T*$N3&Bq@XxKePfV9(?s=U4l;KdnmQz&|r{XetdYJp4Tl2K?yjEi@Z)iFv z>fN4u7+*X#*iu8e?EK)KI>~ain?tGr6XDr*m>%lNbu*w_;peDivE*7wS9Ug0i{vad zNuLxQP9~TbywO`|qfY@|@e~rAhvawZM;v`5xWk&*Ye?8Pfcp^i0$H?(({43fp$#qw zhqyHe=~FG#!`2S@k@Ihn!plLflDZNJJ=tgP(K84dlz1U{KQLlme<{4$4|QwxEmcW+ z63RJGmzI{PjX{n{&1W9tXBx&I_Vv_h+TG;N9PH9e=}8^Q{&ArolFvD?Vdo97Da&!k zsw~_ixExyAG3KVb*dDUCTm`$V5$pcg;z+_tI(&Cwxc<6t3&H_lyaXI`EkT^3_x7c@ zzX$pzvnX4|UhNsUYB6+@HdEF5&x^Awy#6CYAj&FwI zw>dp-4SN>2AK$>q#XiS&Zc3xbGPNHu8B93HOlTT#66;gaV3Pw;A(?T`@N(LuL#J^{R8f@G%Db_PE{i5kY^5EjCN;>qP6%+P z0ak7w)VrC&H#z;DS&4QY)_w}sXgg}BXW1DC@mLZG67q&@yLuq^uF`(O^rr5Ebm495 z+0lLit21=xYmM({U7 z!HO#p189|frjHejcpuRfe*0(Jg>@_2K=;Ry(Sh+p(*U*ddp``_YqZs80X#Jv>6NJF z40+daNJEKI{zO6M+#l_WY|cToQ^~K%=P66=eYF!Ly{pKRpc<35Zu-$fAJk6ig-IB0 z1GdzM7dsNNz^Sv0t=2;NLDJ0tYN=9nJ5cIZ<%pS?!_MZ4wy~j&&8E(N+|ET*Z&YdW zuQJJ>^$0RJ%3DW;F7>UyeR%?HQrh@vxEoF)$r{WPHJl~VMf485Euo~jO60wK0Y6yM 
zMMN-vS#{3A3MW+>&x@2JJq)HhI5>!a((}+YzBLjBwyLE6Omaj3svn?K^hLA{T_TWR1IE;T3USim_<##{@j*A#-Q(}< zFik+AW5OLWA53Z$bQ!u#Y?vO<9G^1}^nqcgbhF@$Ga6lM5tpx$e9-hQCE(a_ByGrP zBWxPKHzwdv*&R4Jg~rn^+eacMU-F;`JAli970D*vE~FLKJ2cD@4oz)}E@}ZQuw(M| z;I-hwJpkk}H@v^{*n@pqVEw|Dr~&N|yDh(74fd=;;<*yHx7ULFgT#p;n&av^5{wPe zH=hB;0|igT1>X>Ac<(%J$-Ijz_9Bh$a*pjIO>65yVbyetq-ec1>P?Q5f5c+_!U z0O*kmXJOKGU$i(|_F9;j8yq zsn!xSC_zaX5xLB=HA4j>xsJN<_g{a5IuJ>eReWgZzl|Qk`@Pkj@i-{l+_FBtu#3mJ z8y_mFegn(gZfm!H1K-|{HOlah`B)d|wxHS?@^!G)ok@o$tr}v*C8aNh{>Z@8(M!fQ zqt*J%h0++$OOHsTtHk@cRETO04NX|(_#oSp%PimVo^Co%6uSJPm&`ZR&DbNh6*_R2 zzyc`R#|=U_B*jLt=L_L}*YxW*_Ulh#rb_5IaI(_=B0D!BxnDsrh4^BDak_JJd%(fF z(;pbK3T1^}kWTJ5i5>_wUPY3Oy5LvXh0U!sAph1$b#xK9Uj*&|B@8d(*VE3-c)E5J zCh)6QdC~;vj`On;S&qx^2elmjm4fW1B8&;frm^Gw{TI)jM3WqFZ4cn3O6S=7+sE*? zp0vZo!|#}KdXw8=&2EWbI}xg%{6C#jI-;`00v&Kf%Xq+t3+wkHpU_ztrF0&z3-h zBvwZgiK8d;Zoe)>w6++J$!?HtugMF(|J50Zlx}mKqnt zthMK`UL9&?!&%flBd(Se$pH03S(NA()v7))kx)Kd6GDqTXXA3L%J3F5=2R?2)>m&h?w9bE-X9fR#gtec=x|sXF!C*G{fL} zT#&oeQ+-Z##{|6dce6{vuNRs668HCM6nmVYb-S*~KV z4Y$#fp7FQ-2acwi7RYxNQ$KvXrf6$}Rq6fYxVXH;!v_nT9=qC9IKDaTvn_E$zi^R_ zi49Cd?;1!H@T;-bVxi|Z?oC3^N~)WLl^xeS0w*^ylO-z`JcY?bClIc96tFHB&+2!5 zZ8!||y>06Grhv3~&{kqi2ff5tVv9zKigt!)JG^GD`;(#A7wxc8iQj1!uGj;p-%j_Z zJ>c1=_tPH!Df2ctw0~4b&w~Q+>^pW>5sl0G9CXdRF1xbNsCl5&#cS3Dh%)0sfK82S zjy?+Ne?*zX{JpThqRbzCfG9%^k5Q>W__1)wDJfl4>c?YR0S$ z98p^+eEKsAsHsV-sf-o$i-CTffj)Er@2PWWTdN+~TQk>=R?*f+W~hbfgl56~Fgxc+piMscUL-~VqV&_hUPpS5gj8x7V z&Q}_`tqshfX+r9E%Ds{KOz-h z_ClBrsS+VQPcDW_ptAWP3%y|zk-C3x+CW&38^r5NDebn`XnL8H6J ziK@QGxq#f#@Luv?LZSI?$824(*>+;T=>oN2Gwt&I+_8EFVQV#LosPY7CS+HhAhT~H5G26!gy3Rk~L-%vuB*!D9kB;GeDNF$5Q93QtAf5UzvvW}+U4fRW za{OTAvj^b54=uAB+{>CH)b@SA2{=f*1l_XkUg$R_9Am&{uK)R;3oz{GSUD@9|M#$O zYyNn&PCz)#ymHd&zZSz@G~=ql*%{gYedGz96=!<_ybDIo{a%caoc4}6gRD{E?2n+b z=)f~_&Hyo2r|@%Mm_PWO5l8qh1%j+|r%pMSdx;|IA?RxPFZm(eO&+D3v3>X8re!bT zNHQk6_e!Q3=*AB~X-Vq)cM(dMzJu+ld>n~3p@v86uga{lA~_ClbQon&E_;gHE(nMP zIyo?pBru^9GrsL!2sk?RdYH5w`54BxZ%_(DM@78QowSs#0YYQhlVGP)6<(?dibZ_m 
z8~p^vk*xiM!Y14^&I%iSLONv&o$Y4c6xEP5vxGymlY;*|p=+*ucz3aI&K#n#3~&mr z?jVnM7{I}5xhS2{JpRLPn1kZO$TI8`NO6DR zz!XnO4wyD+Ec_N7&36_zaZH!=jD!=~WneCu4=F*pH&QjADu|>{$~5PJL$2BX2-(8r zy5zcnTGU-J;8NSI#=Iraby?no`NNuKIiXcvp6Eg)ytc}w)t+XRu818&%G!*2}& zE0G=GCc;H(SrgX2!R+x2f-4V?HBMC#-p*J823au8GIu6;Q`{vKx{-gBBpY#;kA;8`K!}wk9r6XfroA~Pmh1zrrZNG zocVq_nun#We|sH3SUrq&NSL=9Mx4Y1YW#|vK)t8Q4N@044st56?|SbJ6hktteUB09 z^apV=c(+Cs`u1Xvx*4O&ZnWj%j9yde6jwak<`+EF=gq_rrjqD;GIdSZ)tOoD zpkusXFupr%ey^gG*^g#%*|aFKLodcZ3v>Dyg)|>m0u}A z2G^I=2CMAYx}h>Be^RY#m>+Y)TGGlX%1h3jY7X>Y3wEmINVH6ibX|EzuCh_n_2O*I zd9zeZN827)58bW225yXY@DIpm94a=_h@t}GRY z4cwccNYI+{{33aU>sC6mJ`78IMnGgDDQxM2ExojN%iQZr$&;XtU#?Z%`ZMz+7g>~+ zkJj*?c#$2jYQzN?6PoBkz_lxE+W`Y{)^d|>VFCz~n&VjZoVFv!d%dyahAdbMe2Q|+ zsP-UXsmtrs)YKtKcj&DL1wI)&yCI^Ttz%$o+l$Nf$pI zk0pM`6HQuhOWA(QMG(7G?PwzPn@J<;v|C79$6^D=ceQKjWK&z(w^QZ{(R)0ge>cs1 z@xk{4=#meiAg_U*q^f>DNcbwAL?2d&=PQ(V%-X#PE6Q_YZFv|E;h2-dBdG7*5I=M(fW}e01)!Oz zwU0`Sz(Az4Gqd-@wdHgc=q(nsUlIx9bx=Fzbh1bZ0y--#nC{-X6}kOJrkjQB)6_;y zBXP<_T8CM*g64B-w~c*?Ar^I98e|ZRk(7iVxrg%0t480WI8fS%xIW3h#;_ZIn|6nn zcI0!=Oy3-;pOGvQRR)plD)%`0a>i|oV~-OOY+{%vz{B`?-rzT7@lACgYzmL4jIkTY zlj|I`zK0>qCplgY-4=fG-W4UONpuWGh&*Fm$tGDUd=I4{5)hrZ*19?z-h?)@& z`Do5^zAZ2YI08(0xAxUI9QacfJXkWslR?TN>?~SQG8$2!BlYh{9&${yap%NsxPU$% zcl#6BG!msJ%-4l`!W?xO`6EK-JkzO>{*sN*cXeoDWUWoE)0l#T!}Zdi2%(iN1yEvB zQ64`uE>+3u1i*vnqz9TM=nae7_$34-Px70Zie|tpCnF($k+I`4B_@~5Oi9z_^0MFk zqJ%CdcO2G5x${VAF0>14C}BqKQPL>&^3_}xW$i%;Y%4!VZn%-~3Cx0m8dXlj+O}K` zjQPM&j}5sz0S80RvscGJd^uyl04ZrX{L_r%>$|ZzDzn6g`XV_5Z2v8x;;l=ao$`u(?5$J+|a z8BnTokwG$I3)||*rJEd2Qo>)id*oHkopo&G6O(GzUSlhnsnu;ubOm@9vtG^(1GgFj z6!f%~SXBi&9E@P!Mi7u2A%WBU3B1pO0U!-!#zoD!C==RtijezpgBI#YNu7l(R!_7w zDca)4sgLHGy;&le*@US)1PydJSuqnT|47tZiTP2*^umt$o~!ZQPw42gpua%0_%r$y z^L3N?&Ws+CbMId2ZU&v4>bbR9X^KQG-K^VkIcie+FE7d#be**sHf2Tw&hWr znP*vEcsVMTdGc5xq#RSltd)MoS}%Ldsw7y+(n{LHYMSON=*xtpB>4dxHKt$s&v9%ofa?M<a;%e`OchKqaf-O zxfCbw&j4D1su7`w(iQ-5VEh8+SiSyc)}{>pZ~m?MynxxSMrru^D9^06 
z7iLT5=&H!{s(BX#=}3~yX>7KuTg+{`^R3AENSCv3k`|;z=rxM$&Nb1a!*oUF=n}Ok z(3;7PzU!Lo?s2{Yx5{={QZzByWy^TWmdUP$W7{dwLo3zI0u{sp@Kb!zlF5!ey(M#U z9k4X_1F*(v9AKi7F3>knEYPpPC($xAQuRtRaa)cUH8T&?sA?F3p$yH0`P~X}9!I$D zimgy8Q+78U#H;6M&7{wcS(^#7D)aq<48%1NsAKHs$0U=!AEX;*rr|$f=wyhNw8@?@>;DmZ2b$Go83)}|r$T*#1bUg|V#T=B)BeLl z5qRqTj9f;Pa{*Z9q%(kE3vJdJg>ab!kz}ABs`M#L-!6|8c&Ely(4j={N&_S1OD@nc zKxS;|@>d3s%B``;dIXV#kD=n-a@otBl#xt@Q{oCj4p%5mI#8hUo)=~zyReoW+YcQC zs4Pw$7%W?@^E>gT)JnivFrexmJGlr}*9a@$><(6Pv#X zA9ux^5q1cjG?UCeyZ0){0~E7SScs2|56?1F-#rC0bKKfI09piQi`PD61f8 zpgBWrV<~c&yBqR4;M^V+(n~j+QMoejyz~n}ZtHay!4{MH#22a%jwk8)`~OALH->2v zD{YT$+qP}nwry+2wr$%scI;P}ZDsXGviTl)gZ=&gZ5 zA3pxTo)0MKjU{tCubw6VU_0>lfe$Bl>|xvqT+3*Owc}%jjO8~o*y28lJ{}66oklzB zhSV-(fI;A37sN;>iA3HCA{llAq)74ujuF`FbhQe6e}4D~FzmLr|6RpTqu^-F?>50M zM3wNEv^wwv2SaUuFi+r$qbf6kTwGK1v8Nvp?OuKb(Q$pPt6F&x<|g8j6S%FDKw%ZJ zMsn1fAInhTh;ZX~eb%{%L?Z}6qsrt(gmLpF>`sEy6#+!!E7n#R;Crf_5O?xlvX9Ri zMdN7Yh?*3N$u zF(tr4q*>BbWN0Y5)w9g>G{kDPnoRUN796>DPAiiz`l7I$HwBb^xCfjn4jQPuy8i4M zc0GY#PJ0*jSt^Ug*VWBJ6vf6&#EflSeN1ctWCpVuSLQlM-^@Eo>BTQC`dDom*<1Gx z)st$rZo_#%>T4I-5Zc2L?nJpV+CBLC;?raH-I+*iox9}y$cz$S`w=^m1Vi2XZ-yLW zL@jm(hF%?eTy3mjnv@MYx47V~{#M>5AjQ&$G_sTNi7P%+)_Y>x|JWijG7<8U1 zPb$>VU&F(|#6~?sF7(tPwKo6x0NsAfif&>~Ld30(*1OQ}?R!9zP4}7{hzh7-lN}bh zHz?C)!N%V8NGJcHK3NwQB;V#eujoCYyUos%|EN#B?r)vE1$_+Y#Qn)wlgfDFHh1iX z<<5SuxTYv6usymecjbJTw@7*fK5@DvM<6J0ex*n&N^YUkPN1KPu1(vIlDh!EkF*SC z=i&vO7ZZ%_gNj+)R(KuL3Ah~NT&U#i36c=p1}dG0-fH{MFzg<|wR#TmC5;ns9!K)O zhH#>FR@(I2YOo~uK7=}!+MF|qFCNiZf|$XO&m2=jPn(Y-31(X&F0E@e%V?zFw4(>BbQ9xnXedvqkT}`-gxMxlnW{#& zizi$>$_ydo5tRs*sUT^Rjw8ueEyzkm-)3~6?AW~ww7 zu~m6dQlDh&bY1uBK4xm7|9+Wly;O@ngfYjKq9yM^kynZfNj2fG8lvO1ECZ=eY;0FC zIH;ETL3x~J*ddEH4t?w=jtsZcsYSDv;gz(SNkyUGm7W3-rw&J*Q>UNGK`_)`2~nmN zl~x{`&VNqkL85AKekB`#IU%1bxPBxaxH$m3oI)uBQ#i2kl`8X7)k%I<-VT|Zk#VKf z5}{>nE2ob>PM??_-q@4Cm=jjOn3MRk3UGRyKO?$kQ0@J_KLuBls&;1q@P3?!FMl~M z7-ltaYLA(FhFB;EI`0w^Y}Fc>{Us|imX6x9wyl@-TQC&RC4|+2E=kv-&wAdjH$cGk 
z$78`|v&3fvn*-O~av$+Zv|$JDRkEbEuW1A=MlD%iQ&pS>+#4WZhyYihosIIO&cnD! zG!NTIvds*YTV(Y?mPJ0oefN7BdtzS`WUh!<@6e1ptW~ZiF`~SlS_NYmAgWyt*E!gV zSP3CSE%@i^UTOu>7>{u}VS!xFiH(tMkj&H=+Kz)yjvqj9-dIkA`qk$IQK(&M=#G8nw9U{d*t$B}LjTmKi;HsYA6z8bQK$5MyIcI}=5Y|` zy(oeE`oqe%bvS(&Nd(hfc<&3eZw_R=0S|Z^F}O!?!qtYx3?H zTH&@d)AXDiPL$P@dJ96}O(#*yt1*$$ z{3$`Me(8WE3gvNc*~}}ef^vuFWH4-C3XS3q#4M})v8(oNX6@|t@~Cc#K$66hdwwb$ z2B$pM$Bfex@@0!pliN84R@JqNGFY%XC>&=6_!T2Ha%Rh{{w2CUb6i9rl5}cLWZFog z_(}qGau4;+Uo?~r#wj^j^#c4t3dXU&aK_q4Tc2yjW}N9L|M<1PQwi>TSF=5VhX=@B zoa|u~w5)@xdqm9^)`*XpURhm4#L$)gEXf=brHCq++j^B%bIa0of92zSvsGQDDKyui zd*5lE^=OKN)I4orPT4x5wbUi`@bQn(c&$wv4ruIt23Pe>mp;$UDi#!E2rv@<(veHH zu~4;5PjM7*{1B+&doq8T-UE9)IZm2KZM^vGR`))Xr_wkH8;}s$GU>@=AlT3>%IMi-toq2*wbsz!sjqcDU0m62ja`}Vb%&!dkaNEyMb&cx$@AAX~(aO!4#A*1+xQQ~q9&-x;_D=|^oQ z(>t0Dag|qAn~Xr$&G6alQ^ubE?xTuqh9Ar?}P;GTus-izLS zPijIh_xhH3_|v!gN1r_#gF6y8q7OSXd5+|PuUmp0L6T>VD&ZDyXu5hPEHg+i6Q5=5TLe9GXFIIP4%x1{jjcUg;Ue?Bgy5s9f-B&4*;UX5>mDul zY<{kbbHe;r$HwK)CU@xo>K{!t-|M!PAoY)?^Zz(?f4jOH8bOaV!k(#wJRkj&@qY@< zk0$Yr{}$>}>-?`ou;Y6jQTSZ1R10`NCQx4r#*@{%&XK9W{TA+Y#$b0w-!w}zFdceX zKVi}*j&G?3#Tv^6h(Vi%j6N!N8R08gL1)ym&?!DNYhko0*Ou>J=!jyI$L9|SgaRh3 zK;tjL>1q4*nd9lk1IyRR#Br>rVoO={*rM`c&(BPdv!}_HRGyEmsIX(9fX6j0Q&gsm z6(1w{LzZh2kCkYv>U~d}>rK&pYOI*mylivR(b}4eM56QY@VahrMi7GL~I(f;Jyt!Ypr=)>IbjF1}0N z*idMJp-7}fevlXhGCLVfwACrO$6vnPW)DpG*9AdyWDpZ^=sj2u7sIhw(+~MK?*o}d zg3W+lepDWpr{MKcZlo-LX-l{hvEs<+)Icu8kQg!O2}b4En-2W|`1%bri1%S=o}ueC zZY0wP5nPjR{q6A0lGiaP@j9q?Lmw~yW}h{uQQ>&(jUKEl0N-mdS5NwMy6|;n1FifR zE%Khkk8lBk_&b$PRvLxD`Ju4E7Q;4h{&Y8I+&967JyIAP6|q5L+AyFGg(#VYX~}A> ziPAVVQ#dnA^SB0cZoBD`LcnLvjBn})iu3Mbvgs8}&YQq6aXJHj2(-ld-1=rQl+mxr z7U?pYbY^2NCWA3QcyXzk(f!k!>po)v_)*gDh){K%&V7Nk)D^& z020$ppG2yOZUVH5DFtmrIQNb^$Z^^Je+YTP*Vk9i@mP%R1C);N6zoxuR?&c>Py-z4KzlkNkIIj*X7?F!wcd7l zaj>a6FW4Aszr1WOopV&)<9vm^l(hZh*C@O7R>-$9Cp4eq;Gkjy01CJ7q_F}`*pn5H z@YliS2HWDQ$y|ox-`Driu2{!sBXYhmm)>`1I*qrKV68mHBDKBt<#?{%#PwHfe%*Us zd;~${^Q&_ZC5yL@s!n=AOw2HSQSjy*BTV*dhglx3Mx4@{r7}nq->u7J!oBW;%xwlQ 
z`Qr-I_Va+;*b9Ekx3~A}EB!GmB9WV)pFn{X0}8#gsz_L9S2#ujXRJ;;wG9dltoT>J zjbS%4H(nkpAs1j2{lkGZkM~cFW}|0Hb5ENgj^oWv3;w6MJE9xpNrwWZgzbl2#6F7U zZgLr~Vmg9X6VAaf7=l%bF!*F?>e<*(zLrif47`i61+9$3NRJ)Ar)@8AsYs&wCsHIL z)Wg}TL9mSljwnHdRj(ZPD8G#C2?~xMC9|>RIt}zE*#6LheRj$6SZ*jSaLX&1$m90~ z^{ax;ZjClnkd@ArfbdiROx^GgUP#uY!DF%401B;sJ?<*FNHxaFW>IS(pn{t{Rq*VY zEPDosEay8s^dfkHDfXzr^Ud?d2fj{xLi5q`C7KqL3|}@8ASw+aohyYh34kaBFm~Ur z=BNH>(JL)c=i4_OZ<{9;8$+h~ik%$8QdAlpL{7F8&}~5Y)R^YX7dO;)U+(yKv!CfTsZ#BH{EFQexZp z%1|T2x?gcHNKh0M=^j+UhiIMRF52`B5aoE<;Pjo_*oX*F85yEEX9P}xjNH|C_Hshr z{@Cv0A%t9lb#aXk8SNsBmpGot@fpfDj%~Lthn6O_r=iELUPaq92i90@V@H6xJI3RD zgVU0Q42q^j1t9>885^RI^hvm1xW9t6n6QIu(=(Ge6HIhV>mm{Oplm#2b)b)-Ap+}m zA#DKA7Zsd4J%;PH4quIGG_iTzS6Wi)94Zuye(ihs6kiupCEL)wz+i5tk1Ft#@#cW= z+VDNi&vfZ@?bBVrkr|H_--X$=So^@s09s4a{8?JPMJ{QkM_ASLND98=mE+8n#LJeI zbh5r2aIejKjN_Ybq(79@a}8Xlsn?*q|iGp zZ43Mdy4e11VQIsgO`PXl3PL+`kKJB0$Uaj;j>@>HL`WvO~d zHW)0zjOPs$@-&}}P{t^3AUGx@J*So(ut(oju0++A-L1)3X)8UqPYzkKF$v8elz@%d z$EhRlt)Yz$PvEvaT#AS*&dj*UQFDReH#nb2PKb2x<4b8vH=)&}3t5r=Tsi%j5yl#y z9z2fD%78RbZ>JPI)+W-$X=@a$6#_M&5WS;P3hY~JCvW&OEMEg6uI`nk%!qk*%wu;| zP#mou+|g#Z#@3xfjMAG$$YTAwP0g$KL-T3E&<9V;W0!8*bI4$|bv=)VyJJGTl{e?^ z5EF^{#~NFS_=3Qew1r2*+zcZiHIsOA#{snUyyvrOY?kl#jcAqZy*F%DyUvWN5teGU zp(MvpmoeYI$9Or!(Df;G#kZm4uKsyDEx!lg`XpWTAC8wWR%X7h@;@vtjGE7_%)I_Z zmpABtt7!h8NXyTexBpLpB<`R-uP-!^SG2})*}~o@i~Pqud{;-s8!Bx4G_Wf-qD!)r!E`4jovy-DbLGb? 
ztiyiVf^$Uvr3rVqAt4e^K<7059rt$+OG}guiUxh$-XDj|0$#4zV`>mQ9fPqX?Webp z`{yY~nmbQ)G7MQA;%2kMZ;K$dp{mvMVI)rYIgrOL$VST-nbP^f4b@?3yA^*@{t_w3 z%B_Zv6o*1&U;znh>-FxmfGna7??-tqMz)Vn>uiHcPg*lV@pFNjQU(J`W4LkHvw;fFG%T zCSfeLc1OT8HPXM4Y+ik^(=5(b3yldPNGcITb6)=8sUj99Q&_8sN(+tjfl~m%;D!Wg zX8ngT6V#@urY$>{TcSysTPoNrT>U!$N}FTlscPu4Kb=y1jbu@3hD&wT0DyfT5Q-d^ z#5TME+)^5lv070MLZp#n@2q9KyFwgL6LN_BGrE=vRrL}gPXsLKtn8;uZhz)1pOfiE zSO_Ekl9-&Vi1|btt^x>-880Q3*N};`KL$Z_9e@|M4&BkF>~A~kQWdGC7sC0yCZN@rG z%nIzZxJ}(&j-O|=<9hz>)mkqc3kwc=$2A!7ZEqo8f(S-InI*X;Ly^ZfzvYKFBhKbp zZZhyk-dht_{|Uc5BK$VKP@qM(wGjV85j4^2gkXR$3L6d__YKiV@{ zg9-FUOx%hg5Py+>g1YbGH^dD&0Os?Yul#FCsX3h9Wdw+xt1`ACN+jI&194Q-=E#*` zdQ{~Ux0J8h^vp?dH)m;~$PJZz>leY`AJsk>vLi})v+L^CUA4Vhjsmzx1-TgeJ|1)* z#qUozf~iJRkPOlEL|QRuIB%FT|9-e~MI>gU`clI)*wuP)A zEU?7J&D8H)1LV?zb)ZN&ZlNz@p?MVne~3^cjlzhY9uEpr@+l~W6}@!2Kq{DV%p-x{ ztXaJ5BKlppr&FQ?g+0cqt8HwK!#heh2S44oG(GmFyWz8~&EsUJEgUEInY5o~^6I|MGDQYWCpZ(@Ol7c6M5CM zbeh0_b!4yq_*)eQL4 zH0SZ}FRjgeURpUw*6VtG-VIW*s8T_tpRa~KUs~O8)_rQ)*i*Et>ONjt)$+m-$lH?| zc#y?q?>@io)=G>!n$iH-n98iGpsJ<1+L$R$w{Jq1zwjrY#>jH0=-#%Qcr{1EauSht ziMt3>4rq$Eo*T_CmhWlY=@s_+Tpa;rbQrL^-(s|B;KmFmzXCBr=|6PVx}jl3+9JMe zg*$`Ed(z>JX@9k`HKDDR+d;W*(5 z?F<&~|I!F8r$&MBdhs<8|Ie_h`28E!P-RXl@y^4szE^wCCyh{APsNR`Yn_hu%U7Kp zgS+XQ7oUz*8N-jp=d`Z11;FQ2t*s?;(f752AtUD~vw@;%mTO!sTYB2qBZ3v(Ru<0m zt3>96j48GF#9zABRQtT!wmlpBS+j5pTb-$PA4@>dZ;rdQX4=i$-F-hm&HE*PbIuzUYnJ*)sXMd}ie6_oZEgFI{EWAghqK2&?HJ zKJm-D)KhBVExHQx0jATQOWTfLK1XJnZ*B>^;}FRJa^^xgk2>;IK@IHSb^nln0WC#^ z%`{!ANaA&|PJh#k3rJXVbf&9k9bP2$MM{zWffVH3=nY|Aa}(SqRmpU`+QWUKV{fJ< z)kpAm;u6*ZvFV7iJe_BK;kUF z5m5x|n{72f=qwsftZTR!@~4Vz z;axAd1|Wp_pGVbKC(o<|LrpUhq1SDg;C$CCS3kPs&1DTO*!04E3%p7bcqoHbx#Nm=Qtg#6G3C4KDWbL zI9H*gsCDxL`88`S~CmcJvfD0k>`cb|#i$OsYR#83mJ=rQ>H1w8)6k)VTK*S=G zx>&^ETInHMC5zTbsfQCb%r8wDtXs z$l^)7eydJM^yfg1Yb%a2`p3Y{bkftZToz= z{8iwge%I;?PgVJ>k|n)VH;_}i-~VN2u_e}> zea+UiZ^?*{W=Z!BjvuTIePqo%`+~JFK~$@qxS1kSl{sfypEoB zFSCK@ENzBVNSN9i?cb^Y!tD!^*4jQXl)(f6?v{nM=!HMHGmPYYf;l*!jyRud#84H- z@8$XU$2~bOgqyG7I$)b#1d2u9`hVM~ 
z>?S0`*VFfLfJF;r?H#NCEd8KZP-@qf=KeuijYCLq?PhtZmRjm>BHZsJ|MnsHIFK6B z3F2*!cKACJUGf29@@B3W;z#UcsyOVzgCD!vz%wt0@jK3#$^o0+0K@*-aeC;PT$8;Y3=~Ia$?DvR94XS*VS^A+#2EK(G z`1ehg>51j0;#ugdsc}7ifJYrn)UIag+^uVg=*Dl{+$*)KOR=j4)s|d_MBdS=8@ud1 zwVuu6Y@8$u4t4&w?v^BO{jjbY=XSdG)1wO+IQ_63Z!K@t_spm$TBk;|*OPsHjxqDY zO&B^^1i;!Vu^bXB{W1kd_FgVHb~B>rRe=`#<0zjF zkCykd;lJ|}%zVBV?nk4t9xY{bZ7k{$8lvqa$z7K@hw{x-(atG)A=t#RQqk(|?EPyR zA81*2)}W?e3YN9!VF}aSrTX^;Ki_KuUta<5(*fU%ss2`VE2+%^Kl7&|kI6NMO0mD` zOoxhkj~{7tX#ANxWjdiITFRD#{1FjYd?c`?B<4dAB71uLC2i#f6-VGEE@gc1{bPiR z#wOj+W-0a3#q;s-s!Z^@+OfT0M4Jf${s{i1XOL8x1L_14sec1^rO1@w_a@6_ zPsarDQ>3##Q`yzc=lvAh{QWF!Gg3}CAT8rcfF5AxX#LR_ z;o!3fpNQBd^7iboz%xTHq+8=Y1BRfwnwaa)%YjlVe{~WBO}(fWTZ>j$mHxuX*`BGD z7pI(d?=zKGUz~LLl`h^j+&}%TDo#1_?;A|rt=S}pBScD%mSNkp&fOA`A8w~xL0p!k(W>}o!ths}a%NTixJmFS&jG1W~- zG07=4^rUOlMk9E3IWZ^saXC>Re|(f4=*=8$yV&X9ZRlDWAKXui|G!HoXLj2(|23ZxK-?VYn)3W^e8fNFq05-_%sna8 zBkQBQ4&ptI?4{ltz9Q$HbLOf~#@C#T??}DI>c*8=eWXaDD#$nMFSyGUYSl9NXt$MYh>pCpUfpU%8JOXeGncYqJ%3M8Z#1 z+jHBG41Z5b)K6BC>qwQj`8TxXB1e@Gc693zjA4=+!M~FD{ZLydW{}w(M?TN%K;f6?t!nNYxGh1*+=TjeaEd(XON%4* zV2}&VXP|#n=~hf+E7lC1AlXjJD_^gtRG(6Z=CH6Tq?RY1l13 zxYs}Q{l=uW!-1y#m&ZdU{bZi=d6O=^P>P^h)5iw|>5IXyZ87#pXmFHf-KXy}V}BPc z^Ij*IBtmQxxPRy61>x2V;=OB6H{OFTGW3rB<-V^N0)ay@=_Z1L3VV|mBVd=RdT04` zlGBfxOhMidAEHD!z~%Yo`Iv=f^A#Ioh;&TNy)ypP6WsbRqpZ1n{TlIDa7a|QPgb{w zlbkEOc+0bxzv}4D>)s-GUDHzUOdh~f1_pi7SkOqf=UxZw6KI>cr-N9fi@s-j{O%#704;PfY?m;Rqt4W%! 
z>eKzYytecA;9%d(KFkqofEmUz93!IvlTYAEYL-o;5_BtB${yt{p~|_1ouz%rx50@7 zT;l7fp?M*wV4hyk^b3G1ItxJnSPyU-CdR#gwjZFM#&zZR+|wk6v^l+rWL%@VR4^oH z_`028&hteksfiF9=;3Ig7Qpz6$%T!kH(7CjbUV5UgkIKkQM<}*%D>xA48(jxx*Jlr zpJ4zRDe8CzllIf*u`L0b6n}kSl^l>A9EelXCy7sxRXlGHYVQUD__DMv{8PmhUo3JS z0yX5FfZ=knXez_@T|J#bf`8$EC+bp#leUh@A4CB@Eu2TUS2oX!HQ$O)+?q61rQ>wK zZ;0d>;}~NRQ%1shwL%Z95(?-uZ^d2!8X2NSGkRnY@f`3i{3;-TM*w83X}Z z{R0tt3bz%QbtXsUNTY#6G5HC$ zM-Akd(s2KSDlW*g7-~|;cShP1@fj;20O@Dz0Wr(t?}m33;3J#=JEn$NU)gg4eF1k= z4B9e~PIXBtx(H9)?uG=um`4ZrH~F`WW0P-ykU6HDKyi!-0chPpQ?XJ%@|KjpmUC*s z{h8nx5rHv%k(K%1H^{x-pX@n?9e^4^vK1+rBp6M^!{1J`p;9CAT5hzh3VJ`+QQ@X0 zAUgz>{0jzRY+;uCUsv+K1B|<5Rp#1zr>UYrV+zUOfOsQ|W0;HXron;WA``E>SUuns zFxYbAN$kOar0K>lZDA92fU__Hr;|lMlL;_x6Mb?6aYRt9!19JF1uo-qlML^;ZU(P- zLzFG|!R!O}+rsmHjKugodyV)cvZGdhE9}pzOak?zHlsc~YP%ei;aEf?My=+8^y10X z2|?El+7a{?ZAJ92;$|joRZtbq0tXhUY&$fp;lSb0TdrTW=Xvz4IeqT5-^FetWBYF5 zcKUmkkSa25G3i*lZEzwDVCBxK8dUAXe;>t2Jw$w4Okf=2;Oc4{<{k*~ER3PW!%yCVm(U6;d9Nq$R>F zxj*%A!1Bx>J|P2j6cqvHab&VEx54EE&5bWk`Zi6R;4-e3 z{kW+^CbIB!uug6@xE|D?x%~Yn=&KD5B%xj!A(I^bFZ4BaK0y%gViALn30p_FXCs7B zloh`BL`6ebq#3^#m$Jv)m^C`~f zDyp;6JBM~gdihsgIw`p?W$6Vr9j&_&uF%Fj zy8>9G_;2Wo8)$4@Ce6)nW`k~1+xYmDrWY-Lb7V0tgElj>)4d1-qScvCia=>JXVH*A z6$EpR$xk58NN_zSppP_&nKU#vq$0L>iXfI@Xk+pSCMjE#AtTV?_;H3VXLAv{RZo%1 z=r4sZd`ht1xE*mad-1xaC38O5J|>;15G5IXNKS5$##zuIe`s>e^l>qJ=#2u!w-j2~ zOgJ#RB1ECSE3gt|whsZP3H$I^0(lgCgE8Xwbr%Ng1bZ?7ui;-X8xu2pantnWOoh^z zVQx@$X}M1VLOGHEZUmGGXe0#_1mFxzO|7^eM5bC%=0NRUkjFbIUWy#G_cn%gkcktt z>%hQ5WI0bDDN88?<2~XUx%)+66zP1N(@h=V#{`#}<$+IJEA;#1Ru~)`EA?Q3t4z{A zU&MX=KVYRqcq#Z2(CtQ72Bl&I`H^4>IWYx4QA*%S%$s^bK=XeSyMbCrMNJPmYNTEv z{dp^U6xflmx{#&T?ny z)*ZBbnc`+%J6@;DVufAbMg-b)K|uyBKpw1k5G)uj9@auCDk$e@$-WiOzd##_c#t?W z{_POSC5}c^*npN9{LlW7g*9ESj902jVKHQQOZ!P ze9>txh$3q`yi|nGAR^WUeGefXuRl4$OFB&m+q7D2m z5Fv$EY`%Xydf4wJ98B?N2Rg@bJNEtzN<(8Kd_3x6Ukw!W-G38j3?6asJE&gPPpMjl z1{7ta$-felin@R$ik6iS(9rw76crb0iVxmhTNs1&N}V$>X^mZBqMYv?zpeMES4#V^ zcr{C4=6sT&e&h11!$4s39vP33bz)gh3hJUYlOUIVqf)nALLhL|$IQ7M(<4<)E6qZ= 
zSQrIv6Fl>rVl#^v(hy*cL*o7zEl|HJ7kj8KYZQm1*_Dy&6e$nyYaVbJTOv`%u8mt6 zll$H+{_Hoj_iI(!x&E?d3O_fVw3~Krn;SG&9m!|gMN1&na5J7&_bslDjjyp7*;XJ8 z8bZ>qJ(lZ5&?`_3<>t_=&Xs#O2Z^a_Yz~^*wqybG-jYl0n-f^XVYW{>Y=h4!UAWGG zo=z8UKA2en&9B2Wf+xC`fu#wPLYCc%vjL#ey9~3Nlh(^KkGAmg77%d4P7K z>wx#lxbSu~Sxy^4$@Gv``1j+c<+s*XBvYYg%mOG!epdY8Q3aKtKPoZ$;u3Q1=UG$A=ZV?NqF3tRY(STub2aGMilos^n8}Bnlc9oQ4 z&F0#(@I-N9>ng7=3ggy`^bg#t?#2!uaFAVf&c7bd&yb@I>Vbq4fd)p`KyFme3s|`O zv&B)Eg{?^C=N54aB$*S0+}= z?){>H+U=c5n-YF34z6*}KB-}AjQ2m1UzzVMGn8%2u46vN-EU75_xOx2szk&M@n~3d z&1;v1656_I%Qfzke)S)D`ONcg*ur|Zz5R2|A0WsvY+s4U*}1T_0@F@gXVf(U6b@5) zpXaVca<|X%7E)NoW6wLY6tFY?bjPY3>TsgukF}{vJ&KZYglPvyQ9kA-%EhQ=q^J)9 zEzD=y?sJiYmiU?6wINZmF`of!-+HAOq}-`GTEB;EV5WSvJnFt5-ITaiivQ zeRY%aRXxs7$d*2r3fUkOjys*FfqzzoCWx)>v#b$7O2e<6Br)w{9$FraXeT^Wb!*#) zGpGw-%D3`?JJv&ws+1n@M7OGhNWaiz5nduj^_f5|hX_gRE<7-X!Q3hZ4(nIW3DNmY zOt!Cof?i3(DJ@HzDkdVxM)H?ziW_33|Hb7J91G%U2aVrVe_6R%2P}WxrB1eaS_+-O zM#64 z^gDymQv(Y;Kf55FMw+|>S7jI&s=AJD{mpLW0p)@Gu^bceToD*`Td5`x#%ooT!Ae}q zDXj%90aVp8epK3v$#IBY3ko<5p#&vwiob(Ska-g&O%1-*V{n9LQH(x!nj!G5YDABpH1vjz*V*+YX5xN+%A1o03G1G|LWFUkSSH;BA(3MncBB7IaM zS9D?O{zTLBVh-L7ph4)6jjQUx+ul-9DT}5)}FlXS z3bat&H}zLtLr(bgEJ}KO!Vk_UV07F%Cw1A_;BW|urW4BG?g33!R7~A!mTVTQ3OkZ! 
zBX@kI7``tc!2v|Dzs4AJREX%u(6`*Om}D|{pN+(~uJcB51J6CiBqly`cVs+OYLhfN zQg)<{WUPO$3pKQXL|X(w;Jp06AnAnZU_CeM4wj@esCANlDyB5or- zMl42)~F3{0{GNAS~sRJe%KB86#OCQc_I9pMIb$NHwEQSf^?^f8Kvw%$J0 zvc@pW3Ki{b{HzC2Rc$sO_keY**1WMoP;DVdc*}KLkGy)#JCDyihn8soYU&mVb(;9D zMWq^wWtvPeT-tyvO;iQpz>!N=&q%bC%8d+Y60B@K1c_~Wfw9lk9)9wdr8EMZZT=b5 zb5SgVZz`sTe&3j@+|i#Ya?F7=d9o9lwlN-&Cz(3sDs}et zE$0Y!T#JC{8~_>9&>#K#nu!O;PIP+67rw))9Wv%y?R1Bua-u~`(I7fh9Q;hNrQv6s zP#!UZ$f2>*q0m6cILHSR&i2gThIh4zh2I)jW^P)$95K1XDqrypRf$8&062AW$;%fx zSvd&e6EVkf47G||_1u)>!#teDx~{qufxGY{AB}Ao-P<^Bklk9%eg375z30jDq=_D< z@;U*NgHRfoI*jk3-{a%L-wfU^?#K{JYMA$wr19lmit1*o9gCT@^;LmR^mAU) z3nUzUBxlDi3XM9m9vS}d1k*v^em}c#6AAP3ip0N5pImtQr=qc7!glK`f_t8t8I{JU z&og)s9?96(P&&zA6l3$?nIVJ-2Q*!AoWil{C4mtWn2f){!N?n58$Z|F)u=3{URmBk z|G_VQfYwP z9dH$I_>cbA&88-ghRkm4ni-aaF(14_@?GA%d0GO;(%cMG$Tcaa>R=E;q$W?dP~sOfyg7joiwDrv#e9XgQaPnhfyXSZ@R=D* zC3(s`vsmU*muoi0N94jMR%Ne1%wv$yJTw%eeA&WeQX+M+GNT-tPW6u3UM|efVc2@8 zTBA)L%xM%+B^1857DiDWZX5D*_Mh;*I^I7XH8-t2b@i;*o*?7!5<91byf$o?{C0&( zj5!?i)pX&v@zUd>jabb=0a=4_NUs<>0s=in{1JJJckNeL$~x`zFgUa2x^JKri#Tq0 zDuow`dCX3H4ZFl&6-!sOX-Vxa5gcrdz+%6k+9f@l#dfOGRD4NgGG&@Iq*wP}@=|Ki z*|$I8;3pl#&pVlE8EHIdjY}jfvvo&T+D>Uonn)<5(-yVN*W0a8F*Z+W;N@-pF$E)HI^7#oyTP6 zu6K_zc`>7W`%jyV8$V^cUpTRjP4X=BdwOM%KyvH`P^DujQTz{aqUjBhfahO6UtQI3 zXpHA{ai~w$9Pbi2VBfC8aUoNH3LD-#mit}fe`&!#h$fuJqm>fu<=bwORTfX{vSOK% zAN7Nysf}7|cH$0xv%0X1!D6-&H%iTeWUgvPO(7HnN5QVrhT$1%38HpGIB8=h@mc_M z7d8$RixA%jWy3O?&^aK(xrF>oE;N~2$_Nlee!e8Ep;bLyjDOJ(U&0z0LLngcYA-UR zqOloD6Vpl!Xy7Cyam8}K_Rz^w6}<hm0v z{{1COfZ7XS7O0jUkS~cR<^(^VC&4Xq zYO;KXl7?G*RM15S#TvRmJ_VlqEkl#KBE%Hi2d8-a^=MjBBsT_YT5hJMVa1(f?H5m% zJD4?;J0>b^UhO7MT3HIB5V^nX1G6=bg5MS=w!8)s420lJaNa}r%xRQZ3cWG|(u_9K z*s6v)3nP+kL(dULjEls0XLl+82$^JH_^Lx z8x4-A5X3IYXcD3r>j?CmfRv+If^rfgUotZi4~gs@OJ$nMrE|6}aB8OVg>%FYRzu?W zO9I1{bBqE8`@k{;He@Uu8DdZm;vyG;kQu4qUo;9k)#u3;27T3{TCQkatnGyr)jj!x z|8At{qF^*i9gdPM{DigqN`E^MXa>~63aigOV-id4H8F~F+h{&kb`!*IesN;fGHb2)#o7T5?{Ynd>0pv?Le1Q1jvnl%dC2GrY^>=+Sv&03iFp 
z;vZW-Zf?!#`>h^jT|DZny_+7AM)57GBTpZOforjR#NvI3nAYxWth9wgPL^kI$wXFR#ED!{0eGwRo-8aBo5vW$wh^_P{xTmnjpz}? z^nz>hjLKndCPn~1AFMQ-wXg#ySF3rBFxhG7|`^`^_59sj7zD_}yrd%(ZD4tN! z&w)>VJ*jJ?NLRnN@exkYhW;W&HbX#p%H3gQ>AS=@7>T!Wv$gP=jek9Q&JPo18(ff7 z=ciUSoqyY#-!Z@`9$E_1>n&;BYDjG#4RJmX^40FRK#_-3^LEHxe5bK_TpkDeEkwA3 zn~D7UqD0yEWPk5Qa?tR7neewH%JfQ-__zhEbTdg9-R~nF>c9 znMyVIuidsOa`wbHMHXryfFO-8Zns2}guQD!oSd@@61@JrMc6AY=l3)275ulw z#RL(@QTl~s06SR0t!-CivgXp;uJQ~W2^JTojChGi96b%Xyq7m9A=G=9tt znwSPrn|lZYFd>D8D9e;e{Qm?)q%YcGU=0&4+gXGUp7hwp>J{znNN`n@Rdlp;U1G~` z%&KYO%4XEQ!u9X&rGJ)a{#{y~=v^;zl5i#b1xR)jYY zs(j)E0E>Q!;lDt9m0^lK?1<{*s+LS6VJHjz3rl` zg}vV+8|MQGieXv_M#%>VQTAtCt}MNW!Iq;pMXd%{E*afLNol^K?8%MXkhJAoqFJv;WiFfB=k-; zt9I)aRBLsw;o)#7&ou(z&gS*G>b+XUqJhX}4fMboUM2+h!!)*rgbdPd7lkW;&6Y;E z09IUeez_S{gU}`^WN`Q7{Z_mIjCz#E!RhYf2!8wJ=uLv$J=vhm zt4R0l?W|gy%IN2FGoMn?4-6}eRX=GGTke0=(eIX7!AH^V%~sdXu`G7Iq(lOdA|g(6 zA&7g_L-u}Q#0etO{!(cowO4hS!Mg|}bDJiKBF9j>M3mm2HqVi?mMOCu`YCeLMZse& z&y_d+K>^V=r)cCzS&ZT+9C8T`@gp6HogkJa#S<@T_FD-vIo5Sp|rbS@}T8Y~gZ97!;FY|`GVkzh>Ez3h==9wA`XwWnwGp{|Y1 zM!k=YuTbbZBy;mNTDf`G=iG@*3y zED2B%h-=4TkX0OTrME$l1<26>pC6Juy8}`T~c) zjxs@yC}NWkq;cpdu~SJ-0{8MB7$ek?|H6#S#nPeErV}wfH?@)RSHKase2D$`}I=q0`n2T%5OMXSydlR>*WQRjg>! 
z>%*9iHzWsY3uPLj$B1!3^nz@j>}>gLU0?jc1ybqj@SpXow{eaR7BCI{k{XsLx&1*K zy@n11#TmLMPNTtCQ+yZ$AYBVEaX{YCF1OHneT=@H&*2Obqr+M}2A?2#{cc!tMLXBW z3wzwmoOpeDWAQEQ{3Niy1=2ci_*3u#G+9WL!@$}A3uplyOSa;rWGMX?<(5PE zYyN&g;+CcG0STyfWX*H{vGbh}R|HQ3{?K;2y(EDniQ$$18xs-jj}?NZXA)%q-=X`4 zgVzPdXVSV+ps-4qC}-7qx9#dhz~zTYpc`H-;;IH`9)~0yVBh$et-}Tj6qu5xs5ER{ ziAA=TI5qkOLq?1G@1)ZrNatK5nV-iL;z)MMB4YwD_ssmuL~BoOAH(@r_5I|1+$1By zqV31)vm6-gX#G)z+B<^ouWtG z3U@#V2>sK%8?@&Msij}j-fz?cr%QqjppUAJB2rh7B+qDp*l zWX|CG*>vKa$l0)T2{6+H^I_Pkd#C3j4q*83#}xRElM>&DlzMx)Ze!ZFva_>G1tK3v zXC}Q2w4)D3B8{+u;r=e%?kQrEg$O>`kI(7GUi#lcYIr^H8BBf<+Sl{{J1)7|``ku} zEgrFfg(%^jcawZ8QPRx@5g6!lIqZGc2gN@y_GU;>;CEQ{h)TR)r)B#vD~FEW zZ-djUQtbRIcH2CvuF0CDbpo*O@Z?X< zHek6(ZD)P20kgyA9>(pIMF|s-pes~Fo!s5unCZUZ8YEs#6C8J2%wG*vv7}^T0KV{k z7e=S!hOHx1B}VS^XWi73ZNij9O`;sX$rAiJ|M!-jkbE zIYmr;yxXbQ0IfA4wYN3i#CGC7x| z!?zzanP;xU3odtnffPlr4ty%s*xJ%Wje^c^&`F&SUg`X(O;PiU&*<~4-L7J$s8EMrSa> zK`@1}Mto5Tk#n*P*H=JAgkw3>+buF^2;p(V9iHA465{-dK)a}XslIcOw7c1`E;e>c zA+=wJpxdw7#K>1G>OJsrmCV!6C7;87cRtZ~M>^h--le z>7$EpuP<|ilEM@0S*xr0%h4(abA%21y3p%w>N)A#dW#V2RnZ4ASkfi1+spy{EhmoW zur8~ZPTD;e3gk|4Iv}Su{o=P+wZMNFM>m?+iiUUD{res8)JpsJ=_s)hMKUbq9$Bwc z7!RcLoy41#EuR^6m^lL~pWC0DRjNc9cuq~4R;`U#$lVz`FPPr1DqXsCY9_Y*Hvbm+ zO>zaC0f%1{);a~_W$}0H;J6Ep{DlLP>0l;;n1A3NxoQrc(iy;E`W(iB$Tx4hGmdu? zaHk}cV+8h_=VwD%CTeaqL7lzt(1ZHK$TRDKr1}ziDK%JQ>#W}mxAHBFO<4eAcG-B+ zwy+G=BnKj+KL%bY3UyIe6@vi~W2|=Wk&? 
ze|^GNE(ATelNHb{K3&aKx1h+2=I`_*nT_~c%9R2b>8hvJ6GRUbVi4#WMqTORWJ<8QcFux z%yRi5VvN8AiYo`(^=f$Z>?0s};rbai{A5dEn~dhp0qO@sHoqDb=3K!`4K(mzhDAe{(&ZbRg$WTio;)5gl8+#pWk%eviU+qb{7iNmPIf=;Ilb29PT=83|=vV91LR zgg_pn{^uk{CLIa@qq(sjWDz+c7q=}cNYSN_CMJg3JP6_ib8?KZwepQ?B_LiWxhR6q zpFaQ@4@CSAN&*G}_c4YrZ6(tff`+kWlZ-)c{m60{B#vn;U^t**f1}aiyd07wBM0`j zFDdmUIO}lS>5>ld#BC~VX(JPxD`H7BX6uBZpK-9ViSpkGF(9EpuDGkQgGGpl>c&MH zhT5`V{H+P6KOu-+aJ}OQWN75?Fe8s7>RzYf!j4S6_@&eIS+#eHm@BACC#UI-uZaty z#>A~5e%&Z(Y(>=pn=0=7@m1u^Ic(IUzo+0VZD4v=0gNVSvS%P>8jnL*uDIK3wJn=2eEBO}An6kMAE6^9Io1Aple6ND$k zFSMav%M0`@^jbPukoMOr6-ek~x$Y5~Rh#Vy>Rwnx3*!o@O&v3t_jZGS>zA&tIY6H7 zTC)QyaNd1vf3hx_yIQ>H;~;?QALJo5MKgXx0vv2dT6 ze2{R#+UU7;+X!w*;h~xd=sB$e9SONSnEM2ZI4tTbz0|xzZbKx-OLo>NE%3%JL_hl7pve8ZEAEoMZ5C4MXLR-g*it*x)K zVQ2=ACigZc5Z69kBv`d(uW?{Fzt5*q5Gu27Mf^+qT1f*y{pgG3+XoFdLQx~e{Sg5%Dwd2x2Pqv(BCjWsJ<6Nu$ z16{hbdNZrX*PPeDI@gb5Q<&4|P1*6s5mCx%;a}=UTAL9NnqzZFseJ7N*#DD=;G-$n z$t5+0B!ddkMiTvCemLDs1^6K!Wh|k|_~SuH@ZlJ!8fUMChB|sLFHSx@AZ!asbNnY~ z;9BLdj(1o~hjwSaj2?*{NFN|KO|5mC)1D$2w}rHxW{WMZa+NQVM++$*me9AAV?yi<6bo((Jxs~T=wuqXG8GiQ!0{SwU^rcI~H6kF$tiu z^S)z!`;8Q%m&r0%rp%P#e^NNoZM`#-?oJP-&Z+fjseLcON-jYzrLrw%3J9!}z#<0q z(AFAXwQqJS0ji8GwZAXmaG%Ub3F1;pR>>?2~^ucLq1|!fG=Q>83=T0R~ERg_l1(x$I>_z?rT+Sp3msL7hE_R z;L@y^arMLcUk)Nr0?(gar-Y&gxAV!_?aP6v7(4$rBJqElkK& zd0e-jWFE14J=Oz+ij=8_sQaaiTZ?)Xq6`kvR4h7=mq=K(h*)$SR~0ui>fLj=U6n(; zEp#B^|L7FfGZuZ3We-g&eKaGjrYUNv72SgyH`n!nIH!3HDg$*eJ!0}HLtaXqNGA1G zlgTLqalV%!t&Tm}hh=JoR4tnzubzbf*LYlkI1g8{cRt-iUMkooi|M75Ywm9zHsOi@ zb*LouULPZ^(vu^18EAQ-m0f78PuJrLoVP#b)?T+~2s70lEjj`HwfQuFW8GD50hE1` zF8qgpdRDL(N?M)2dS^_RJrs5v0H&({PQL*qHy<{?6AC5Nhc70kLl~gstSgxwY=4+q zTtT{(>#ykV{>?+AWPz!7#XH3ZUNWvU8ZN_HtX4p z=`^Y{`=ko>xqEz4byGn~C%XFrwjHog^xtEM%!ZXyR^CYyj?ZG*$CrG^#;Mb?8eAMM zm3n}p+cYJM4Uf%)eZ?IAoB09Bt&E)&-Pi&?Js z`$3)SX9(W0uGL+ve^)t`dO|}X@;6gK3_9XZ@jwAB4aJYz&^4M~s=z%gxlQ*35~OeeI_7urgWDGk>R#r+?cMt)C1D)l3) z;R^gTTbPUpH_W+o&B{63mPpBUW5||o=BiiyLB@c41L`BkRc=F{JRvfw+K7=UFu1!h 
zcgm7Nus9nBOSJPu8SvUZy(T`#oAIiYzKpQ2L>^ntDm>)O2Scb&H<&uF>U2O&pw<_A#WmzStlcYZtku67~Eb;L+LYzIBLTq-(iy2;n4(4m(tt6QY=jrlQqx_-q$6b!^ zR-gbYqopMzv2L%(pF^{}2R)3!wNHCImFXMJfU$4H4iE{r|5>)j^30@Hmb5+VhVPT6 zOn*RfsIN+k#kPh7NJ`Xz$clBnl`sCpdq9m(3M~s4;;JH7Ir8~J|C#amvH5{QVaFGn z!}q09gMDki`8?JWD2 zDslgW?TAJ0j=u>bd#JDs7p^!w%vKfu*8LV`+Ms=dpa3cWGUW3T0?2vGgB3>P7kYJn zT9{xunp@KPA_Fifsu8Ip0b>Cr=r`FjHHUA>z!qO%M(S293(AE^M%n$IHIY&4!=3d% z1f=!`NvC79F@Ng(wI-7ZLgs)sjR&WShFw&s*kvYgF-w<4OF0oCzjLLH*)kO+esvtn z3mi+INHIb^YbS_78V!Fu?-_;~hz@#R{s=eaZW8n$vl`_W%d_|*G?D7m1~xgzD$w{3 zvSu;+sLLP)NmO+z4a5CzXzX(3S^w_X2i+`FrRLi*uxKAFFTA6DVY&vaZu2~Ibgp37 z6(wvFO8RF65HLLd*kK$e#(_T@{Qz<(_YN7+12PVD;wJgw+mzfm-o?Jrl42=%m<|=obW%uz z2hhV_rOJaq5=BXB$*yZ=a}!_`CDPckq6e;KA+01@^IG)WrhkmxDY8%6x!|J&T}y9y zBo+t3`(6%bcDM9I3e$E#2=l25SGAbNakbz4Ges$;K(VbcFGJ+#Tt^oGy@1 z^pP6jA`&8>+W(2x=p?t9XLyj$I5MSYT|Qp1PTws?)FW8hb7f33=wfU;so}1M?P$^e z17>Xe3p5Vz`5&w#83ZLYJOB2?C<1^L6Eif1XnTFn{xP>crA!t1wHaYun~o!+XH);+K+r{?Il>U>a-b z!#ibi$7$KgbF7r36%oYu8rVwAl5?_b4QL6r(gkqbpo%&(WPf%2jmE;lFC2>4T*hUl z=X6tpKkf|Yq15F#7xITzl+En9Jq|o^FGNCQn*l9Zg1tG-Tr#ak9I~Em=^QtQdmXU4 zvUhNr-MxFZH4S$rR0R*NRp+11g>u&?mUL+9Q;ex3wGWK;gr2**wIe3@>CE16YK|5~ zw-GkQflXH(FQ!K=qeQNnHUBPeSYEPl>>Mj5TVtJRH_eoLso3X;6PSE$O7U%+<0?k6 znC`h^+r0Blv8-RJ_Fp%(;K3wlBbgn;%;0o5pv@w$e@J%=c=qEC=4f1b|2y;`V*rnx zOPOJy1%e$VRPnFL?vv!TX)eB`DcgWEg?%P*)9-L&8G;=sPmj$ zbvV~x8fv@2$T(R-$SAz!k(MK3 z)@+(d0y*$eT_|;aABV#wb^pCqOin9#BCsh27gE97kZTalLC@wT9p}%t^PWuwyw8Rc zkraJ>5(2)$f=!mFzVYT2y4?$MQ_BJh>Fq+1h_Lo?l@td+1_ zpoXkI#QPTW@S5~3VRAuu)8w&GuVy)ZWcEW}oZnK#!nV?p5WpLcPSnW6p2Uh^@Qbl&Tf3UG9Xvl{2J5agihY1k!J+bBJ zleBIU=fv^7*D(SVr)i0HK!wu4gj0UO%fWvPw&-8HmoT)L&5uBMN40O7YMlPbuFFc` z(oVBV;8Ujdvz1)BjTRgbkLx{H4D{R@d%({o7gMKn=$D`KQ3pq6DBgq5Jxq{T z-?}6QbDWDs1V1mo(~ukSyC2$uR&|1cfffs8p%9C_$Hmf{heA99dZ$>cCY)`UY?QbD zSX8$l)@jL2JNEFj1U1p%`3n^Eyj9SDdx^wC5KFd=BtL+#l8qX)>h(y9(y%#=*J_De z$JVj&UraXA&%pfeCMvgLWo}GUZKZ)%76=D1*0}OSKgikhV`PDXR;5D|Q7s}!L 
z=!{lv!T4(~7CQ)QSg{|0T3S>N$(*xGQ0HN>J@P_nHDWBEtZMQV~F9;!q88OA$p;z^}{WFK~4b=5w|$983-KwT-moGFOwu*m?6}_Epi~ zwm9C=btE^WC8`fJJI~UOi#8bXmli6`gI8KPHpOMkI5vy_<^01%c{wGS6EC0V8C;~V zr9Q+MGCO)3n-&OQl3*WY9+Q-`PgR2NXBL?#(=;eJS-uen1SB1!yOfo*D#+AtW6J^ zL0F?xsGrqHqBT09kg^{D!Y#2$21>b5_>|6;V~M_g$}n&ZuCAf(z-ea2 z2&@2}Uawql3Af(LR|9)Cs8US@!rEGTx_(?d36Njyi}bMjV0wSIgIz}xlgJ!X zx*CIsIl{F3pMMvfgy4Kb)l$%ic^w!Y_lTHI;p~_rHr1x>bJC>Nr%t+s;h3hFburZy({D@{fzbvLnheRw~J%l*$vH>D+_$9S_+mb59tC+B+vMg+JU=UI2;x8 z1~%npSp~tgx|4Qgbwth?J8hjMU&LYx1;6}G6$uFkcpIGboI3@d`s>=icCLsz2)8yz z5lMcbJM3P0KNxsy*3PI1A*+QlE@)uKf2MeIo(>%uldJ=45BtoXdpDmF@N`-+(4 z$n-tMv^d)PRSq1$=^#oKHWCz|Vpffs35zHiF}-y2mk44shi`y)q1ENAl(eqkr3up@ zM3N{Nh&kc37(t2;O^IMKF$Q8>8K1w@oH6QCn|>Wqt`H6h}!hN#E(TH^N05StRL zo=_9mPuQJo6R*#SoA<_dAThERFPqv@13hqUJv{_)=HzEpGidTIlvDhQkj%`i|Y&nz;8{=UjrK^HCnw!jHcJVoh+E@3!$i0i!+6ASsH13P-&HTJy1=N zM0wb2kBu(Q#k-U_Jci(` z+@)7}cWhL`yAL?!Pi+|*?jK9f1Bxu_rEtGb^%~bMEZFh3sxGG_?%tQPl6g@!_n|UK z$(Z}(T(Q=b?;!0{(E)EDM&1;o&$3{m9=7SGvZ{S8Pg}E5Gj9fn?!-Slu)tfX{fmqx zGB1+A+0ymYhdqbOy9&3SFmhd?p-??4exskt3cqs$oJ5Fx*OP8_0+n=-U;{A$No9~q zvR(*(1D?dll!T_p67GP^%qD_D2$V1hCJme8bwR|SK_^*&M&7a8Fpy1cP&MNn_Xa*f9i;)uB~woSXIlAtEpw| zHZEDkR7FNg-xuTwG@*@`FowsN5av&G-pB_Ygp^K{OJ`=Tg8YCg1(67MWS-EOV#XfQ8E?@NFaPVC@Kd7p=ZBqe#Wm$kce3FO^b#1Jd@6E2eM6XcbAaI85qEfSwA z4wX7pL}ZR8b63Ye92Wjb?#jqeH#g>>M~B?{NziWICK0{$)*%f?m{dlzVxp!APMrc_ z=sVB6xF%*X24F;_wUDKm+s5h$ue`bZc(R<3kg#AH7*x$xt;rR!!V$8v+d6o!qNO_I zq^z~Vp`|K-PdQz&-$^lTX*C^jo!@HEG0oJG82;2g1?*Ne;0n7uq35ntr`yuKj{4y= zvqqbwphBfKvUhqModG z>r$E29M6qVZeYdxMQw>r9@4Xu3TN%i;UQgeac{Wc%|+<%Q-Ix~srxsr`Y~hh)z_kK zsMdL*ZnVH{q;TL7Ezg)ilS)N)`#c;c30LsdIYwnjmdM$~y<|jGVhkrXEA0elns?$@ zN;O7uDo&xzdB=mo1d4;Ke*|a#MF7l_7LYo|%LFq#Vc+QzXJQ-&kc@NA8=*D4VMuLN zOCtp@3gf5$Q)+g+YbFAx20!NO&|m8Nz?cW5cY^sJnCw<>AE}*}H&>b<%s1s@G5Q`E zKW72wJi!`Z9ix`#NG8~;XijJ! 
z36dgp8^_L^W7h3Q_`W55K%s9a z;0&)n^BePfb2Srgw%+5(uDsr|P-5EH`OLI`|FXTk`oX78)k8@A*WE2(25eU^@&N5J z&c$H>vot0lKQ$+1E7Fc< zC#3p`s@1lO@|H54=DDZe4XB%#2hQZs45k>jHi1d)okx1%Z9-E+$}vtc*{U%CQhhG9 zAUO}aKszMR_CKguY!oLG73(n;S{b7lzetO&;5Sq~R?X&+u{SqSk*+#d?+t#h_?WoD z%R+Z&j#Of7EEt20i2;SPBN$>4LHz$A&9pjlId=TrO#LB+L~s~Cazp&mw#D!=k$%_M z(uvaBEj~EL7{eTmm{Of0vqoSL+&zmf&cP9zk7>|T=C~YU$xj)52~3^XWcUMRB>|9W zO>OJOf`YY5NDwgIDS)vAIFE(L<0?iu$xQV$ZUJ(AaJ*r#1MNDAE);B;x`nVALQv`! zi2;WHi<)txb*BFhXr}xh&}^5bX7p`3hl}wg%!xhvFXO%$28XBAK!~heE;iiK1i9!B z=_3lEq9P0rf07NZ81We=E+u9LY6dxI;n|%gaQ|71W3l2l`BDn0->mHo4tu({8vm$k zTFzvl(k%9~4q;K}GxW4-dU^juq2`LZmAmch0$OM1_PQ{v}Er)w4%8E?*{X0>AY*h*DJYqZnNoW%sTJXee~R%fs?E zR@v@rv@Bx#yz$nIrGJtZ#7^u7ma;GCjR{R{g+pE$kyIDB#XCJJcAPbKVeuQtrL7>e z6KVPtO*`|=)DUHF;b$l0Dg2`)>|XV}h^*ya=+O>b+h-lGx#~7BWarqi!hb|nks%La z6~6_FE&kp`~ zs?s6M)H^fw8ox>HDd@LYZNv7&qs}2HkB?4HM7=s{rBfIkB6&fac0oVgB3z4GEuo&` zbpKb%xiJw-bZZD@6^b%bz`7ivUp5p)@o<={#42H&PC_hO7&rVKppS^a z+OaVD%sB%j)=b#i8*7kGClQ`R)n3nW^aw{?$x-fDf29eUH;L@_hzPlb`OIpUV4@*atF12C4&5Dw5l>m5AS7xpq**>P%;%N^ZfTbNuvR1jM^)T8;{y^IKz@%!+D7LUbq;5JrVV$+*<}E9%m)hXe@hhgR^(qy79@^XNDp zjyvLetXa%F@X(A03@hyZh#sy;b~ia((6xTb3=1oOqZac;+C;%eHmW$X6MgOTZZI6^ zuoS(lzH)dmW;Mupwqw2SN#m_OA>ACWyb%Bd5ev;)OGdXTT*vbMIjkEfj}SI@7f=qeobg=#)T zIWk5ww|2|Hz5&D7$0w`LEF7%q@Q?9&VHRQ~$Yeqi`t*o@SHM=#7t#h2oL@HV7{sje z<1VOs`iL=LZf`Mo;ND!$JY%bx&$;iiM?ZqGIbAL$-y20u=^8UZPE+d%ufseM++`#G zl89%QR3xWJH&frjj5Zp1Y?(E<@U3F*w~Zb(GRPdRoDAHZqJ{2ZSL1oxOa6SO(0er1ld++uMZiNK#O%fUSK}7SjtRcIw~_==Ir8w;PO^}? 
zPeFMzH%;LMl$#)KaS{D%DToUGGUosGM3%Ecy0#{O8C4Q{BCE*g0KETtk*%o~YsN90 zXRLCw=Fn5tmQkfN!GG1nUDw;n4&iZxI5G=dYNh0$&s~wEye>8&LGNhab0j-YRc@74 zdoFqiddNd!Io%oOdQu5Ax@*iHaJXDx&l+z|!AXB#2b-9Np7sCd$`?diia^){7{fzg ztggHZlzWv=@@Ib_4s)&E;>ZDD)s!DC~OW=rPs^24L!%c`fNrRC3+Gso9g zmb%g`p<{K}G`l;)IcfKjZg>~f^&Jzy+&j@Q6TSbT} z>zy87`@fgJk*yUmk~!2-uB%wM1?YdT#&6iDeNs$tiDDf0otff8#FPpkIbo)W@{y-?=LkRH!` z%o8LNC9E9Qo(lu)($O$yA)g{CdL%KXJ-xaS+LHF^=~^i|zc`NGxq52;tnJx?dU@A$ z1a9CCc&9)9;qP<#KAXn$F>jWmDeIU;Hy_{2ao^YZD zpSF^nc$j+hEEuToa3>5uS5n=&l5elobf%Nb7hvj5a4EY5B`z%^(mvGSw={|_e9pRA zTQoCOVbwGpIB`16QVVW&&jicbat_Oy6xe2U zN)FOefqOll26Kwfhkh1X(_oX14dM9*t{faf5f^E2KaQ+p<>-BSri4lo{O-f$cyNagF#3PUSPun_;f`!^XY`8&yg`h_?xyG6pe6mV**F(mb}E+KF@ zvc^aoznFk#?r&o-m97zNQ9%b1kMQ7w=L>!q#PU$z@nFnN-`aj+k&u;OA+;IkjLdTK zOjC)0_@PMWivWRi6*)Fb4pBHtO>e+E8wS=9dUWO8b6@kB#X6SWdvXo=3K88Xj7nlQ zoSrU3Pj&g;=`T+dqh%Zwaw~r;vhuzphh+YKoXwH{*__8JaGV4}=i9~~kZ52m*3i&2 z#1LwN%#uBtoQ_dZ8#$OMAsR$!Wu186?H4&f;pqCpiX-jQoAH_Y&r}sH7D5zvYfd0gt>mz z2jJzPt>(Vu5RH*XadmA=+Zz|)UOud5PM=j-U)nxBlBfwXv+&O^&i>vtOC#-FW^}Jr zFr-WZ2!K=$R=qCsZ-U*P_^1gfm({wh%9Il7CG+B{6`oYw8MjAH@zFc`7a~oPEx;r^~Bu zodA(lSZ4sor=6`;mJ%l|E*oFD$p7B1ygBb%n*HIfJZJAcy1ZQ)wzlBgw>UU+mZYK? 
zMASU6xycxu@Un0?Aosi{c5ePDdUdy~Jp^=3Y4fgM3U}FB+VpHdT4IlKo^h~R0n{HZ z;tOp}Z*S|+-nxABMfadyIem6@)n2r8Btl;P1M{eIRysf^)FtlenhN@~i(R>SDTd0> z>WK_aa2egazNJVD_ja)l#UobK%qE*Ft5}e-B}t&iF%#kuY8n5To6VoQm{-VVCLIx5 zGl$`SX3$@$ZO2h56A=M@hQ+Wv?beqf##mypF3TO{oF9cc1(6z%cgbqftQlqcdUdbcxnyzTYpAX-kSw+5@Z&;{Q=`dFAWED zUxnh2jC&ARNad?Nr}g>D$>kcw;RwBe!~zhD9mXF5p=S2K9-v+Jst4+89)>ARq1$hX zl|6*&Z)4(Jx6Z^ohgS3ket$4vfDkd@6b{qJ z@N+D@7?>BON{1wDpZdcvV$>-%N(Aebd{-%-C9#KwKkJ?&=Lj^P3x07J7!7+#S_-G( zAnD-^4I5si?5jWF7|bV)MRFK|T!e(V6@nQJRPKcdUrCh@ub8rL$OY&Aca~bi@!V(<41zmuYNR#3X$heGIJEj8mN|l1Z)RK~B=P>> zn>r0Bo71;vc$ zLA1Ug+KXCOm`Eaeu^2fNORw=5jZskD7HWiINgM{!bS(CSjsEJW&8d-BWLf=qvv&xs zj;{f_!8_4b3hqlFWR}~rM6X-KCju;P3rDgr^H}YpH%{?C(6ReTVBP@6&7yqO-->R= z(-$$W$M_Bft4`k3Wx_pG0T>dpL-7LgV(F{vZkXmwYN6$R21m71v9^_U$^>+rZ7wmrv73 z+Ht@hH>w+vtJ}iu@dlT)J&O`RlxPphGRuP6`sF#dNM`&WNktj^swW}nhP?$Sqdd(9 z-~2k*7YQSM5~XP*%C!wSECmq+%w739l{OP=^gRFE+9USGAaF zK#-JRLSc3Zs8sHm#_P?OBug(bNQeS&fB8~)RB2VX+DhnLExX~N+p4;{{q#a`IJUkJ zGmamF8TOp`=Ml9~t>SLuHl^5NaaxhF;PZqG<)l5O8E#JLeFs)`Ek) z_5#zQ(3830A{j(PWft9iz?X+Pnfi`h8r;Ll*5k=#hVGdBw{Wj??CZn%+ z$h{!7cUGMS{4njeNz23mF03PbHp06z=S98ebKlK(eG9aLmvO&xVYq@zf07O187U*r zt{HJ5hL#gXC>z=72IPmIocL%&<^K*~ghAB8C+M_S!xi9H^X%iSVTiDL=UhXc)l0A< zw9n+0@LXlgOyTq3GJiutv;minBb*2-@ia53^d+2Z@zZ?*>~zN!cm;QvAklug6TXrR zRDv|`qlB;>x0#6Nly{b@_i`M1-n-8iNie+8;QH{M&0}`UD2Tz4!Z6@9EeUQ~gAPCz zi)Z{V0BJy$zg&k1sLM{B$5C)4-D}Wx0Y|q-KWv=-fKpP}g4W5($}uo9JX^Y?N;)mt z)ed8ML8dNhF!3)=XFK=bGNL>Js;c**W=aT0KTwPupr;pb z-whCUr zPQ@|_J_PGm=>~L`l|y=k67PZYuQ0BHMBYn3qGw8cF-%6$w_rI0%i}1-WbmuXX-gZR zcl3jI`h%wi;)wxx*l|yG*pnUQ?%Eq0VksG{H9zS)FU?c$VOK?20|K0-V~wBTn-$Re z6e;F&er?Lg4>FGC9y>4K4$*cfwHS|d`6Ha@xH>GeIA_z(qkebHxGAr+&JYKX*Rh)= zYsJGEYT=ad0aTxk-zvwgrJ9QTi72=UfKxTEk%7d>P6t6Nz(za@pWU*T=V`{7Uuy+4 zjl3SfJ6TtA=GJq&3x1>JakoY%bGfVKC}2{7J&uRHF&~C!)bz3o+U}e+E{P0hdUE#G z#)Z}ht=I$6vSQ6o3R+)^8Yuv3Z?CsH2$ARvfCvfgO|RZ|SKncer`K0*h`1%_te>&kNBLVRT+?ax)XB1INp^BiP{GkpZEO}4|VgEp(VQuz|P9pw# zg<>1DLMo@=G~hNG3ylL4S3rmD9-l6v$Iyz=<}Ub 
z@nt+q$O2k8MnDP(YS)-QFw3dTUv#QFf&=_8xfw2&<$sLR3FPl$)IX!jal{(Rkxsl#W*o>y>Vf67paW1*4&9jv~q)b)5|2-Ywdmz?w0LgJCb)!2EW8 z0R8uA|1aobc0H?Vpt3P-o2E*3f0o{}Y?powgJ3riWR5@Vv1rCNIF1uuG4gT&d7A!% z@?z;mm%+z4QHNGPUV?KGoJ;9`;^HkOjDdre!0|?%%C4Xxb~3)6fZcsE2=%T=R~kH~ z6rNVv+4rg*lt7t3a|w{|g^f)#Mw>>D7cc+^*N{4J1gC`L?X$xp?F3oJ&@X@UzyHtw z`gh8a%sdl#F8mNEueC8AGk+$!f7Fi4%qox{JceUZejfun(PZB0bVzj42b0iU)$ofK z)zNZ_C*5mgWx$Udk(wg0qZS)&U*vOT21{TRv37!G+UgxFXe`Y2OJJ^4xX79*^BLjy z5%(a$_ferVNZjg{U7M=y_Gpkit69vIz7^&T!2c|C%2vM7`fW!Pg{sPr>XKf;Ao1Fpf$ zuJkitp57l%^+UTS^YHKm9n?xS^*$4KvQ!GbRQSx4_MD^yJ2)^l_L}CMQ$fHM7%nQi zsv#IIT3{r^sQevD5LC1&a|=c*Hi?Oda|R3I%+A5LZUv?)GsCMhZO@i{{>(9IGgLUi zoTp@sOs>flg;__wJ$!Nc9EXBG$uIx%cjTDMCXaj%K4ov?^n)t#%Rm1uc`jT%rcmDD zMT9n#;@y?AN?Ew+q{{(2OL%)F0ZoI`^1$u(Q_|0QPatnj$+mEs#^A8+28PLdTH-!a zL^_?7SBVA>#L5WyADv2^95*CydRt!~Y?^KT=l>T}8=M;uTHr6ob^5r^-QT7)s)PII zzbz-apU1vEgo-!ZO%(V3oL2R#3R?Vlq`P}+_AZg7~}3iO}>+trY000-m{dFw1M0&k&s z3I3Cnd}Zm#7Hid7$sq`<;1v3r8Eg){*~Q3{_ft4lwg*L|XTx`spk{;QV!mdmR9AR@ zbPCDU^yy~V)(Rm@f>lV#Jq>Y*WapYP8{x-vD}-nlJ?H32t8(#RJiOQ!KsR2%WPt05 za465*;FsmN_FS@)C$&f!)5oSn5okd+Ybup%O2|V#l5$}F4nW| z$}M7y2vb7fJ?v+1&Yg0pFto(3ymcHg!O_~YTi!V^;Qc1LwKlU>hoHu5er(ic&V;o9 zkvmJA6Yy+P`}zf)Ts2$Jhq#3)CrPTw-{szdLdkQAEcE8jqD?OajO;n)|8$^GF9?%% z#8X$W!ar+|wE5F39kI)4prBqUfAVu$e1<3jcSOvfroS@A442^?*FnJ~pM>>6<&*vKqZ_On3HGWUs5YW`08rToI^DtYMlpRxbh?nZl8Fh?G=L4;XR8e$BT}Eza9|P z`MaE8o$zXy;kz+Jl!86Yh(Pu#K${AzMK|}QZ4&t{DxO>xHGCVXom&+J|BOKiN|uk?Mlw8Q0ZyjhV&?7Z{QSNHC_N=qfT$|VSIcG!7@ zShNwZ(vK?J=3?S3v(KGQ#_qkYw$pWLW2=f*XWi%)Bg*ii!KO;>b>$+<+w5ks0$Jvc zP)vrV0M}mR*5fG`vh~;tUQgdV^yzM5p@Op%QGajXWV z48TjW!ip5MzzX``Ooz3K>maAhRDM=M=s8g(WI_(6oAsU;u_JUAa-#Opah#wMs9wdTe^^Im21OZhSl1#=*d|b9NP|J z^2czr5f`J4VNFNlH=yzZ6ja36e8T6e*9cmN#!dr`IXEEgd9*GG%6{RR)S@zC@t07X z+(ipnN(rdd)G@9D8~QJMl%to^f@DRX#shoKbSx8dl11smFx1Mj{umXr9#9$#wlgY# zs_~#-{`DV)5Rm0pJ(8`=?uT&H|EF^GH3Z}cA-z7*^~Rw_*zU~)T(Lw%fecN%>3JH- zPNBh)q*{_pOOWVUIsc@w8Dl44saTMnx-kPm4ig~emk@?@!79?ds1f?KxWLBBaW+Se z3vzqqLT>Py*h9XWEmn90|JGW!pGmQDV@{ 
zDNn)*kyMb=0`L2U{0YfLJcL;i5j>b6I>J~hnGP^}nGQyyiR6jGVwXnja=sqK4vIX0 z!)Oe%yG{;M>`0u-2%@gMMF|u5@*qu_b=YGWzeW*NZ~$~FvaHJtXmo<*g(mn34VbA5 z*>kwn21f(;c&x3FcP~z9FM6X}^m-E!Z6kgw8T1D8@wMBnb%I`5Fb6DWsTei0V=n50kuIt2MGPG77$dTb7~+_UK|PFeEC@fhn3ZgDCI&k!46BH&c(p4P0^Q%s2$AuZ9~9jVc3Jt6G6VhYdh zeisc!M$d*9#=I5A`|cgFTVmbjFNHE zO9s5*(}+>Ig)dq|8!YBB9uvrlrdCXL#@Iz$d}XuPJS_vVF;c!{^#sX$c11!J9&pM! zjbasJA@%lD)^jbek}p0Hw&`4QHog)ATa?`iz%P>_q@9!OMG?3RA!X9m~a40%JMOAXa4cM8Ecw;qBe4d-)^zCokg!pgx z5(B-4%K-Yeo1~EfKpzAHauY=#QcMO(8CL)r&R;T88fa0vypA}V!t{wSA5TG>^2v90 zXHu;*e?|HOp0vkXqd?ab*+RT3OsU4S@sbROTsd2kKw%sv3i#Uc89uLc46orCRrsZJ z=w-zCie(#{o-Jh^N=g_qWeU-9rc`trr7H&51D~ptC23wleCZyfw9uY6n}|R+7kvU z$HYFv*jn;X=N3~LslHl2>tqldhT2e35bkJZSp+O`grEQZm;b1=$4uDrbT}R3#5qR~ zMPOL$pZ``@W06wqfjES9F;cP>Tnw1gfWVG~r@dP}z$LwLVJtw;7|nZxNRjpI)*k5R&smL?weV+5=k#U>&AYSQWU#l%wU#>4lFg`O z51P2EYT8!mZHD3MJKfVa&(XI^xRr>u(n7hX##+HB>`<%RFe`heN(NcEqqAILR&8(2 zAghYb+ZCo$r?ENa6Z%+(y2s$$*PgImY|OXYV=#1zRV(6w>=80k`naaB{O;}%%w?JV zUcF4d7CX);i~&UyQOJcHD{aC_k-E;(;6~sPFvp#+$FLO z~+>|Fd7|5A* zS6u@aMKhm`mQtKuYSyB&2pYT(vpg`jET@v9_Y$wUg(R^Rmna6bx~fN&@%BsWuke?MD0Li5SVwS0@K=t^6!}ULb*nG zoB_5Yw!3!_8AVuWj?OPV^Gr09guT+$f zj)4as5;RXI_d461>JdTgu%IX;h!fW=fk6OV(UV$ogKTJ!-jDl>4f-zAlT_=;;|dId zao$r%kd9(hf|n~GV*cZp`#X)j4}4WTv^}{BuD4t}91Y`3eXwWD@s~KKy_{oQlx9s- zP)Qc?NKR|-;H36`Piae^(9V21JHyFrl~dW-PGlcTRFGpsPabz%(2~XP=-S;J0X#Em zqJt)GrjkNZK^L#dPpk=?xy!(rD)XsR*&GuJovcG8VsP$j=TsAQvq8+cC1OCPc}Fd^ z9-W!eM>T~Nc0lG_K9JcfvkR(s**}uqkTID0c0?ImFML;I_8@Ny;woHqcVxFTZ3E+M zbNVhRTYg$YkHdGhmROl8T1K5rxh`(gC>ak_Fg0q$L!P}xt!UJWMy+_1YDE(gqb7!V zhBP5DO-M`=65|@Mgw}+_WT#n{o+?i&jy5yfX23}k64Qjls0~WxkeDXyg<-x4d$AGV zW*J{d*o)D7n71;!*A@U+1f2n2xDz3q~P}TSx(F3Z@6c zhC|-axkbb8t#$e9yuHg*49XOG9D*Gk40yMv^Y!pnu-t|t+b573FGv75Zp%L zIw$$VL7Kqoz}|c0I2zufjt~#2got4~rjO_{_!vvWz&R zq^wK6JWj4CeEDL1eSKB7b9!=&Gz4UVd+c5hatf!i!0SPXUhiPz5iiLKI{gER!QP|L z9LhUnMuHHu*4RHF*kB?9xGXEC;vs-|kkN$E=j57fyctEnC=QQ30%+&0N>aTTQS{L^ zbTa1AW#i=9A4DIcfdjj&b@us829WVsF)_7l$;kNynD*+@=6Br~m_Z}-Yj+Y4(4c{s 
z0CE=OB5CFD7}u2SEV48KmVLUyK_F6YXa$2r9ESYjcUtXDKa8#i$t^fQ`C7+)3X$r0 z!(QZ@#V;Ww;4D9AMD`R)69wF$dI>yp+s)aML_ctLv}v-V{URCko4**m5j`=S&t(6E zxQIinu-EGEw>P%}f2-5#`&+xceZSk@ZTszBuovxiDEVzNVO6RX*>z5glopw!c%j8VK*( zV36hmdX=bGOp-A(G4_{yX3*dBdEuDs>_?qeYrE%fcEc@ytJ~f4yV1_3-`d^`+ieQJ z9d6BlNvawM`SwOpZz-(8`>Z!3k13)L`hbJawWB`|ZFNnHhJJAPR15W*vR;Onn$=M` z8EO^5MTWIRC4nVcOfZU5x>*WuX^U}h<##Y#?I4EodI;Lpu*`)fUg^jm<8w{YYVY9V zw09X@1x5|5AXp}yh7=k)opjS%`t8b5hRbLPQ&)1x%U~E>M8IxU%{P$;St81jy{ruYDc)Dw2rCe2%gbBTd#r- z(fNSZah%7YVU8oB+SoxWg_6LomT2JCo;`cKEehnFe&goitDbK666_H5qil_n^hEAM z+!f6>9n)~wqg*I`%XVtqZt=VQz0K|I_In%_>`PV*HnhqiyXDUut?(7Kx>^c6wyVh~z)9RRd>Ak3y# z07@@^%KZuq3eYqpWL3-p#Vpdl{L9~A8LwIct6tIITotTAKF5EePz`hHIL#`~k@|<} zY(sRyE*_-2iZx8WD1#wW2&U1MS=t76{E8I1vq-W$rYwpUnZ)U36dE+jIg%gT(5-4N zTM`G)v_ZHl{H&a9Z!tDI&lN9JBHRbY#Nv2e#OQ|-@oR;HyxI*W`-(K zeG`{scg_|a?Nh6UhYE&M!D9+g%^Dt)rgN!yY$OZP@$kugDS4z=*%<`sIHW%c%7SY1 z?XqBcrqt_P9wc(DLKhM%1Q_Zu}A+vli8d=jSR*6Vs zYAKSH3Q1$F*Bh1w)q=qQ>`*XSdU zM28U~ZhK?xA^u@E?S}%Jj^`4WnU^LGGp{W|$-F;)<=L&Vfn?BT#FAHx?W&}U>1sg@ z%GeYGA}iEL)kdl|QnjKOYozLzE>)q_)HvWf6czPu+Z#zyf~Plxsf`q zeQwS+w`iAJyvd!i$E6D~gLa6=p@Ze*rzSQJ(IaR$LwsgCRWY5R2Nuz+b26DM8J2*;)(w-2Wgp}Z7A#6Z!m&PF=j_(Kd5 zeR?pZ7T<|i6^5@SS6wRHlD@H;f$60Y6+YwmV?^FQJ3PWZqzjaCwD!k1rR@aJPYzfPPBL zZ7maHF_X8+%z{-d4JI$yjc=iJ+zUi#B?wR^&%hLU1%dRp;$n%t7WA`mR z|M8SZ4$>txm{2{Kg^xnz5z-qZy%!hf8IqjHi@)B{!h+*dm|C})7DI;u^F|>d!QzEz zxgLxRWR};nI7jGBJZ9JQiC(Gp<_sWSTgzj~Yiq1Y$&xfJCKb3}8AU;;&A=**)0&0A zxHnGC0T+wx^OyhpU)eo~*b@C0r|vqriAH^@yBMLKCu4C>L6KR;M@+s^A?r9-}<^W%}1$1m5{*U3#hzGRC-O^u8kk5Wey+UyJxx&xuhnca*RF|xxj zVWD;Nd+$>8hUH2PeQ=8^^Jp?00_nj`d&oX0OdbxMf_A~;p(zNdSTQ(al7Ukac|WI{ zJ#gY@%hs`;W4r(mc@Dq!lNH5P9lpq=fxP-#vi@l_=vQrh zm$e6<*8F0js^Ipt!NAGbDDI-DWVuT;Y>zp60A1TfqFK7hnOnPLg^6`n-IY~!axB7z z8;-U*b@E_^t6~B!uN8=JXBp0v)0q-Cz8gV1?oQ>dGrb4XmYFO&&pNSyxRy!z+Kxq1 z3j0dpXgnD8n?gqB;#e$wSYfrCOYaILS{^+VSJK2FqXxCXQxw9lUPinWNlWh8fk{-e zQuM$QZ`xteAAbMe|KXRv{`)`t{=fZCEL7w@khNi1p#I^1Fc?J$b{N9!qo~Ztyv&$n 
zI@Vl?=;eq%&n36K47c;_Rqr|0p_fmbULnckXB9j{y?UyhZ(*jodc$0caB^lCodEij z0N7c8$$f(ejcuRFjm&~VW6=zR=Ol-{9$OT|3XsjQ!!wR>^3vxvX%+D*qdQ+dKjp`G zaQyvx_=av$R`|w+zcBVLnya|ltz@GYy~-hrUVfmZ2NRSVUFn(lp@m!s6CDB?z>a73 zH`OiX$LxfS-*KOk6>uJaWe=z99y2-d-Bb#@VJ$fhZ)|xN<>$&<^Lo#g<#Ln9%CoGx zBEuq^CIT^pVBj#b#f3n(++G7A$)v|dh5J`9K*5XXQ_vgp1bGBPI@i|R#)hrTq4+f8 z^g=A;&eO7*t>X#B5`xt&Ltt{%Y_2gFLsQgK>DM=>?+7KuXkH_@+x$Jv&ONui+KJS) zHBxA;9?I;9ZiHdZOgt(8(1pN4akIHY~+ejNO?O zjG_)K64e(t4xs~>q;SGG5*9=_rC>J1R4g`TaLkz^I02PM42eowsTv0RFj!N8+M!X= z0}_wtGlp|a`OKNZXLD4GCEQ6cwiW!Bzxm&A`OI5k_GUuGu#@-6Z89Nr&C>dm=MHYs zlx&-`J)o&Hh7=UggMI>(L)VBrIbu2{kR*jPzU33*vW$xwFE!gQD=pVKWtNoAB08)a zIP%Dr07_wUQruVKgAg^dit^;H(j1N1JpqRS*xyH(wK7gZB%xT`K%@l5*}dAE*?a<1 zWw2^c3YXjJTrSC2X_IumOGjf$#tQJ!n37A`xMs3AHm2nA;2KkMV@hsJ$&D%bahsCG zr6P?fdD*O1UV-)3#xfgi1@m!P0FBA`k(!Jnx%X&n#Y<@`o^72it&zCMKD$r@F$-m= z*)p7Gt7JAx5~Gz$L?LM=Vv2BOItEN@_EK&dW>(~R4aj%mMSX0;kj|vau`?SnQ&5|k z#9SdXL>R(qvS>3Z;C|P`Ql@MdTXZ>7w0?mWo1|jI&0v_m zCu=mrZ>?r%Hp};Af0ipx0~3Ud-MVbTk(=@_nC*+fDz;BM&C`$GD$QmYmT+U0p2sS! 
zg8b?-N0$%6WIZVtXF0WZCeXZy%mOPwV>54T=F@9;WbG=pz{X}?!dB^^o5p6|*vt_~ zV>54T=J#teZ``k!)q3aEVDg?DKwY-H8TT%Y&HS!x=6V*Ca!aMLnKw4``EBNg$$BBi zaw=}3_#+h|8>dv-AEqjg9l=C)ki;s41cE`zsivYCoh2aXF>>cvHFEWc*ni##PZ_Xc zJbT>*iS0>LLt~iLZk4PXHc6OA91x*H$sfrRy7CaDG{_m8hfbUZ^G9)Ke2-a(FN2iG zb`DeXR(5D5$hPA_vXLGILYL(bspexG-N>;-hPO07B>=x~uu%(OQ;o0VsCPMx#+LbY z5O+tx=ys#qZFe^JcK2649)QvHVtuc*x*nw0pHMlRVsO>4suG;p=GL-C*JEaOh8(77 ziM%#arb%iO8As^`y z;TV(f;lz9xCO1Ry*$$Z19#fXkcSD(JiUmIKToZyS=FX|XveC?&P=hIWSYD1Z068-T zRMNpG6kFYaNla^Nu=tCYOoatgv}_ocskUZP=-d^gnE`o<2V!u*2E9S~wVFL@*)P&X=yv6e=!>y$QF<;{9^#NGCf!!hZ?`*s*xzpZ zTf6;je{XMV-|ucl(eBPxKiKWC{c5RJWaqV86Y#|#=%OY~-wgTDy1G^Y^%15Sag7F4 zUr0+niZN%Mzz{jTgmj~v`{-)S%CT4|oP8mMiH9l=Z@TJ{R|!AewW@FhD}BorRd}Yh z7qnYhP4}1`9McDVxUc~x4>T`m6g&JoMo;8t+#0c|reB`oPpqPLf($?M?W+Wt5PK(+ z)SmGk5!zG%XzVm8Zr~@jLHo?$yyt4^70ZD5i4#`H<;zPL^xn=E>`7Xm4YJkSqH49L zubgYj%~Q2$u4m(9ED>$<=9As~IFV$cNzj?pN)hkNbxg_9md`aj#*vnAY&qwj_X1}vdk<>_we2zNhj>RQox!hNRyDk>HjA$CSRb9*rce5zXwkB|2ucP%JWubZr`uVqxfA7&O4O>%|CNN9c3?G3py`*){)=^AB|={KhNQ?AKjoZh z(_5gh$ezneE-Y+kHb)muvo_1#Mjn%u9>QSb8B5__XaV65%&^GoKRp$+go!lT%Gc59Bj(4*szE~4Q%lY00SVV}25 zo_~gp9UeDTX?;@|KM6DFW_I%ePI+%)d+ zXVWep6_<~@*^FNBSozuM4s}`AJH1k6FT9)^m-7FSNIEdO!f{% z$nRS3jn)M_;zd_;=Fyr8+D zb2v9$83i{0={(KFy*A5PSQ{Ij=3`AkYroFNhBx+s_WfKNs6N=)^#UDA4Z4AW!rAl# z1H^nff&pp{J;5B+U=SPErn~e6S4E?x!Y-KHBw^Q}%V0-%WnO*`(uvzh4~*5S!zs9i zoUG`T#0B3tO8r{yzXGRBD)V|{?V%XGdSYlk>am7a?I~|3Gb(j|Htp_wM*-! 
zkONbcdVT3N3-}9L!0<|6#Nq;YQ@$>S?CaEiN>hG))UQLTX$6?{GV>}hz|6lA3~+O< z26KcJSAf!C7Z0Pi?vKkCqpK10CYDQV3cNl%(b;4`(CT{%7dOY^y5L zGE>W(9ki}_j+yqH6v_ZNTVwIq`V+Pb;yp0pWPkbBeW84dxr^j5NZwiq>UFKXCY)VQsvYfCZn zc4EG*M5%2=7&I2LxtYJthic&dC5!~k>it4jFTA>2^H@omuUFw|NWLNYassQddns%* zb}!>qWA|bJ8oL)+7P}W0rj607ywOWu`)lQQ;wD6aQSO~vrNc4=zd}!sHOF?NJM3x( z$_qsDi=M9gEGYBTi=-C}$f1#(9E-#i6HKXe>>|+=OXDJvO<75nFo&0;ZJrPva;ro^ z?~>>6V9SbquC1{YC<53h>OMr>D>zHa zZgwM;Y|L|bj$6IFq9f|UmBT&ANS{JS)`^*a=OtBGR5}yHNNQjMvzF)`!JPjXM;B7o z9f5L;`V7UXhncF1Tvc%=61mz zt-CX)wL4`mfOrl0HDo>(D+RvF3u9fEP(T;?DVNyiPsxN|9gtAM!0cWXDG#$CjaVvH zLiu`}u9N3h5*-1J;y!};>w!)2mVEc-wb7XqEYah47DSkBCLouT<*Ix)lz)7H&f@J4 z0ZdD86kP|y9;U((h!F-$l^RE8wb7e`1VST`Vu&FD;a(-I_mE1+Id~bnzfQiLj9}?N z70=9-qvnfir4&`#8pTD!5jPNt7sGXONNIS0S*a;yeTc}5!#AfCDFRf=`gw(EF}2At zh(&h7z;8+F5;tfJk_(nhsgQ!ck46zsDoOw1NzHK2P#u7!&a;V?9+8gP9D^a5OvU1K$PiZIPp1es$A`WP& z%FcZnPgOa*m%oF2x+NUIWaVZC}>{mBcV5z-aKUvr&cpe!m+8TmJUm-k!hJ?sfcbYjfWZgMN3X-EMVuT0Pd^GOef)u&iZF z1-ex!rfSUf1zHyewBRV~zoP{RPU9 zuMSAdED2KFVYGdTwDKkZ3JcP6$auSA%<3vPT62#1*|w78M^kdc5#_{mWEY%5#-sS^ zoIYOpH&4#^pKIg!r07Nh4dUvm)tWY*LSwZmXG37QjgJOY&nyO^6|`nW2k{jwEt#n0 zLQs>akVy`sbqsbA+E_)EG2;&OCC?k8sz|8Z_MI)D8KAc6W%OSCSylAG1B{t7t5^tl z97$A|-r+QS?Jvk?bTo*2xM@wJC@Y-AjsZn)a_|e6gLwx)hl=rQa*K%pnz4N7f4-lXlbxk zP83mOwX4dE`MJ35BUD=M6g6iE9@(OF+(cufHB$YVbd)$yZW1eOIiV|wtG=6-Y)-G| zeBtXK&q@MHYH&OdPDa9()YA^5vq{So3n4c!sp+H#rtbb^0JlxUq5fZT17mImv*ngL z8GPnsp)3*ytrF58CqLv=jy^w+uEt-MnJrJ_FRagSj}>@0?re$jnrmGCLV1^r>FQTv z(%Qwz%?97ZEjd-=h!;V`N-vp~5y>X*`=jwCmZ8%~{60nKj2pMo0yHB(%?2GiA9gyL zzowO0BbSJ&(nC4_OK0 z5hZu3eIz4xK@+2%=_mGZWfPx%!vo@oJFIXA8ahSNcVTT!@0L7qB2Td?wo}!ov%$pfZlJmr$h?3aSQm7b~sB00=Ra)T?zL44Vu|9NDa8 zVK(C~VdM()&v7pY=?%5c7tb=Cw!eu+T=~czyHBAhwBClCtiZ!d`IU0=5IB+^MmGuG zvze~fgNS-vJoAv^TyOQdBy8`uf}N&g?S5w`U;`-A ziX0Ie1mlUU+a0eF_qtL4=^J){)TtO(Rj74fat`uzt>G%b@j~BNu zik<2qx(1XtHxOAh9SkeyhVy*L)cQgoypUb@_*HSW<5zZ#Oa!ks&7Nbr#ObR}UqRYq zua_rvggy%ORE@{e$|7Cq4>VFS%8B{6AF|ohpYrL^A05BaI&v4ODJsfYo#odcXy*yg 
zZ}?@yFTY5B39F*!WE~Z`K)u>_!vq>8&@h3DOrS|$@@1wkajU5C=T=kUFQcl$Uyizp z#@$ zRtyz(Ka7yIVh_@LmsHcP$<)wwW_yrrd(IFT`*LOOe)hS-UCvu>$jfn;vw@QLo_V>a z@e=*x@-9QRf{SLj#@U`5mexXdj+t^Fb8#1@IuM;nN2dkdJKAVEORDMU-basH(Wyh- zm|s~kAm9et>=>KN3uUL~qLwgO`w#zvZ(p?*JQoDmkxg*_o&`b$wgZS+=D+{LFMs{_ zfB5}>`=8mO#GYtBxCw4a-gJZ8NRGzh5zdbeu7VHIc^Vl;LrbBVS^JTSyig>t9toqg zS6PJsZ9!1ImN*N$beoN|_m*2l_|B;uw4LJKk~oGoaTof5Tj^lEaCG_Zlm>m^&}U6mC2Rq>{e#F!i-d4F&ZXA-}cBS6i0?ny9VQzfB8G|lqbYX$2=*b z$_9FK$Kqp=Bnb7z}DFO!<1 zULWuFezeot3HSZo{$}KFg`K`1Y__-jz5PxYZ11+C?N;OCU8|N=Ry&$s*O*biDr(HB zV3qXo213X(6GwW%8s#D`98T)3?Wn)iZ}{eHLO??=&QE9~uW2HkK5 zQr9yqYMhx4jd3hT_>jIXFdHN2BBS_P?S%E(#995zO5o_ZqGZ(6?zh_A{{HT^zty3$ zy0y2{_4hhqbr%f;eE+5*lCMc{k*xfz^Wx8|5F9Tw`Ep>m=`cIY>HX0U zS4DT^^KyMLKsdTmcHcDPuBYmzr?y?%<2XJSP~y11qBVGc%s`s6fetcnbyKyo0Glwl z2e1?jJVoujmAY& z#o(y9QXZKL@&YM!_@WLyG)5)8tSun6!KTW=h>NKbB}*e=QNF*^kP@c@a~!wNQMFek zxrk<1&Eyn$m5kkKMJ(<2kSQTmya1|qbe4PLr1OJkA52)3Woqnqmi1d|;ouN-cuc-~ zE0#v3%-kX`jW`uZjWje#pIv!zJ&HfZgNU|7kNjUU0ciFTdb{# zJVhzG@bZK?kRazO!IKTT+Q#umR~Od_4wKctgloSB12v}XXg-2BtvPTk1fxXe#6G_c z$mJ;NBfGvFkFV3G8ykZt7!B7IJD}9H5pme^i{ELrH~lcW9wfK0m+&dipxXw#J;}!l z^rB%e^3CFq!wE&$82235>Unn%3_rlPZ{z@=Fj26H2AfFOUvC88=tI%)!*5!WcdWn; zP)JC1tlSqj0?Kyz!SXu04iM(%`0zW1?IAgN!yMPh(W}=Uzm0V!|P{MWjM znnhwQ5*8XkIG-Gg)o8aM3EEN+FQ+s`XeiF!QIg1#?;IAa=kHFb_85mkI2{lc zJA@gE6J!<@Gu?>NdNSGNFddl*nTz#qD6vX+8Wjgm`Rs!j@JUD^Q2Je+%{oY_W{HM5 z&CZ8|{|fAH7PUJZ>|fq$PG)rHY=8sxQCO-@SyF850Q#6&3mzOY?k?fF@4;>yV! 
zj^1I@uC8EUvXwjDRF}ESgn}M~TxLvQsvN0d+jo6s1$`e~U5{@mDvnTUzM~ry1b>R| z4bMlTWQ4ALZb!0QVVlw6xHJLzhk~&EXH1OMCkB-SoQ)SQi-QuWEaqkt0YAQZs3Jgc zf80Igm1XS|AIn*`yjd8$;O6Wbt``v}%RGdrJ|=c^qlivpL^l#lZ`8;AFa;Rf2FxtR z9GfvNi1PJ*rO?SKO~sU&zE^@Dz>yyd2?OhGc}W;GlCY743y_2zha{}oKj{oI9VsEDsi=}{YP*gmxloHM}wdo-k zrkmVQIp@$%Ld<`YO|8N@IJ>~l?pt*UFWHedMMM|CTfQCa^mEN}(&OFfaWoF%L6t+m zW^dK(tt#@m-W~0&9y@Du?PVOh7_pGOg~a+J%+3}HAi!~e#Go=ChG=E%D{zLlv*irpC{FtwU&lbb)62e@ zbO&*dd`o*k_Zrj7vu%Z0&{giYadhLqhSSHXMW53t7+sGjj}-yBWCd=qf|bn8Kcj>$ zS?0*S>H@+2$VK(1c=*h$50LPN)zs&YeO5j??oQ&t*pG+)C>caPo3UyK#CUrV_%=M_ zpa_8ClaJ@Yav35i&Ug*e{AaH2_}e>M%_n`zr{lqZ%D5QP3Xk9aZkaxn$HKg@UkZXP~Q0ioy|_HF9nzwlO}neFG#+$=Nq#RrXg&Mit~N z9=r)B!=+Hrz4}idY|r)TM-JIp$-wD&Q%@g)$v7#r>Py{1WRnHu!rDvlbd@9%H!`Q83*ue;aobhmc57;%?rMRxr=NwmDz9nZFy zHCk7rb=~!xG+Ngpw63x-tXOHfN!f*anT$umuoVymTn2(k{!=RRLXEnBo}nVx+20QP zoBMuye`nj@+T9QQAZ+#h?pC-Nws-b|fEyUAF<2Q_iH~Pa;?m@1S)QC1k03V-Uv@@@ zmT+gk8-#m)YrnPSZ|&>`{@zZsfq0oKfDDF< zz;jo2YIDh!y43UMr;lVGq?nvgnTvJ2vRfjz;Z92c@YMnNH`4)~<(w^H-wABIs`Xai zcj-f)f5&0KnK>hi0i|>z2BTKRTrNi4Ir6y}a4MyrAo@M(YKa{`-X&IzW-F~Qk?XZ} z7u0?A(PxIV+@+nC7%Vq%rt3*T(s><@*s*He@(hc9n!W6i!H|EyawKSx{Q!Zn>SY&B z+fHj=fHT*iX!R*eSk^km9rMK`PA{YI73&Xc`nyS7ypALcRo<91dDGtk-VI4sDmuJ< zL2K$R){Mbfr%t9miFgmD_M1F9OJBX1E<*>8+2VI+ddP#*DCXCtEZZs7_dQ)R(Tk=L zT;@=Y|NM*qKHI#eY=&i>Q;;TIu&&#-t(mrM+t##g+qR}{TVLC@ZQHhcPXGJtixY9G zB5Flc)ylhCQ7bdw=M`2T9#YewYS>GniCTK!8*S96#~p&k;1p_$X~pZRw_25|1wK;U zCAsrRKspwxzuz=T!lRbXzSz#nA_-ah;b+|RmP)vbGaTp)MF7&`|E5twKdqT&JCKpG z&`lhbU!%!2skpICQofhqO7u*cDOr z_sorUz9=$cg{&ynk$|@-E>YE%T)Of&1U0Y;TwzFOCosQgj=##kO9Z?upMOh zDOWIjuKAduUmQwm)Q3$6>X+uG^eVOEcSVF*+A{l!de4NcE5OXbL~}`r@-7;U^OkaB zIDgDs>#$fYaw-t|+-wh@f*V{o2g_|E(|aZz-EqZrY2CH`u4EH z94ZUU7NEDVzD#1E$~$3|)T4iYi|<|a4S3of8}*o5%1Un`i)$8k3D$4yH?>l&d8R3# zW&-J!X8#RYQO%tppWSbnHVf(2Ih#etfp!#T3OlOF@8;fa&wf#YL#pJxNlg9<~p=clrVz) z(kI-L)BtR{!R9PEgBIg?hO>C% z%aNMdB*g7hoE=o?JH)Fz*ToK@4XR{-ir3v-&Uv|zu9YU6r;96ZgrY%}t`XmvDv_Y} zXSH&A$te{hphJUo>9lsfzyb~=MsSxA3+#MLv_5C0<<)xhsfr#{ZEP)L42Fo4oRg?R 
zuE~SO3cf7WuO7Y@!0r)>$Dq<``r&0J)Uoz0hi}#JMH_MckzH^4aj{NFWBh>&2hrQS zQ;^5{d+scPGI}~r*Z4_l0N&rZ@DBbkOq;QbdU<6E)hmn*p_-CE!KsLrIIh094UZ@F zcNw%0(fp*B>|S~(zW}Nz*p&xP_K&i7oT3#NEjv?2!%bcx7D-b97nfl3(LFc~Y<YV+lhr*26BBez)gyP%c{wh#ZsXVVyjTbW-$+v z-6RI5QG*rA@}haN&wpCsf4W*#fSs2l>=0t;&3%9iKtCpeRRem^yD&nDEWgM^!hS9A zl!x7#QK21oFg>$ffIGRd=UOaUrD8}g-(?|(JO$1$dzq6srOoc0nIeGpfkc~57Kjp! z88P6Epv6~|gbd4Qkqf(iBJ_5QVNur~Ptw)mmR+~>_Pn(i9;TJ?g=PZKRFxoMa zb7|SL(fwCaB8K+*OVUEM#2tdL&U(U7>5}klT$oolk`yva;@yr$#k4rn!5+8^?A2b6 z!O-Car{Igp>|=yMUhSrfQJe$I3x2Ba!1RvVtqO%7uk!CbE|^#4e{`@__Et;($zZ46 z>ON}sLY+!PrYf))7VKGomWv@Kn82QJ$QVatTR61sM8i(i{G5L3ML1oS61&hs(Q5n;n7bPA+y@pA6nlwkJN{ z>sN0^aa^C6B6(|4p4p~f@aG^dKu^#>yo}8r1!$R~JTfFR73ISWHqCjn>L|6BT=0Km zA(G6sIO97T-9NAGA@^AiJff@W)_Oleqj<)+LvXc@2x+g>({Tkn#)Xh0!I_aS^rNW< zFhS3@UjV)zQdJqfH9C%@eS zH1om55I*Z>*#+_pKH6YH(Q5QHP~A!Zg=^3c=`jUy4$eVKbJs!$5gQ zllto5jz9+Xg~ibJK-t*1hzgHVD@-JrVFu_E4S3|l09lJZ;}QwD0+fZdr9#WE9`I!# z;|ayAGpK#cuXU}e7&VRgg@K=oMwJFCw!0V@722;VC~oVwn>p97yc9lIN3EXogLkB4cSR%WF*uYHw@`F!3*y4`5(>Os_H!G+uZ z(1EVQ==?DjDAmJdRW)6^H)|M@0FRIQ1fdI)1lI#vHdkR`I_cYI^pK%SNSu)BRRL$6 zFE9FM1PLvHS20|_U7hGgra2dbJzd)o^~dS6z0g(!fE6H?Z^-de%X0!ci#+4BfTAeFMUE)beTG z;Fs*r(FP)#c%5;5T#~!S3w1nUt3uqS7*QLK;?Z16PNi9JA&;f-rvCMu2M;)3nsx!X(wOm!>UD<_zL)WeE-!+v z?jc=~QxOb%-VDsVMduja_~8T|9U{_r3FXsaYxOKtVjY?(3>cGV+_4o^qRdtG43c5KUiJY*aAw6gkxI zXb62gG1myh3K>x+o%#Dsl?Nz*G?UuO@$vHUG=YxBoSao|WRcv+jjd?@4(z~{nwuN@ z=1%)XRDu+s0XtRNsWbt!KPZ3kWqS>@Re6kuSnY+9^@W0W+bfA6OpUix-1|-CqC}c@ zqUpPVj+8HTyu&td4$rFcdE|Edcq@Kp;%Nvdej}M=A)&f4wPD{peSgA^?U-qO61RfE zDoqHV80IOMJPBHsqxXrr+Aqb8%S&tbU>XL^v(?PN{g!xhW3Ho%>PkIYf&mmoBP_{y zhNHPuv&U6a)1zqyGhBfRYOhZw7T-&O@wGRSH_avRvNg!V5TRlO7i|PbqT~dUT?Kl) zcaB$YhUJ%Iz|48S%mCu(jdMFDMWyEWi<7TU)U-q5rMFm&lLIB?@jMx4xOmFt=N!1} zMX?UD9>b3D8c2&3(c~Me1?cqTdLwXgftbx=ws0le2Sc1`HtboSc>HvsDSJTA3zLcL zZcTZ()AkzJ_qZF5a?7?kvFmY^7tE)R|JoET@fOq>xYMVY1b-`~Rq&%>NF((`ZCiX7 z>RP>XXoOfJOF=PAuBFICP-eYY<7Te;kKsC{cJLm`38hks)?KLt@VDs(pH;fmB<4hO 
zjjbayZ_1`j)Oe1{HQXO?rgC7MSf8XK{d37DtPAB(^EvEo`VlDA=fO}tw3P#a+0}-b1kMae25Gv_ zpX)cX6ILt)?^?n}CJQkL)ulFA+%7fvPH(D3$Qu)(c#A(%rp0apim9+kPs6G2O6GCF z2egt+BOu|l z#8UjiXYO7+V*D;0*)i(x_pbM8T{9WRX?&LkK*v(>hQ z4W9~XQJOKiy+@YJ_hS<}OtM@ydRiy{@#9_&+aJ5La}NA<6Y`UYmfN|xzH(`Cd-tl= zb@PIFPhBVCa}~unk1D)&FD2u-7u=ARqKwFP83|ZHFI%y zZOPg7pib9|R0KnA9~oK%g5o0)z-4b++3R;y)&G0{6~1)}!J^GQkiVK;Bp*z$IrvEo z#^AAx{a{w?l`#kTRaXXZ!VgV}t7Dc|&PeMaJFXdocEK-Qc*>GVC@(*EtP2osb>h1PpzS4O;aRnVncoIJyEAomg#%xs*tiwAw7DmS(TDHki0hn{qX$ zDNY3{FOx0Wv57tidMvW$`*u=Gqo2Rb-k4VhFr298!E-QE&p{+bMm8$CA(*UR4)DOZ z&=o=6uye$@Znb)DPb9Gda!S6ZJWjIPJcX{v7H4Q^Q>qR;NK*$rguce9;@VN_@z#xg z72y)=gdDI7z4ys#{wl(xF0w*+qNdhLnP!*^PZ4WW*;9@&_pn!94o~?&rIjtq?H9#j z%lF+Ms=untROlgFyrC2N3Wb(gpP&e_TD}`?fPV9;BKBLIUy~U*L1Z|$BS(EI1-Ug% zqd3#iF$mS?LWpxZhC&9`@yw*50lV7@pGK-ua~Ttt-`Oy{lgf|4QWDQZp{u9-n!ge6 z9j559Z;G#{mN1qFN*!Ym(la;_Y1V@6pWZ0L>=S)g}mbugFjSu_1=hSkdh> z4R)Ayp%{j&fL%-xWJlrQ9H%MqEY^SKnz`U8IAqxm1no|@{(8Puj&_DEFa=3^*QJ51 z%Ef-;#C_v5@@~AWhPLMbetV%k2S3KGfQfyhK>ga5L&ro`>hFMofO1U`<1nc0!vr~D zZufrrPqFaMh%hplXzhebZOqemJrMtW6)z|)-Hg&k=YukD+3VKSRqIYRUcovHSRJ}> z7R~oo^7Fxm-w{Ll1kOU{c1nKt7ykEn)WQC3fM{6vHLzDre`63PH2Q#kj?uwXfu#Du z7k<8X|2i=CdQZCRfmN!`b}=+H=OmT*i_1ZQDSsX43VK6mO=aR$t}cRNBH6_vUy-Ta zP0bVM1tNhgx`dqak&sf$*~@-HrPw^eqB(KSd5tqb{`p$oNhvGP;E8jZY3XeTgzk7B zZwXxm&NB#KE^=kFrrLzNvzcs3WnJ>hs&`n3rFq0r`}9DP8V(B13VP$gxLpusb1zB+ zXZRj`XPEI?J=&h*S+YgHmCg*nz87li828@bp=f(Yme7_5SJVyz?iM|yKuyX%Z$0pQ(I&wz7Q;^b)99%q} z4G$B+hz+<5WuB&3{n}Tl1xCGkfgGC(%>cl+OC{j)BLzK*3w-*4Oq>G!*dyL?S3mQS zI7TypZSdS61nxn;K2H$?5u-o}68Wn|f%I%cb68wY`;DDeC3r<)lD; zO+q3&S|(Z>Z%G~HdNnsL7(c$fDWyOM{a=dj`UJGkAM#?c?tv0P9PNCl~L*P2@TVw7r#epf!K##wh<#NsoCdl7Q24<)b zWvp#_A(yJlVnGc}i^9jRxmp5jw?~?t%Wd!jb73+?*@Dd=DkV(mxgr6ONqN&A9v7wP zr^!bxAm8td_v=xTS-N7xwsOdnuXSzX2ry>_BRzWfU0i?d947a1yM64s4|r3}dLZqw za{Yy2h^f)D4^vi=`gowep&(iSruY7z$OO(c7x&cSf16z{0xSr>)4S%pZ@`i+vzk}- z8m;gY75(4dWhAOyJ`ub79aM+becoT3-ywyevTu@eY2zO~GWtq%wshs#*t&_Y5Gn>2 zrf&Xf6m+Q;-^#ggD{NRm?LU=T3fh>lda#6MECai%wpHK^wOaL>Lf#D;AH5_3Xo9GL 
za(%glZ1HhwF6ojSYAsJhTg>dW;D%%&DhC5CS6@o}omW9j$ZPoC=Sr>eU+_s@(P}S4pZfl=e6D-uka4 zAW)>cuv0=tWAUk$l2}%64G4j}XV~~I(=2s7X6{I z8vCr+Q$!Cle^TIPGlEa$!d(F3u&+9Jsez(0l0r6(dn+wLN^NI9N-LEx*<>Z9M$*|s z4yB3HCMB*FHV$%s3oy;sHi_BFwau38U#fH*RIL$jxOG?^f90T=J<-?nra+hymTIwr z7s%ca?*AeBIY#s*s$UGEb>a+5F58)Af1bLEjdE)DL|8m*g@aw*YPfYX#C{W&3=Cv_ zBV0Cc?)Mb_@{L*X3xNE(`nu9LBRBu(5S+bhX?AP=v~68`;?B&huKuzw-LY-bteI$> z$9v@e4*JGnMgDsAr9N*NKq&6Z>sothY2QofA-uYL&9>(^w}af%t>vCD5m<=58KAg| z*}tgshvK1%BR840Nnds00OEOd`ugClZb9g-%v$!-411dJa@LBynew3FUMauiB^<}_ zngi8uDe-IW9at+@s{TB?(hh5B$lcohn6sfJZ}EU^fh$Rg)!?=d2BSpTZ<6|}H5*yh z)&Ab`?8US2yHXFoHbersP$qA3pPBn{*~_6|{4%>6+7H9s9VDu^lQW>n>Kae{==}T~ zv^P%%q!2lIh#VGriN*@m$73Xr>l5bKh1$Fm=KPjwws}R_2Nveakk=q`JYorkR(frX zS4$;zMJvBeHQzxw&GVJ3FtdMtJ4PYSPk4#5d~R${dPkD6zs!&Qh@=C~`|A&se8-z$ z4bO_{D3GFsu<>G+fwD-n&RkU{Ng*b)b#(MQt8FY?Ytv~i+&&Li8GL>Qfn{`A7M-O^ zIv@_E_-}^K0;>|LDMhyJ>vCvi(obLD4l2EHy(-HeCsZZfViQi_NfY9RVh?Pg2N{$x zt*4yH^n65dtYzA*7F)Nf3X(G2raTDBB2dfUbNg4GRUdB!u`Km~c$b(eE8{KgdRyY| zazHoqyPy7cc?r0lUTvVE_TcODVYTjJ9$w*(|2%_Y*-YCT*@{&%YUbPD4$g}>877t; z=nR%zQ>exBc){vpZX3nB8Z}@qNySc0QkDeFxU9x|lui!La)uslQHGpk23-HLp@JQn zGQa}c#HlnV`GW`DKLa$LL?A>-5D0od6{~xecd_><@yA}9-IP*?sSrIT?SN$>3Rz7#PX906 z7e;22p83FZcZT1mW`2gCNQoxuFHR&dOQt3rkYR-QUb=%O5hs)@#V;J@oaG?~9 zb;g!RnkwlxI&_^x)5Vy$%;+G zK)Vx+(c8|=gyZ!YTC&vfXi|#({h+i@MvDddp;p7Pd50Hxi#kbxkVsi%?{3eSJQwrH zc|)Ra|HdbjbaRqdFPiacqG?c@y$ZH2U2)@}w33*(Pa-q*>4nEYSb_ja5pKJuO^D*p= zEH<}>+27Uuqrjy=IFYW2^3F^5pA)8FyWF}W!xSZHG+4u8)U}CtYCsTPA&jM48&<8< z46*=Y8loz1P$zPqXeFq23#PQ$e8gXAf316s+0Vh9_2D!Elf{0wb`ymEZDxpY$J#r@ zSqVCW5HF^l<`wm0>crYy2V(#tWW{?K!-c8>t#luxe*`|9_b5D+cQBijp~||&8qp#j zxx6PhJ%jR~yRzguLny3cw9H~g{^vGUJ9-_11dP`x{i%jsaCaj70#Z9_bEI1Trwv6W z6Jxs&nM(5w+FPSI5zoj})?6PIM}ri^)DlS)6^DbArFP@OwK-62^%|{ zapSQgP{!1o8No>I2*#T@OPr^{Ff-G%Z z1qDKuVd>Lye!sIMQ@?`iScE*ajjVW165D`>rEBr`iOd$6#6^{Z_6qTI;q*FEMS0_J z_;`7fSn^o~tzx^)L91@*fhTH_$M{hX=!uak9bbF5 z#59kyp~N%VfY^g+H-VGr9wfG$ys8sG=6+q-}}NVwzT 
zcFa&?#RY9c=3&8bzk}II?6wOE)p8BKq5(u3I>LZiv9iDd#8o^OZYCGY2K2?oi1@EVhms74;?IvHgh?#DXPF~J zk>OeLYy{QqYad6#RNB?}3yTOquoYnrVYdTJsH0qw76y~gArtVmZMq} z-as0ESb#6KJ{3#vwJHz}43`!w1#cXNA8tz>v${fum?|ew(M?*jSSQQ2f{6r%)_vRR zzvC0oW{<3~=A!v5mSQDhTMj~qq@nwJSfPUT0I=jaO?k@UZBk{VAQQPKBMy^wh0hwSaJ5+ za8$~h@W~aE%A;ZlSejzKPsy zE=?`Th~c=_yI+8zI1T)X#T!vLDUAbhp0HBY1Cu6aUA34*)dS;VVe70axHQX=L^e6K z7(#~w@z2}e+6UsB;jLnWtR%L4$S*^0$jsVFrx9Gau4ul??#L^Sht}w$c&zNYgE5$O zZ=H7}IR=w4m<|V`o9@V|;?m9R2%8!=IP`{YCwOU2=;oc_50PWVOhysIQSSNU)laKM zC)y^<3Wm7!`@>PKcO3TTQrT%REFe%#~`ANfp%rPJ^?7Vh!`UMX2G-VUYh=%U*c`xH97B5j{ctg-d9(<;qjI;ruYE4*K5X$7&HWJdh-~*jYxq2 z-LU{jQ1Io`6I}Pbvv0VboE2b;xgB+;Gy+E zc%%DNK+Y&VFqe6qxyZx{?2wR9&GxGr{W#?i3UG1@;?Z{;2$P3E_wqR$>@$8dtp?v? z$-@$ku(Dpc#T%Oi9IA+SNtX_mBu#kEK7wX4CC#i~NoRKovQFO(uMfGMSxm0FNqHl) zW#pD^1D}k^D7~NWD?Ma>Qf80>I-uHQx275z`xl@t)SIRZ zEn0&EsU$x>-L_0WFq$cm#W2;785vxa!X%cyaItltigEFH1zIwH9U2puL-YmndlOZPiBGs+vQwpY*)Q01WNUQP*UfH)T)V6n_ zU7EBTTBXKL0nw#QeqIE^wOmHsJyvYTl7_|)2f_Nbdy?ragF^NO(D`}YddVhF1`ViO z@uk&=1ym=wpR)R?j)5A9Q^!usFuNklZ)!5is+!C$CymTJR?){3N-VO$Bx7kONBtqZ z$GjD!6o<^WxxV@BAEuOb@_$UJydS2NXbW52e{xRGMQZTs|DaOaqd!oohq}rpM>_c7 zQ>rny!V=;G>2MjtvDY=yPXD4jG*}NS>?xwtn1G#tTK3%;%3FAiupr>F9T5o20{Nyw z;T*6N9{hPN`pcBD`&Nq?6`o1A5L>YzU=z_k#DQ0O`?WI~@v!3D{1IWPOH?(`Z?#9M z%33oF4q}loVuZ1#uv>Lw6X(}bZukf~=SqLZ0r>xkWyqX)@Tb#Y}8J`8f5+WpDJZs8w{fcEW&3)mZo3>A(NJFBKRpm$W!N*1sz~kc;f%y zP|&(STe8C%5v-=JL^Xoa?3#*(JR4PTDqwrEU9DmKX*GqcHQjbIrs@- zmG1W!MFEl++vnFl4WyW4g(oV8&{BT9#RpudW{IDTvuYb0PlvGpqR6aJx^*NoOK(UO zgykLbi|C%7?NV)d!q4i%>0AVUCj?biVRyp{a;AJb^d1${e3=bT*xcJ$)id7B-P$K- zk?NZZWA78!r3Yq_WC~vzfQ6?{?@l&|a){hQNLk*rm3`!iV9PeSGv+SJ27XmsDNy6| zhyDIjdL2@&X;|gFhZ);85TNm1y8^9~c75UeV!elfZ8j&SEL;JxIZIokIcnMs&4ws> z+VOt&2agAx9JU?5{-_G&0@Mj@C#DA<0=iH=@{u0Ql$nznQ!CGcI^%{QNNlp$W>(7r4ztV}2#abdTNtUutoS{4-($Q*dEoR3x* zIp#fStdWdCzrAxJ%qLmYv9{7EZA7__S=u8D*gw`i`hP{_OMw|fWKSnZ6X>`TQV(ii zH-Uk$Vbf16*3jeB{TZI{%C9?yGlHIG*v8Zvy&W_Z6vwBzpx~4P5OLhtGs(S=$ub0P 
zBD9O{kX!Z7^2yA`u($Qi?~whX`2N@8*41J2OY-{z1(b_}A#w350^O3h6hZ*eOc{?+B@Dzqv8ww%uZ1IFv{5$Lb|aC??p%T^L9OsFFK0?!hi9 zgg#=}9@-wE`JCGoB30|0e#P*ufH6M#0g&i$R-zoPN3GN|6F)FCfD=xPs1|0qRV6-~ zpRkudY;G#}&opb5sID5QF3Gu#^yy;43}e_%9e|TZbEg2U<_?Q3Vrs{QSp7%f<}It9PYUwMYiI<_Sf6)ellI`b2( zL6WdB-A|qaq>w~4or^@1syYrt#}+ma2P^DYPHL@ChwM%YzQ}`dDKj|CpY!H=qI|a4 zXVjM|rSM?s3v97m=B4Nsw$-S%OEN|ZN$urO@fdA`Oe;LY}wy&^tB1vvaQ{qH*v$| zd6~Z5tZ*yX56Fie7C;G}=Rd^|@h$a~sT3rF~q>ib$}0h{tW zRMoTg^ew3%`UP=Ss<&8h#N`@jE@Ax5ld(E3w2<=X$=jA!CruVZn!bv>2Isf-!XW^5L=o!@pv4dToC1kVY?OS@ZZ>Ts!FoAwRF+n+9R z6=hA~)X7#^#ulazDwNxvmI%6)5LKs@2c?yZ-b9SXvnS8=7)d*s_bZ5)^nno{K_jMt zaw{Ai^bms!4@&8#qCBaX zbYb;=iow%+qR4_uc=!5N?(w#Kc=LPNATm#_g>}uo;qm9f4p`tbcqA8^iwnzuejYn(lc6K_*2tl;}pMGii<5q*w`4JR;6 zBvA-}UG_L%@&vEs8R=G-c=V?*Pp9Jun`+YS)TlI|1T%QO=ywK5_ee=~PA%*O{34FXV6Az^he+NdgmFtLH(lY|7%U4O^`a+RvR}J(IHXz)<0JU}{0L3=c?AX)W%j z>MD8Mc>*QAmh*z=luJ#k%4zRYwfHpZG6LzxEMAh1kd9lHikg7Iyo5m~qurV!K?;99 z?)%e4JgM7K`Gm)r>#04wU%r7WvmrA)J41>;N`ehEo+$xmyI>BiaCg@z}X@r$vQ*TAQY=;qu1O7uxcop(OY-m{25eZ zkhanH^L^TRM`6PDp3Th9AR2TaH3lLJuwmLp4rI!%&;yAfM4Y~VP;NfpW|L5jK@pwE z$`{6?=ynF8?*pbYVZis^=0lH@(1QT%%?5u`N=hinKUWPp>NZw= z`pr#eF4ccUv+Rj**vnMtTbA09tD{pT82R+?pMl%Ka2`#QR(`hS$I@l%4YqMgJOWtp zcOX*7k#iikUh41bXbg%1))1@cAdfn+g+>Z)lZV+}7xP~DU|@r0b2Ao;+*dX6jZ9|H zKv|JkWG!!u`k-4^D%%HzXf8Ad(djv0R zBkP)d@Ze=@ABc3)k-5a}Sik{Z%di3~_>ubCsxRo)aj9Y(9wp0-tZyvA0n`r42ReCFGh6#lmL-I|*yPgx1*6$hH33 zim&mvR9GUW=!Bwg%4JikNJ(>8pn7i-<1geXbA9QMrCT(qX&2)QSGvE!jy&wEw=R^! 
zZYt4Tb;&s2A&Lyq$a*WfhSbOyFH#?vE?YRm9Aq+C7ic)_Czr#zte?o^7%}+AM{R`S zuuXrULEgGKpuYTd#I+Klf8U$ZV3dU^|HsDuez z8%2Y~Ob}xFT}Q= zs@2!D#>?l;A~Mu9Mmen_>0W^QmP~nvjSlz?T&!$KT4S}Nog~Rsw4VYO3GyXHgaF=k zQ&VXGZYQxNfDI7YFxAn8g$?Qv_4_-Lg^qq_xxT)}kew^)mX2vq@q4`a8}2$<&lel< zkX-Qe<=K@!WleWCbv9o*Mvi!Ou z<88Q6h8UMa0X@V8(;%b3iB5c0x-1*DAJdM6Kyo3nb4ESNdwlQTQ@kpn4gWGnU+`+} z5Wa++B_<)u(tKC=KjLbQk0kL@;~}Rw{A2&%s6+o`h%l)ZDK+Xc1pm8XncO3kBg-nc zj6%jopPCn1(Wb2n<2cGNF3YCilju1wf12YQVSow!czJZ_H1TSW-F=V+?S7PG9`t^l292&fM zMS<9pFA`Y>pbus=;A5+P>B$1bzWRjeDd~X9qnc0_r`FN@>N>Z+BlFGLmcLG^t+VX( z>2Ph%Ymc=_^IB#hnm}wy42=okt8%)FTwsQ3BSFeDm4bfg*VO-xmQx@($>qEAN6Yp7 z&Wd{C_fe|eeJ~qP5pRSfIp>}(57}SRTxwt2CpC(oH?Zdi&J3|%Wu#`1kMb~Kj`Yq3 z-_RJ1HIvpncC|HaBr-@YwmV8%>Vh~~u!fHUy0bHkBvr06{fXOunVN1 zhHfQtZnKmMGQp12X19>Wxo>zlVk$}kTZ7+j>*KE6&wj|NdUpclR}IchaU&7c7(W$G zk$jyJEv|UTPN1mO6RT7!ZG)hvEcdxORr5kb z+~HnTZIn=~`vM5OXn}RCitlv_aIO!zMbs>2De_J`n^4~2oT>1K-!|m2*Szr!q!6;aN;Qu^cz;|KnNpaBr^^?e5J+{2PkCG zzP*}Kb`GjnF*xD}W=qlgBiqDU7@X1^CE(YmJOmSZ2g||qs_}k1yU`Gkqo4(pc8J-> z?2VyDq#s@D=*y?`!nAB$3NBy9{=qSPy8GR>rsk7LK@_Ls6p|aB{K09)=+^j-EgzS_sHf_!N#bO+J>MRHphyN0W|IIXb4CR;W=T7&;TzWq2fO*4w2! 
zgkD$g0^Bq3aiNzF30Z)Ig{T>X%A}+7RHSIl=NC6D-XzBlSy5xgIqT%+G6967^g1wi ztz+@aEH+{oK=zq0V(>DUA zF7Yd;_<+(yk>J|5;UGPr2Tl}A?y1E$tD^=*M9fP+m}2>^I~1Da{eiTbwfpSIZSQ}^ zSWKoA>2lig`3k?r$r@71gs2yA<;~Xc)u3t-n>2Dqn2EtZObs(8Ra`GJ14CpjpR~5-7sez@c@L zj&XR(icCd>R#?1FD%Qqs$HR(!C+;~|Qem2;7VpIpREgEku9L-0XX))!A_w9Cyyj8a zj^QBvd)n+p%yNH3mq)2sLhoF*10Uvs>KGZ;Cm58jNA0h$>3oYxOa`N9XZ)|-g$7m?#f!e(P&LcZ#wYU zUzxiW|*|u1v0KLYHs1G?66x za-5}|zs$U6JH`Nbx$t99m5Z`}tGLsGiOIU_U`%OH zQurwEj^DRgbqWFG^ev&rD^ez`k&U|Ts5>H%I}uiS#zUC4fo`|AcGkxHQh1)v6#hdj zTfU~Vd4GxqRsXGys{BjC|2Vx{L(a}s*5HmA@#}-#1~6LCXj<U+Iv-iy|+CO(|D5v3@BFZF-A`efXLGuKOA`r41zkk}4pPhjZ7T1w`79}v2xkzP+ zFtEsjh_{u?$fv-d2qYxapm6s@_Wus>w>2&(NTFE1j=37kDL1@%EbA$?a3I*gv1R@z zi2VR#E0#pf7|oLo$=gL2>j{4`GcaeZHR_2Hi9=h+&cKx5vlRw!k3yyH>tb2)N!5E8 zIq>>I*NE@7$cso$><&>FRKOTXM??a25Nd)RIT-v#FceO(DropfK0m#bU{V*Wr-l*z zSK^r|i)wp+>TH+wMaFIu)&zuNnx|`fx6EtZOHlNOZ7DL$!;jx*2qBbnR~cbMKAesq zt*H?`<_KYPg!f|YV&VOnDMw|D^@iXD+6O7@@v#6K-V0D*=aj7HV2&D)DlbZD+E7%M zbVE*P?uq^T=u*Q^4i!&(QXaHg=l&0G;z#=-#z%ZKiz^$X$1U2QE3zJy^^t7@@S4WdTne4agq(#gWx zGK?tt%F9EjO{}-*!{OuMUEc6}cCOT|BN7reA`)CTJy%U%AEY0skv_va33+a3W*xWPqh2WCnvwF4#kZt;5~bO(kXmHM@i2$hWx{`g6 z%o1n$o85|=cXO4(Zsn=}iOm^56iYJ|>^d013GON11<(EZEHaS$>$EP%(rkBI5MK}W z4B5dLn|a@_MQQa(48;$@BM&1xOF!&q2n%O3_Y5*mT(K6Fo>VhUcBG4yn!F>i28O|! 
zB7)5PZ`1o4pui~AV4KggYzJ7rWqFByZzWHNWn9-p8FCB4(nKG~9?PtL6I0zp#xwhr zI`9ff&3tDs3$~WXI)FfhlQAe$`oqX9FRDMQKJI7e=U>1kZHL_1w`Jq8Ad6PvVn~HB zLZ>?bb0n~G4j()TUg`X6?IdT~{!Q-I;T+sTo?~X6{mxOdhtfMWMBWER!)6DB8^Q=U z==7n*81`o~U(9V;rbqJb49jN4eQ#;~3Qm_;6yi7zzdy^51Ur_G`3{HAa%&-sd)xbx zQ_wAadBH~{MRND=kKu(qDjqA?lWZ^@ZJqQch!5A^$f~179BSi3D8GK=Sw!Xt!= zI^8fYep#J8&WPDlQr`;LGA3Fte3eBNI;e#cap--82rOB)pVVd4t38S@*pAQ9JKv}y zPYi0UH44eXTa(#DrIV=3^S!bCbnJT<)5O&5Os2>8{Fa78OWe5(#`y;F^y&D-*JW`h zx4chRYFCP;k8eY}Qc3k+2~e{qAGY7Ju`y_rUAPpdoK!h6bLeZBwQ|a0fX8*?#ede% z$(#x01J3>VvEJuT%%T@$d+GXfJT&`V#swO+{i*@Ul?Wd8w_WT6bsRWUmH`rNedI#X z(cr`nSrjD$CwmmpnMWV3JIj2Ya*p7SgxB)EA!^!>RA)1#TvIe)=IOf+*s70E_jrfy zHsN>s5)KHli@ydQkoL|c>;a6R_uPng**xTdQEEm0-OD|8e%^9t2`@$ZCW?d?? z=KW3D!;yLoX+N0}pzkB|aE2aLh=-FK!ggARb?T^vZuxy@HH=cH+`&1$jP7s_uNTRz zujHY%9{GK|Dw^p&AC!~5@qM07`F);0npxtN;R8nZqK9b;F_*PG|FXvmy9$O!!)U*S>6DG*Xd!KdWsZ2 zMDw3hF~>h`lCkM(oP)j%4J`Iz-;zn@pKg0J@c!)j6(c$Ge$r#OW4!879&021ixSNM z|5k@#IO`YeQ+zk?>QGLwHOoy^Q}3w zk;3Ia!J!pDx(?r4>H2nrtKgT#-J6D>2@v^I9p6h@Ea%S zQLc=TiIx`IVWJCEM^2CA^v*{\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20On-Premises/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. 
[Windows Event logs collection, including MS Exchange Management Event logs](https://learn.microsoft.com/azure/azure-monitor/agents/data-sources-windows-events)\n\nb. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)\n\n**Data Connectors:** 2, **Parsers:** 4, **Workbooks:** 4, **Analytic Rules:** 2, **Watchlists:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20On-Premises/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Windows Event logs collection, including MS Exchange Management Event logs](https://learn.microsoft.com/azure/azure-monitor/agents/data-sources-windows-events)\n\nb. 
[Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)\n\n**Data Connectors:** 8, **Parsers:** 5, **Workbooks:** 4, **Analytic Rules:** 2, **Watchlists:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -60,7 +60,7 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This solution installs two (2) data connectors for ingesting Microsoft Exchange on-premises events to provide security insights. Each of these data connectors help ingest a different set of logs/events."
+ "text": "This solution installs eight (8) data connectors for ingesting Microsoft Exchange on-premises events to provide security insights. Each of these data connectors help ingest a different set of logs/events."
 }
 },
 {
@@ -93,6 +93,20 @@
 },
 {
 "name": "dataconnectors6-text",
+ "type": "Microsoft.Common.Section",
+ "label": "3. Exchange Audit Event logs ESI-Opt* for Azure Monitor Agent",
+ "elements": [
+ {
+ "name": "dataconnectors7-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "6 data connectors using exclusively Azure Monitor Agent to collect MSExchange Management Eventlogs, Exchange Security logs, Domain Controllers Security logs, IIS Logs, Exchange logs. Not all logs are required but it depends on your needs and on what you want to collect and secure for hunting in case of compromise. The first important logs consumed by this solution are “MSExchange Management” Event logs (Option 1)."
+ }
+ }
+ ]
+ },
+ {
+ "name": "dataconnectors8-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
 "text": "After installing the solution, configure and enable the data connector that’s most relevant to your Exchange environment by following guidance in Manage solution view."
@@ -107,7 +121,7 @@
 "name": "dataconnectors-parser-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The solution installs four (4) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, ExchangeAdminAuditLogs, MESCheckVIP and ExchangeEnvironmentList Kusto Function aliases."
+ "text": "The solution installs five (5) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, ExchangeAdminAuditLogs, MESCheckVIP, MESCompareDataOnPMRA and ExchangeEnvironmentList Kusto Function aliases."
 }
 }
 ]
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json
index 60760e6924a..f539311ecbb 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json
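Review bot: The element that is turned into a `Microsoft.Common.Section` keeps the name `dataconnectors6-text`, so the `-text` suffix now labels a container rather than a text block, while its child text block is `dataconnectors7-text` and the trailing block becomes `dataconnectors8-text`, which breaks the `dataconnectors1-text` … `dataconnectors8-text` numbering a reader expects. Consider `"name": "dataconnectors6-section"` for the Section, unless an output elsewhere in the UI definition refers to that name (not visible in this chunk). The label `3. Exchange Audit Event logs ESI-Opt* for Azure Monitor Agent` presumes sections 1 and 2 exist above this hunk; they are outside my view. The enclosing `elements` array starts and ends outside the hunk.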
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json
@@ -81,7 +81,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Microsoft Exchange Security - Exchange On-Premises",
- "_solutionVersion": "3.1.5",
+ "_solutionVersion": "3.3.0",
 "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-exchangesecurityinsights",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "ESI-ExchangeAdminAuditLogEvents",
@@ -91,7 +91,7 @@
 "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
 "_dataConnectorId1": "[variables('dataConnectorId1')]",
 "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "2.2.1",
+ "dataConnectorVersion1": "2.2.2",
 "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
 "uiConfigId2": "ESI-ExchangeOnPremisesCollector",
 "_uiConfigId2": "[variables('uiConfigId2')]",
@@ -100,8 +100,62 @@
 "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
 "_dataConnectorId2": "[variables('dataConnectorId2')]",
 "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.2.1",
+ "dataConnectorVersion2": "1.2.2",
 "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
+ "uiConfigId3": "ESI-Opt1ExchangeAdminAuditLogsByEventLogs",
+ "_uiConfigId3": "[variables('uiConfigId3')]",
+ "dataConnectorContentId3": "ESI-Opt1ExchangeAdminAuditLogsByEventLogs",
+ "_dataConnectorContentId3": "[variables('dataConnectorContentId3')]",
+ "dataConnectorId3": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]",
+ "_dataConnectorId3": "[variables('dataConnectorId3')]",
+ "dataConnectorTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId3'))))]",
+ "dataConnectorVersion3": "1.0.0",
+ "_dataConnectorcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId3'),'-', variables('dataConnectorVersion3'))))]",
+ "uiConfigId4": "ESI-Opt2ExchangeServersEventLogs",
+ "_uiConfigId4": "[variables('uiConfigId4')]",
+ "dataConnectorContentId4": "ESI-Opt2ExchangeServersEventLogs",
+ "_dataConnectorContentId4": "[variables('dataConnectorContentId4')]",
+ "dataConnectorId4": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]",
+ "_dataConnectorId4": "[variables('dataConnectorId4')]",
+ "dataConnectorTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId4'))))]",
+ "dataConnectorVersion4": "1.0.0",
+ "_dataConnectorcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId4'),'-', variables('dataConnectorVersion4'))))]",
+ "uiConfigId5": "ESI-Opt34DomainControllersSecurityEventLogs",
+ "_uiConfigId5": "[variables('uiConfigId5')]",
+ "dataConnectorContentId5": "ESI-Opt34DomainControllersSecurityEventLogs",
+ "_dataConnectorContentId5": "[variables('dataConnectorContentId5')]",
+ "dataConnectorId5": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]",
+ "_dataConnectorId5": "[variables('dataConnectorId5')]",
+ "dataConnectorTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId5'))))]",
+ "dataConnectorVersion5": "1.0.0",
+ "_dataConnectorcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId5'),'-', variables('dataConnectorVersion5'))))]",
+ "uiConfigId6": "ESI-Opt5ExchangeIISLogs",
+ "_uiConfigId6": "[variables('uiConfigId6')]",
+ "dataConnectorContentId6": "ESI-Opt5ExchangeIISLogs",
+ "_dataConnectorContentId6": "[variables('dataConnectorContentId6')]",
+ "dataConnectorId6": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId6'))]",
+ "_dataConnectorId6": "[variables('dataConnectorId6')]",
+ "dataConnectorTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId6'))))]",
+ "dataConnectorVersion6": "1.0.0",
+ "_dataConnectorcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId6'),'-', variables('dataConnectorVersion6'))))]",
+ "uiConfigId7": "ESI-Opt6ExchangeMessageTrackingLogs",
+ "_uiConfigId7": "[variables('uiConfigId7')]",
+ "dataConnectorContentId7": "ESI-Opt6ExchangeMessageTrackingLogs",
+ "_dataConnectorContentId7": "[variables('dataConnectorContentId7')]",
+ "dataConnectorId7": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId7'))]",
+ "_dataConnectorId7": "[variables('dataConnectorId7')]",
+ "dataConnectorTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId7'))))]",
+ "dataConnectorVersion7": "1.0.0",
+ "_dataConnectorcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId7'),'-', variables('dataConnectorVersion7'))))]",
+ "uiConfigId8": "ESI-Opt7ExchangeHTTPProxyLogs",
+ "_uiConfigId8": "[variables('uiConfigId8')]",
+ "dataConnectorContentId8": "ESI-Opt7ExchangeHTTPProxyLogs",
+ "_dataConnectorContentId8": "[variables('dataConnectorContentId8')]",
+ "dataConnectorId8": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId8'))]",
+ "_dataConnectorId8": "[variables('dataConnectorId8')]",
+ "dataConnectorTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId8'))))]",
+ "dataConnectorVersion8": "1.0.0",
+ "_dataConnectorcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId8'),'-', variables('dataConnectorVersion8'))))]",
 "parserObject1": {
 "_parserName1": "[concat(parameters('workspace'),'/','ExchangeAdminAuditLogs Data Parser')]",
 "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ExchangeAdminAuditLogs Data Parser')]",
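Review bot: The numeric suffix of the new variables does not track the option number carried in the connector id: `uiConfigId3` is `ESI-Opt1…`, `uiConfigId5` is `ESI-Opt34…` (two options in one connector) and `uiConfigId8` is `ESI-Opt7…`, so a resource that references `variables('_dataConnectorContentId5')` reads as option 5 while it actually deploys option 3/4. If this file is produced by the solution packaging tool, which the fully regular pattern suggests, the mapping is fixed by the order of the connector list in the tool's input rather than by editing here; either way a reader of the template has to cross-check every index against the `dataConnectorContentIdN` literal, so documenting the index-to-option mapping next to the connector list in the input (or in the release notes) would help. The `variables` object starts and ends outside the hunk.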
@@ -130,11 +184,19 @@
 "parserVersion4": "1.0.0",
 "parserContentId4": "MESCheckVIP-Parser"
 },
+ "parserObject5": {
+ "_parserName5": "[concat(parameters('workspace'),'/','MESCompareDataOnPMRA')]",
+ "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataOnPMRA')]",
+ "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCompareDataOnPMRA-Parser')))]",
+ "parserVersion5": "1.0.0",
+ "parserContentId5": "MESCompareDataOnPMRA-Parser"
+ },
 "workbookVersion1": "1.0.1",
 "workbookContentId1": "MicrosoftExchangeLeastPrivilegewithRBAC",
 "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
 "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
 "_workbookContentId1": "[variables('workbookContentId1')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
 "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
 "workbookVersion2": "1.0.1",
 "workbookContentId2": "MicrosoftExchangeSearchAdminAuditLog",
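Review bot: `workspaceResourceId` spells the resource type `'microsoft.OperationalInsights/Workspaces'` while every other `resourceId(...)` call in this hunk and the surrounding template uses `'Microsoft.OperationalInsights/workspaces'`; ARM resolves the type case-insensitively, but the string the expression yields keeps the input casing, which can matter wherever that id is compared as text or hashed (for example inside `uniqueString`). Suggest `"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace'))]"`. The variable is also inserted between `_workbookContentId1` and `_workbookcontentProductId1` rather than next to the other workspace-level variables, which is easy to lose on a later merge; it is presumably consumed by the workbook bumped to 2.0.0, but that use is outside this hunk. The `parserObject5` name `MESCompareDataOnPMRA` lacks the ` Data Parser` suffix used by `_parserName1`; whether that matches the convention of parsers 2–4 cannot be checked from this chunk.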
@@ -148,7 +210,7 @@
 "workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))))]",
 "_workbookContentId3": "[variables('workbookContentId3')]",
 "_workbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId3'),'-', variables('workbookVersion3'))))]",
- "workbookVersion4": "1.0.1",
+ "workbookVersion4": "2.0.0",
 "workbookContentId4": "MicrosoftExchangeSecurityReview",
 "workbookId4": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId4'))]",
 "workbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId4'))))]",
@@ -184,7 +246,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.1.5",
+ "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -200,9 +262,9 @@
 "properties": {
 "connectorUiConfig": {
 "id": "[variables('_uiConfigId1')]",
- "title": "Microsoft Exchange Logs and Events",
+ "title": "[Deprecated] Microsoft Exchange Logs and Events",
 "publisher": "Microsoft",
- "descriptionMarkdown": "You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
+ "descriptionMarkdown": "Deprecated, use the 'ESI-Opt' dataconnectors. You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
 "graphQueries": [
 {
 "metricName": "Total data received",
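Review bot: The deprecation sentence added to `descriptionMarkdown` says to use "the 'ESI-Opt' dataconnectors" without telling the reader which new connector replaces which option of this legacy connector, so someone landing on the deprecated tile still has to work out the migration path themselves. Consider naming the replacements and their mapping, e.g. `Deprecated, use the 'ESI-Opt' data connectors of this solution (one per ingestion option) instead.`, and spell it "data connectors". The same wording is added again in the second connector definition at `@@ -988,9 +1066,9 @@`.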
@@ -300,35 +362,14 @@ "customs": [ { "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" } ] }, "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", - "instructions": [ - { - "parameters": { - "title": "Parser deployment (When using Microsoft Exchange Security Solution, Parsers are automatically deployed)", - "instructionSteps": [ - { - "title": "1. Download the Parser file", - "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" - }, - { - "title": "2. Create Parser **ExchangeAdminAuditLogs** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeAdminAuditLogs** function", - "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, { "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. 
Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)" }, @@ -408,7 +449,7 @@ "instructionSteps": [ { "title": "A. Create DCR, Type Event log", - "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MS Exchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." } ] }, 
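Review bot: The new `customs` entry misspells "Detailed" as "Detailled" in both its `name` and `description`, and this text is rendered verbatim in the connector UI; suggest `"name": "Detailed documentation",` and `"description": ">**NOTE:** Detailed documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"`. The same entry is added at `@@ -1088,35 +1166,14 @@`, `@@ -1769,40 +1863,14 @@` and `@@ -2020,40 +2125,14 @@`.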
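Review bot: The rewritten `description` line still carries "enter you Exchange Servers" in step 4; since the whole line is being replaced for the 'MSExchange Management' log-name correction, it is the right moment to fix it to `enter your Exchange Servers`. The same text is rewritten in the duplicate step at `@@ -1196,7 +1253,7 @@`.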
@@ -428,7 +469,7 @@
 },
 {
 "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used",
- "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MS Exchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
+ "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MSExchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
 "instructions": [
 {
 "parameters": {
@@ -889,15 +930,52 @@ } ], "title": "2. Deploy log injestion following choosed options" + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "metadata": { "id": "5738bef7-b6c0-4fec-ba0b-ac728bef83a9", - "version": "2.2.1", + "version": "2.2.2", "kind": "dataConnector", "source": { "kind": "solution", - "name": "ESI - Exchange Security Configuration Analyzer" + "name": "Microsoft Exchange Security - Exchange On-Premises" }, "support": { "name": "Community", 
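Review bot: The added instruction step has no `title`, unlike its siblings in the same `instructionSteps` array (the preceding step is titled "2. Deploy log injestion following choosed options"), so it renders as an untitled block after the numbered steps; suggest `"title": "3. Parsers (automatically deployed with the solution)"`. Its `description` also states both "Parsers are automatically deployed with the solution" and "Follow the steps to create the Kusto Functions alias", which reads as contradictory next to the group title "If you want to deploy manually, follow the steps below"; prefixing the second sentence with `If you need to deploy them manually, ` would remove the ambiguity. The same block is added at `@@ -1677,6 +1734,43 @@`.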
@@ -945,7 +1023,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('_dataConnectorContentId1')]",
 "contentKind": "DataConnector",
- "displayName": "Microsoft Exchange Logs and Events",
+ "displayName": "[Deprecated] Microsoft Exchange Logs and Events",
 "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
 "id": "[variables('_dataConnectorcontentProductId1')]",
 "version": "[variables('dataConnectorVersion1')]"
@@ -988,9 +1066,9 @@
 "kind": "GenericUI",
 "properties": {
 "connectorUiConfig": {
- "title": "Microsoft Exchange Logs and Events",
+ "title": "[Deprecated] Microsoft Exchange Logs and Events",
 "publisher": "Microsoft",
- "descriptionMarkdown": "You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
+ "descriptionMarkdown": "Deprecated, use the 'ESI-Opt' dataconnectors. You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
 "graphQueries": [
 {
 "metricName": "Total data received",
@@ -1088,35 +1166,14 @@ "customs": [ { "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" } ] }, "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", - "instructions": [ - { - "parameters": { - "title": "Parser deployment (When using Microsoft Exchange Security Solution, Parsers are automatically deployed)", - "instructionSteps": [ - { - "title": "1. Download the Parser file", - "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" - }, - { - "title": "2. Create Parser **ExchangeAdminAuditLogs** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeAdminAuditLogs** function", - "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, { "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. 
Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)" }, @@ -1196,7 +1253,7 @@ "instructionSteps": [ { "title": "A. Create DCR, Type Event log", - "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MS Exchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." } ] }, 
@@ -1216,7 +1273,7 @@
 },
 {
 "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used",
- "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MS Exchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
+ "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MSExchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
 "instructions": [
 {
 "parameters": {
@@ -1677,6 +1734,43 @@ } ], "title": "2. Deploy log injestion following choosed options" + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "id": "[variables('_uiConfigId1')]" 
@@ -1692,7 +1786,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.1.5",
+ "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion2')]",
@@ -1727,7 +1821,7 @@
 "dataTypes": [
 {
 "name": "ESIExchangeConfig_CL",
- "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)"
+ "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time"
 }
 ],
 "connectivityCriterias": [
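Review bot: The extended `lastDataReceivedQuery` writes `|summarize` without the space that every other pipe in the same query carries; purely cosmetic, but `| where isnotempty(Time) | summarize Time = max(Time) | project Time` keeps the KQL readable and consistent with the surrounding connector queries. The collapse to a single `Time` column is what the last-data check needs, so the logic itself looks right. The same query is changed at `@@ -1972,7 +2077,7 @@`.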
@@ -1769,40 +1863,14 @@ { "name": "Service Account with Organization Management role", "description": "The service Account that launch the script as scheduled task needs to be Organization Management to be able to retrieve all the needed security Information." + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" } ] }, "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)", - "instructions": [ - { - "parameters": { - "title": "Parsers deployment", - "instructionSteps": [ - { - "title": "1. Download the Parser files", - "description": "The latest version of the 2 files [**ExchangeConfiguration.yaml**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList.yaml**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)" - }, - { - "title": "2. Create Parser **ExchangeConfiguration** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeConfiguration** function", - "description": "Click on save button.\n Define the parameters as asked on the header of the parser file.\nClick save again." - }, - { - "title": "4. 
Reproduce the same steps for Parser **ExchangeEnvironmentList**", - "description": "Reproduce the step 2 and 3 with the content of 'ExchangeEnvironmentList.yaml' file" - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "Parser deployment **(When using Microsoft Exchange Security Solution, Parsers are automatically deployed)**" - }, { "description": "This is the script that will collect Exchange Information to push content in Microsoft Sentinel.\n ", "instructions": [ 
@@ -1860,11 +1928,48 @@ { "description": "The script needs to be scheduled to send Exchange configuration to Microsoft Sentinel.\n We recommend to schedule the script once a day.\n The account used to launch the Script needs to be member of the group Organization Management", "title": "3. Schedule the ESI Collector Script (If not done by the Install Script due to lack of permission or ignored during installation)" + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "metadata": { "id": "ed950fd7-e457-4a59-88f0-b9c949aa280d", - "version": "1.2.1", + "version": "1.2.2", "kind": "dataConnector", "source": { "kind": "solution", 
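Review bot: The parser step added to this connector directs the user to the **ExchangeAdminAuditLogs** parser, but the step it replaces (removed at `@@ -1769,40 +1863,14 @@`) named **ExchangeConfiguration** and **ExchangeEnvironmentList** as the parsers this ESI Collector connector depends on, and the "No parameter is needed" save step contradicts the removed "Define the parameters as asked on the header of the parser file"; this looks copy-pasted from the event-log connector. The `description` and the inner `instructionSteps` should reference the two OnPrem parser links that were removed and keep the four-step sequence, as sketched below. The same mismatch is in the duplicate block at `@@ -2111,6 +2190,43 @@`.
```json
{
  "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)",
  // … unchanged: "instructions" / "parameters" / "Manual Parser Deployment" wrapper objects …
  "instructionSteps": [
    {
      "title": "1. Download the Parser files",
      "description": "The latest version of the 2 files [**ExchangeConfiguration.yaml**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList.yaml**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)"
    },
    {
      "title": "2. Create Parser **ExchangeConfiguration** function",
      "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer"
    },
    {
      "title": "3. Save Parser **ExchangeConfiguration** function",
      "description": "Click on save button.\n Define the parameters as asked on the header of the parser file.\nClick save again."
    },
    {
      "title": "4. Reproduce the same steps for Parser **ExchangeEnvironmentList**",
      "description": "Reproduce the step 2 and 3 with the content of 'ExchangeEnvironmentList.yaml' file"
    }
  ]
  // … unchanged: closing "type": "InstructionStepsGroup" objects …
}
```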
@@ -1972,7 +2077,7 @@
 "dataTypes": [
 {
 "name": "ESIExchangeConfig_CL",
- "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)"
+ "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time"
 }
 ],
 "connectivityCriterias": [
@@ -2020,40 +2125,14 @@ { "name": "Service Account with Organization Management role", "description": "The service Account that launch the script as scheduled task needs to be Organization Management to be able to retrieve all the needed security Information." + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" } ] }, "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)", - "instructions": [ - { - "parameters": { - "title": "Parsers deployment", - "instructionSteps": [ - { - "title": "1. Download the Parser files", - "description": "The latest version of the 2 files [**ExchangeConfiguration.yaml**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList.yaml**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)" - }, - { - "title": "2. Create Parser **ExchangeConfiguration** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeConfiguration** function", - "description": "Click on save button.\n Define the parameters as asked on the header of the parser file.\nClick save again." - }, - { - "title": "4. 
Reproduce the same steps for Parser **ExchangeEnvironmentList**", - "description": "Reproduce the step 2 and 3 with the content of 'ExchangeEnvironmentList.yaml' file" - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "Parser deployment **(When using Microsoft Exchange Security Solution, Parsers are automatically deployed)**" - }, { "description": "This is the script that will collect Exchange Information to push content in Microsoft Sentinel.\n ", "instructions": [ 
@@ -2111,6 +2190,43 @@ { "description": "The script needs to be scheduled to send Exchange configuration to Microsoft Sentinel.\n We recommend to schedule the script once a day.\n The account used to launch the Script needs to be member of the group Organization Management", "title": "3. Schedule the ESI Collector Script (If not done by the Install Script due to lack of permission or ignored during installation)" + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "id": "[variables('_uiConfigId2')]" 
@@ -2120,76 +2236,2822 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject1').parserTemplateSpecName1]", + "name": "[variables('dataConnectorTemplateSpecName3')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeAdminAuditLogs Data Parser with template version 3.1.5", + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject1').parserVersion1]", + "contentVersion": "[variables('dataConnectorVersion3')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[variables('parserObject1')._parserName1]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", + "kind": "GenericUI", "properties": { - "eTag": "*", - "displayName": "Parser for ExchangeAdminAuditLogs", - "category": "Microsoft Sentinel Parser", - "functionAlias": "ExchangeAdminAuditLogs", - "query": "let CmdletCheck = externaldata (Cmdlet:string, UserOriented:string, RestrictToParameter:string, Parameters:string)[h\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/CmdletWatchlist.csv\"]with(format=\"csv\",ignoreFirstRecord=true);\nlet SensitiveCmdlets = CmdletCheck | project tostring(Cmdlet) 
;\nlet Check = (T:(*)) {\n let fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [\n \"NONE\",\"NONE\",\"NONE\",\"NONE\",\"00000001-0000-1000-0000-100000000000\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != \"00000001-0000-1000-0000-100000000000\" | project-away TableName;\n let SearchUserDisplayName = T | join Watchlist on $left.TargetObject == $right.displayName | project TargetObject,SearchKey;\n let SearchUserUPN = T | join Watchlist on $left.TargetObject == $right.userPrincipalName | project TargetObject,SearchKey;\n let SearchUserCanonicalName = T | join Watchlist on $left.TargetObject == $right.canonicalName | project TargetObject,SearchKey;\n let SearchUserSAMAccountName = T | join Watchlist on $left.TargetObject == $right.sAMAccountName | project TargetObject,SearchKey;\n let SearchUserObjectSID = T | join Watchlist on $left.TargetObject == $right.objectSID | project TargetObject,SearchKey;\n let SearchUserObjectGUID = T | join (Watchlist | extend objectGuidString = tostring(objectGUID)) on $left.TargetObject == $right.objectGuidString | project TargetObject,SearchKey;\n let SearchUserDistinguishedName = T | join Watchlist on $left.TargetObject == $right.distinguishedName | project TargetObject,SearchKey;\n union isfuzzy=true withsource=TableName \n SearchUserDisplayName, \n SearchUserUPN, \n SearchUserCanonicalName, \n SearchUserSAMAccountName,\n SearchUserObjectSID,\n SearchUserObjectGUID,\n SearchUserDistinguishedName\n };\nlet Env = ExchangeConfiguration(SpecificSectionList=\"ESIEnvironment\")\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\n| project DomainFQDN_, ESIEnvironment;\nlet EventList = Event\n | where EventLog == 'MSExchange Management'\n | where EventID in (1,6) // 1 = Success, 6 = Failure\n | parse 
ParameterXml with '' CmdletName '' CmdletParameters '' Caller '' *\n | extend TargetObject = iif( CmdletParameters has \"-Identity \", split(split(CmdletParameters,'-Identity ')[1],'\"')[1], iif( CmdletParameters has \"-Name \", split(split(CmdletParameters,'-Name ')[1],'\"')[1], \"\"));\nlet MSExchange_Management = (){\nEventList\n | extend Status = case( EventID == 1, 'Success', 'Failure')\n | join kind=leftouter (EventList | project TargetObject | invoke Check()) on TargetObject\n | extend IsVIP = iif(SearchKey == \"\", false, true)\n | join kind=leftouter ( \n MESCheckVIP() ) on SearchKey\n | extend CmdletNameJoin = tolower(CmdletName)\n | join kind=leftouter ( \n CmdletCheck\n | extend CmdletNameJoin = tolower(Cmdlet)\n ) on CmdletNameJoin\n | extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\n | join kind=leftouter ( \n Env\n ) on $left.DomainEnv == $right.DomainFQDN_\n | extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\"Unknown-\",DomainEnv))\n | extend IsSenstiveCmdlet = iif( isnotempty(CmdletNameJoin1) , true, false) \n | extend IsRestrictedCmdLet = iif(IsSenstiveCmdlet == true, iif( RestrictToParameter == \"Yes\", true, false), dynamic(null))\n | extend RestrictedParameters = iif(IsSenstiveCmdlet == true, split(tolower(Parameters),';'), dynamic(null))\n | extend ExtractedParameters = iif(IsSenstiveCmdlet == true,extract_all(@\"\\B(-\\w+)\", tolower(CmdletParameters)), dynamic(null))\n | extend IsSenstiveCmdletParameters = iif(IsSenstiveCmdlet == true,iif( array_length(set_difference(ExtractedParameters,RestrictedParameters)) == array_length(ExtractedParameters), false, true ) , false)\n | extend IsSensitive = iif( ( IsSenstiveCmdlet == true and IsRestrictedCmdLet == false ) or (IsSenstiveCmdlet == true and IsRestrictedCmdLet == true and IsSenstiveCmdletParameters == true ), true, false )\n | project 
TimeGenerated,Computer,Status,Caller,TargetObject,IsVIP,canonicalName,displayName,distinguishedName,objectGUID,objectSID,sAMAccountName,userPrincipalName,CmdletName,CmdletParameters,IsSenstiveCmdlet,IsRestrictedCmdLet,ExtractedParameters,RestrictedParameters,IsSenstiveCmdletParameters,IsSensitive,UserOriented, ESIEnvironment\n};\nMSExchange_Management\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ExchangeAdminAuditLogs Data Parser')]", - "contentId": "[variables('parserObject1').parserContentId1]", - "kind": "Parser", - "version": "[variables('parserObject1').parserVersion1]", - "source": { - "name": "Microsoft Exchange Security - Exchange On-Premises", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Community", - "tier": "Community", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject1').parserContentId1]", + "connectorUiConfig": { + "id": "[variables('_uiConfigId3')]", + "title": "Microsoft Exchange Admin Audit Logs by Event Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 1] - Using Azure Monitor Agent - You can 
stream all Exchange Audit events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "ExchangeAuditLogs", + "baseQuery": "Event | where EventLog == 'MSExchange Management'" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "Event | where EventLog == 'MSExchange Management' | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "Event", + "lastDataReceivedQuery": "Event | where EventLog == 'MSExchange Management' | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Event | where EventLog == 'MSExchange Management' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 1** of the wiki." 
+ }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "The MS Exchange Admin Audit event logs are collected using Data Collection Rules (DCR) and allow to store all Administrative Cmdlets executed in an Exchange environment.", + "instructions": [ + { + "parameters": { + "title": "", + "instructionSteps": [ + { + "title": "Data Collection Rules Deployment", + "description": "**Enable data collection rule**\n> Microsoft Exchange Admin Audit Events logs are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered)", + "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption1-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCR, Type Event log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. [Option 1] MS Exchange Management Log collection - MS Exchange Admin Audit event logs by Data Collection Rules" + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. 
If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "metadata": { + "id": "dfa2e270-b24f-4d76-b9a5-cd4a878596bf", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", + "contentId": "[variables('_dataConnectorContentId3')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion3')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - 
Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId3')]", + "contentKind": "DataConnector", + "displayName": "Microsoft Exchange Admin Audit Logs by Event Logs", + "contentProductId": "[variables('_dataConnectorcontentProductId3')]", + "id": "[variables('_dataConnectorcontentProductId3')]", + "version": "[variables('dataConnectorVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId3')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", + "contentId": "[variables('_dataConnectorContentId3')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion3')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, + { + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Microsoft Exchange Admin Audit Logs by Event Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 1] - Using Azure Monitor Agent - You can stream all Exchange Audit events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "ExchangeAuditLogs", + "baseQuery": "Event | where EventLog == 'MSExchange Management'" + } + ], + "dataTypes": [ + { + "name": "Event", + "lastDataReceivedQuery": "Event | where EventLog == 'MSExchange Management' | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Event | where EventLog == 'MSExchange Management' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "Event | where EventLog == 'MSExchange Management' | sort by TimeGenerated" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { 
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 1** of the wiki." 
+ }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "The MS Exchange Admin Audit event logs are collected using Data Collection Rules (DCR) and allow to store all Administrative Cmdlets executed in an Exchange environment.", + "instructions": [ + { + "parameters": { + "title": "", + "instructionSteps": [ + { + "title": "Data Collection Rules Deployment", + "description": "**Enable data collection rule**\n> Microsoft Exchange Admin Audit Events logs are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered)", + "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption1-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCR, Type Event log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. [Option 1] MS Exchange Management Log collection - MS Exchange Admin Audit event logs by Data Collection Rules" + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. 
If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "id": "[variables('_uiConfigId3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion4')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId4'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": 
"[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId4')]", + "title": "Microsoft Exchange Logs and Events", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 2] - Using Azure Monitor Agent - You can stream all Exchange Security & Application Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange Eventlogs", + "baseQuery": "Event | where EventLog == 'Application'" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "Event | where EventLog == 'Application' | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "Event", + "lastDataReceivedQuery": "Event | where EventLog == 'Application' | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Event | where EventLog == 'Application' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 2** of the wiki." 
+ }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "The Security/Application/System logs of Exchange Servers are collected using Data Collection Rules (DCR).", + "instructions": [ + { + "parameters": { + "title": "Security Event log collection", + "instructionSteps": [ + { + "title": "Data Collection Rules - Security Event logs", + "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add Exchange Servers on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. 
Please select 'Common' or 'All Security Events' on DCR definition.", + "instructions": [ + { + "parameters": { + "linkType": "OpenCreateDataCollectionRule", + "dataCollectionRuleType": 0 + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "title": "Application and System Event log collection", + "instructionSteps": [ + { + "title": "Enable data collection rule", + "description": "> Application and System Events logs are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered method)", + "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption2-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCR, Type Event log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Basic' option.\n6. 
For Application, select 'Critical', 'Error' and 'Warning'. For System, select Critical/Error/Warning/Information. \n7. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. [Option 2] Security/Application/System logs of Exchange Servers" + } + ], + "metadata": { + "id": "22e0234b-278d-40f4-8be8-c2968faeaf91", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", + "contentId": "[variables('_dataConnectorContentId4')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion4')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", 
+ "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId4')]", + "contentKind": "DataConnector", + "displayName": "Microsoft Exchange Logs and Events", + "contentProductId": "[variables('_dataConnectorcontentProductId4')]", + "id": "[variables('_dataConnectorcontentProductId4')]", + "version": "[variables('dataConnectorVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId4')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", + "contentId": "[variables('_dataConnectorContentId4')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion4')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId4'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Microsoft 
Exchange Logs and Events", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 2] - Using Azure Monitor Agent - You can stream all Exchange Security & Application Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange Eventlogs", + "baseQuery": "Event | where EventLog == 'Application'" + } + ], + "dataTypes": [ + { + "name": "Event", + "lastDataReceivedQuery": "Event | where EventLog == 'Application' | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Event | where EventLog == 'Application' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "Event | where EventLog == 'Application' | sort by TimeGenerated" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 2** of the wiki." 
+ }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "The Security/Application/System logs of Exchange Servers are collected using Data Collection Rules (DCR).", + "instructions": [ + { + "parameters": { + "title": "Security Event log collection", + "instructionSteps": [ + { + "title": "Data Collection Rules - Security Event logs", + "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add Exchange Servers on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. 
Please select 'Common' or 'All Security Events' on DCR definition.", + "instructions": [ + { + "parameters": { + "linkType": "OpenCreateDataCollectionRule", + "dataCollectionRuleType": 0 + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "title": "Application and System Event log collection", + "instructionSteps": [ + { + "title": "Enable data collection rule", + "description": "> Application and System Events logs are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered method)", + "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption2-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCR, Type Event log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Basic' option.\n6. 
For Application, select 'Critical', 'Error' and 'Warning'. For System, select Critical/Error/Warning/Information. \n7. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. [Option 2] Security/Application/System logs of Exchange Servers" + } + ], + "id": "[variables('_uiConfigId4')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion5')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId5'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId5')]", + "title": " Microsoft Active-Directory Domain Controllers Security Event Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 3 & 4] - Using Azure Monitor Agent 
-You can stream a part or all Domain Controllers Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Domain Controllers Security Logs", + "baseQuery": "SecurityEvent" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "SecurityEvent | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "SecurityEvent", + "lastDataReceivedQuery": "SecurityEvent | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "SecurityEvent | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 3 and 4** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream Security logs of Domain Controllers. If you want to implement Option 3, you just need to select DC on same site as Exchange Servers. 
If you want to implement Option 4, you can select all DCs of your forest.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "[Option 3] List only Domain Controllers on the same site as Exchange Servers for next step", + "description": "**This limits the quantity of data injested but some incident can't be detected.**" + }, + { + "title": "[Option 4] List all Domain Controllers of your Active-Directory Forest for next step", + "description": "**This allows collecting all security events**" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "title": "Security Event log collection", + "instructionSteps": [ + { + "title": "Data Collection Rules - Security Event logs", + "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add chosen DCs on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. Please select 'Common' or 'All Security Events' on DCR definition.", + "instructions": [ + { + "parameters": { + "linkType": "OpenCreateDataCollectionRule", + "dataCollectionRuleType": 0 + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "Security logs of Domain Controllers" + } + ], + "metadata": { + "id": "036e16af-5a27-465a-8662-b7ac385a8d45", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId5'),'/'))))]", + 
"properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", + "contentId": "[variables('_dataConnectorContentId5')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion5')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId5')]", + "contentKind": "DataConnector", + "displayName": " Microsoft Active-Directory Domain Controllers Security Event Logs", + "contentProductId": "[variables('_dataConnectorcontentProductId5')]", + "id": "[variables('_dataConnectorcontentProductId5')]", + "version": "[variables('dataConnectorVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId5'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId5')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", + "contentId": "[variables('_dataConnectorContentId5')]", + "kind": "DataConnector", + 
"version": "[variables('dataConnectorVersion5')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId5'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": " Microsoft Active-Directory Domain Controllers Security Event Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 3 & 4] - Using Azure Monitor Agent -You can stream a part or all Domain Controllers Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. 
This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Domain Controllers Security Logs", + "baseQuery": "SecurityEvent" + } + ], + "dataTypes": [ + { + "name": "SecurityEvent", + "lastDataReceivedQuery": "SecurityEvent | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "SecurityEvent | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "SecurityEvent | sort by TimeGenerated" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 3 and 4** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream Security logs of Domain Controllers. If you want to implement Option 3, you just need to select DC on same site as Exchange Servers. 
If you want to implement Option 4, you can select all DCs of your forest.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "[Option 3] List only Domain Controllers on the same site as Exchange Servers for next step", + "description": "**This limits the quantity of data injested but some incident can't be detected.**" + }, + { + "title": "[Option 4] List all Domain Controllers of your Active-Directory Forest for next step", + "description": "**This allows collecting all security events**" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "title": "Security Event log collection", + "instructionSteps": [ + { + "title": "Data Collection Rules - Security Event logs", + "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add chosen DCs on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. Please select 'Common' or 'All Security Events' on DCR definition.", + "instructions": [ + { + "parameters": { + "linkType": "OpenCreateDataCollectionRule", + "dataCollectionRuleType": 0 + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "Security logs of Domain Controllers" + } + ], + "id": "[variables('_uiConfigId5')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName6')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", + "mainTemplate": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion6')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId6'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId6')]", + "title": "IIS Logs of Microsoft Exchange Servers", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 5] - Using Azure Monitor Agent - You can stream all IIS Logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange IIS logs", + "baseQuery": "W3CIISLog" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "W3CIISLog | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "W3CIISLog", + "lastDataReceivedQuery": "W3CIISLog | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "W3CIISLog | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", 
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 5** of the wiki." 
+ }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream IIS logs of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Enable data collection rule", + "description": "> IIS logs are collected only from **Windows** agents.", + "instructions": [ + { + "type": "AdminAuditEvents" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Preferred Method)", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule", + "description": "1. Click the **Deploy to Azure** button below. 
\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption5-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create DCR, Type IIS log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. Select the created DCE. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'IIS logs' (Do not enter a path if IIS Logs path is configured by default). Click on 'Add data source'\n6. 'Make other preferable configuration changes', if needed, then click **Create**." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "[Option 5] IIS logs of Exchange Servers" + } + ], + "metadata": { + "id": "4b1075ed-80f5-4930-bfe1-877e86b48dc1", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId6'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId6'))]", + "contentId": "[variables('_dataConnectorContentId6')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion6')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": 
"[variables('_dataConnectorContentId6')]", + "contentKind": "DataConnector", + "displayName": "IIS Logs of Microsoft Exchange Servers", + "contentProductId": "[variables('_dataConnectorcontentProductId6')]", + "id": "[variables('_dataConnectorcontentProductId6')]", + "version": "[variables('dataConnectorVersion6')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId6'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId6')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId6'))]", + "contentId": "[variables('_dataConnectorContentId6')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion6')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId6'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "IIS Logs of Microsoft Exchange Servers", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 5] - Using Azure Monitor Agent - You can stream all IIS Logs from the Windows machines connected to your 
Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange IIS logs", + "baseQuery": "W3CIISLog" + } + ], + "dataTypes": [ + { + "name": "W3CIISLog", + "lastDataReceivedQuery": "W3CIISLog | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "W3CIISLog | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "W3CIISLog | sort by TimeGenerated" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 5** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream IIS logs of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Enable data collection rule", + "description": "> IIS logs are collected only from **Windows** agents.", + "instructions": [ + { + "type": "AdminAuditEvents" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Preferred Method)", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption5-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. 
From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create DCR, Type IIS log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. Select the created DCE. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'IIS logs' (Do not enter a path if IIS Logs path is configured by default). Click on 'Add data source'\n6. 'Make other preferable configuration changes', if needed, then click **Create**." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "[Option 5] IIS logs of Exchange Servers" + } + ], + "id": "[variables('_uiConfigId6')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName7')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion7')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId7'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId7')]", + "title": "Microsoft Exchange Message Tracking Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 6] - Using Azure Monitor Agent - You can stream all Exchange Message Tracking from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. Those logs can be used to track the flow of messages in your Exchange environment. 
This data connector is based on the option 6 of the [Microsoft Exchange Security wiki](https://aka.ms/ESI_DataConnectorOptions).", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange Message Tracking logs", + "baseQuery": "MessageTrackingLog_CL" + } + ], + "sampleQueries": [ + { + "description": "Exchange Message Tracking logs", + "query": "MessageTrackingLog_CL | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "MessageTrackingLog_CL", + "lastDataReceivedQuery": "MessageTrackingLog_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "MessageTrackingLog_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 6** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream Message Tracking of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Data Collection Rules - When Azure Monitor Agent is used", + "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule and Custom Table", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption6-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Create Custom Table - Explanation", + "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)." + }, + { + "title": "Create Custom Table using an ARM Template", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-MessageTrackingCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy." + }, + { + "title": "Create Custom Table using PowerShell in Cloud Shell", + "description": "1. From the Azure Portal, open a Cloud Shell.\n2. 
Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t\"schema\": {\n\t\t\t\t\t \"name\": \"MessageTrackingLog_CL\",\n\t\t\t\t\t \"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"directionality\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"reference\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"source\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientIP\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"connectorId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"customData\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"eventId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"internalMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"logId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageSubject\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"networkMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalClientIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalServerIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientCount\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"relatedRecipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"returnPath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"serverIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"sourceContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"schemaVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageTrackingTenantId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"totalBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"transportTrafficType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t'@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/MessageTrackingLog_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE, like ESI-ExchangeServers. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create a DCR, Type Custom log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option6-MessageTrackingLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. 
In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\*.log' in file pattern, 'MessageTrackingLog_CL' in Table Name.\n6.in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend TimeGenerated =todatetime(d[0]) ,clientIP =tostring(d[1]) ,clientHostname =tostring(d[2]) ,serverIp=tostring(d[3]) ,senderHostname=tostring(d[4]) ,sourceContext=tostring(d[5]) ,connectorId =tostring(d[6]) ,source=tostring(d[7]) ,eventId =tostring(d[8]) ,internalMessageId =tostring(d[9]) ,messageId =tostring(d[10]) ,networkMessageId =tostring(d[11]) ,recipientAddress=tostring(d[12]) ,recipientStatus=tostring(d[13]) ,totalBytes=tostring(d[14]) ,recipientCount=tostring(d[15]) ,relatedRecipientAddress=tostring(d[16]) ,reference=tostring(d[17]) ,messageSubject =tostring(d[18]) ,senderAddress=tostring(d[19]) ,returnPath=tostring(d[20]) ,messageInfo =tostring(d[21]) ,directionality=tostring(d[22]) ,messageTrackingTenantId =tostring(d[23]) ,originalClientIp =tostring(d[24]) ,originalServerIp =tostring(d[25]) ,customData=tostring(d[26]) ,transportTrafficType =tostring(d[27]) ,logId =tostring(d[28]) ,schemaVersion=tostring(d[29]) | project-away d,RawData\n and click on 'Destination'.\n6. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n7. Click on 'Add data source'.\n8. Fill other required parameters and tags and create the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. 
Message Tracking of Exchange Servers" + } + ], + "metadata": { + "id": "ababbb06-b977-4259-ab76-87874d353039", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId7'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId7'))]", + "contentId": "[variables('_dataConnectorContentId7')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion7')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId7')]", + "contentKind": "DataConnector", + "displayName": "Microsoft Exchange Message Tracking Logs", + "contentProductId": "[variables('_dataConnectorcontentProductId7')]", + "id": "[variables('_dataConnectorcontentProductId7')]", + "version": "[variables('dataConnectorVersion7')]" + } + }, + { 
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId7'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId7')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId7'))]", + "contentId": "[variables('_dataConnectorContentId7')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion7')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId7'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Microsoft Exchange Message Tracking Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 6] - Using Azure Monitor Agent - You can stream all Exchange Message Tracking from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. Those logs can be used to track the flow of messages in your Exchange environment. 
This data connector is based on the option 6 of the [Microsoft Exchange Security wiki](https://aka.ms/ESI_DataConnectorOptions).", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange Message Tracking logs", + "baseQuery": "MessageTrackingLog_CL" + } + ], + "dataTypes": [ + { + "name": "MessageTrackingLog_CL", + "lastDataReceivedQuery": "MessageTrackingLog_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "MessageTrackingLog_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "sampleQueries": [ + { + "description": "Exchange Message Tracking logs", + "query": "MessageTrackingLog_CL | sort by TimeGenerated" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 6** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream Message Tracking of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Data Collection Rules - When Azure Monitor Agent is used", + "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule and Custom Table", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption6-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Create Custom Table - Explanation", + "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)." + }, + { + "title": "Create Custom Table using an ARM Template", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-MessageTrackingCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy." + }, + { + "title": "Create Custom Table using PowerShell in Cloud Shell", + "description": "1. From the Azure Portal, open a Cloud Shell.\n2. 
Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t\"schema\": {\n\t\t\t\t\t \"name\": \"MessageTrackingLog_CL\",\n\t\t\t\t\t \"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"directionality\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"reference\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"source\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientIP\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"connectorId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"customData\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"eventId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"internalMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"logId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageSubject\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"networkMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalClientIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalServerIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientCount\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"relatedRecipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"returnPath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"serverIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"sourceContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"schemaVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageTrackingTenantId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"totalBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"transportTrafficType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t'@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/MessageTrackingLog_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE, like ESI-ExchangeServers. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create a DCR, Type Custom log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option6-MessageTrackingLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. 
In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\*.log' in file pattern, 'MessageTrackingLog_CL' in Table Name.\n6.in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend TimeGenerated =todatetime(d[0]) ,clientIP =tostring(d[1]) ,clientHostname =tostring(d[2]) ,serverIp=tostring(d[3]) ,senderHostname=tostring(d[4]) ,sourceContext=tostring(d[5]) ,connectorId =tostring(d[6]) ,source=tostring(d[7]) ,eventId =tostring(d[8]) ,internalMessageId =tostring(d[9]) ,messageId =tostring(d[10]) ,networkMessageId =tostring(d[11]) ,recipientAddress=tostring(d[12]) ,recipientStatus=tostring(d[13]) ,totalBytes=tostring(d[14]) ,recipientCount=tostring(d[15]) ,relatedRecipientAddress=tostring(d[16]) ,reference=tostring(d[17]) ,messageSubject =tostring(d[18]) ,senderAddress=tostring(d[19]) ,returnPath=tostring(d[20]) ,messageInfo =tostring(d[21]) ,directionality=tostring(d[22]) ,messageTrackingTenantId =tostring(d[23]) ,originalClientIp =tostring(d[24]) ,originalServerIp =tostring(d[25]) ,customData=tostring(d[26]) ,transportTrafficType =tostring(d[27]) ,logId =tostring(d[28]) ,schemaVersion=tostring(d[29]) | project-away d,RawData\n and click on 'Destination'.\n6. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n7. Click on 'Add data source'.\n8. Fill other required parameters and tags and create the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. 
Message Tracking of Exchange Servers" + } + ], + "id": "[variables('_uiConfigId7')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName8')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion8')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId8'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId8')]", + "title": "Microsoft Exchange HTTP Proxy Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 7] - Using Azure Monitor Agent - You can stream HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you create custom alerts, and improve investigation. 
[Learn more](https://aka.ms/ESI_DataConnectorOptions)", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange HTTPProxy logs", + "baseQuery": "ExchangeHttpProxy_CL" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "ExchangeHttpProxy_CL | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "ExchangeHttpProxy_CL", + "lastDataReceivedQuery": "ExchangeHttpProxy_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ExchangeHttpProxy_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 7** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream HTTP Proxy of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Data Collection Rules - When Azure Monitor Agent is used", + "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered Method)", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption7-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Create Custom Table - Explanation", + "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)." + }, + { + "title": "Create Custom Table using an ARM Template", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-HTTPProxyCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy." + }, + { + "title": "Create Custom Table using PowerShell in Cloud Shell", + "description": "1. From the Azure Portal, open a Cloud Shell.\n2. 
Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t \"schema\": {\n\t\t\t\t\t\t\"name\": \"ExchangeHttpProxy_CL\",\n\t\t\t\t\t\t\"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AccountForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ActivityContextLifeTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ADLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AnchorMailbox\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticatedUser\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticationType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthModulePerfContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndCookie\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndGenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendProcessingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BuildVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CalculateTargetBackEndLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientIpAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CoreLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"DatabaseGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"EdgeTraceId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ErrorCode\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericErrors\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GlsLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerCompletionLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerToModuleSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpPipelineLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpProxyOverhead\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"IsAuthenticated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"KerberosAuthHeaderLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MajorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Method\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MinorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ModuleToHandlerSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Organization\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"PartitionEndpointLookupLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Protocol\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProtocolAction\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyAction\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestHandlerLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResourceForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResponseBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RevisionVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RouteRefresherLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingHint\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerHostName\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorHost\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"SharedCacheLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetOutstandingRequests\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServer\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServerVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalAccountForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalGlsLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalRequestTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalResourceForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalSharedCacheLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlHost\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlQuery\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlStem\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserADObjectGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserAgent\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t }\n\t\t\t }\n\t\t }\n\t\t '@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/ExchangeHttpProxy_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ },
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCE (If not already created for Exchange Servers)",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**."
+ },
+ {
+ "title": "B. Create a DCR, Type Custom log",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option7-HTTPProxyLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. 
In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter the following file pattern : \n\t\t'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Autodiscover\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Eas\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ecp\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ews\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Mapi\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Oab\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Owa\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\OwaCalendar\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\PowerShell\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\RpcHttp\\*.log'\n6. Put 'ExchangeHttpProxy_CL' in Table Name.\n7. 
in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend DateTime=todatetime(d[0]),RequestId=tostring(d[1]) ,MajorVersion=tostring(d[2]) ,MinorVersion=tostring(d[3]) ,BuildVersion=tostring(d[4]) ,RevisionVersion=tostring(d[5]) ,ClientRequestId=tostring(d[6]) ,Protocol=tostring(d[7]) ,UrlHost=tostring(d[8]) ,UrlStem=tostring(d[9]) ,ProtocolAction=tostring(d[10]) ,AuthenticationType=tostring(d[11]) ,IsAuthenticated=tostring(d[12]) ,AuthenticatedUser=tostring(d[13]) ,Organization=tostring(d[14]) ,AnchorMailbox=tostring(d[15]) ,UserAgent=tostring(d[16]) ,ClientIpAddress=tostring(d[17]) ,ServerHostName=tostring(d[18]) ,HttpStatus=tostring(d[19]) ,BackEndStatus=tostring(d[20]) ,ErrorCode=tostring(d[21]) ,Method=tostring(d[22]) ,ProxyAction=tostring(d[23]) ,TargetServer=tostring(d[24]) ,TargetServerVersion=tostring(d[25]) ,RoutingType=tostring(d[26]) ,RoutingHint=tostring(d[27]) ,BackEndCookie=tostring(d[28]) ,ServerLocatorHost=tostring(d[29]) ,ServerLocatorLatency=tostring(d[30]) ,RequestBytes=tostring(d[31]) ,ResponseBytes=tostring(d[32]) ,TargetOutstandingRequests=tostring(d[33]) ,AuthModulePerfContext=tostring(d[34]) ,HttpPipelineLatency=tostring(d[35]) ,CalculateTargetBackEndLatency=tostring(d[36]) ,GlsLatencyBreakup=tostring(d[37]) ,TotalGlsLatency=tostring(d[38]) ,AccountForestLatencyBreakup=tostring(d[39]) ,TotalAccountForestLatency=tostring(d[40]) ,ResourceForestLatencyBreakup=tostring(d[41]) ,TotalResourceForestLatency=tostring(d[42]) ,ADLatency=tostring(d[43]) ,SharedCacheLatencyBreakup=tostring(d[44]) ,TotalSharedCacheLatency=tostring(d[45]) ,ActivityContextLifeTime=tostring(d[46]) ,ModuleToHandlerSwitchingLatency=tostring(d[47]) ,ClientReqStreamLatency=tostring(d[48]) ,BackendReqInitLatency=tostring(d[49]) ,BackendReqStreamLatency=tostring(d[50]) ,BackendProcessingLatency=tostring(d[51]) ,BackendRespInitLatency=tostring(d[52]) ,BackendRespStreamLatency=tostring(d[53]) ,ClientRespStreamLatency=tostring(d[54]) 
,KerberosAuthHeaderLatency=tostring(d[55]) ,HandlerCompletionLatency=tostring(d[56]) ,RequestHandlerLatency=tostring(d[57]) ,HandlerToModuleSwitchingLatency=tostring(d[58]) ,ProxyTime=tostring(d[59]) ,CoreLatency=tostring(d[60]) ,RoutingLatency=tostring(d[61]) ,HttpProxyOverhead=tostring(d[62]) ,TotalRequestTime=tostring(d[63]) ,RouteRefresherLatency=tostring(d[64]) ,UrlQuery=tostring(d[65]) ,BackEndGenericInfo=tostring(d[66]) ,GenericInfo=tostring(d[67]) ,GenericErrors=tostring(d[68]) ,EdgeTraceId=tostring(d[69]) ,DatabaseGuid=tostring(d[70]) ,UserADObjectGuid=tostring(d[71]) ,PartitionEndpointLookupLatency=tostring(d[72]) ,RoutingStatus=tostring(d[73]) | extend TimeGenerated = DateTime | project-away d,RawData,DateTime | project-away d,RawData,DateTime\n and click on 'Destination'.\n8. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n9. Click on 'Add data source'.\n10. Fill other required parameters and tags and create the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ },
+ {
+ "title": "Assign the DCR to all Exchange Servers",
+ "description": "Add all your Exchange Servers to the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "2. 
[Option 7] HTTP Proxy of Exchange Servers"
+ }
+ ],
+ "metadata": {
+ "id": "2e63ad0e-84e3-4f01-b210-9db0bc42b8ff",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId8'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId8'))]",
+ "contentId": "[variables('_dataConnectorContentId8')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion8')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId8')]",
+ "contentKind": "DataConnector",
+ "displayName": "Microsoft Exchange HTTP Proxy Logs",
+ "contentProductId": "[variables('_dataConnectorcontentProductId8')]",
+ "id": "[variables('_dataConnectorcontentProductId8')]",
+ "version": "[variables('dataConnectorVersion8')]"
+ }
+ },
+ { 
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId8'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId8')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId8'))]",
+ "contentId": "[variables('_dataConnectorContentId8')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion8')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId8'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "Microsoft Exchange HTTP Proxy Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "[Option 7] - Using Azure Monitor Agent - You can stream HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you create custom alerts, and improve investigation. 
[Learn more](https://aka.ms/ESI_DataConnectorOptions)",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Exchange HTTPProxy logs",
+ "baseQuery": "ExchangeHttpProxy_CL"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "ExchangeHttpProxy_CL",
+ "lastDataReceivedQuery": "ExchangeHttpProxy_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "ExchangeHttpProxy_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit logs",
+ "query": "ExchangeHttpProxy_CL | sort by TimeGenerated"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 7** of the wiki."
+ },
+ {
+ "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Deploy Monitor Agents",
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel"
+ },
+ {
+ "description": "Select how to stream HTTP Proxy of Exchange Servers",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Data Collection Rules - When Azure Monitor Agent is used",
+ "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered Method)",
+ "description": "Use this method for automated deployment of the DCE and DCR.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCE (If not already created for Exchange Servers)",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy."
+ },
+ {
+ "title": "B. Deploy Data Connection Rule",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption7-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Automation",
+ "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Create Custom Table - Explanation",
+ "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)."
+ },
+ {
+ "title": "Create Custom Table using an ARM Template",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-HTTPProxyCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy."
+ },
+ {
+ "title": "Create Custom Table using PowerShell in Cloud Shell",
+ "description": "1. From the Azure Portal, open a Cloud Shell.\n2. 
Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t \"schema\": {\n\t\t\t\t\t\t\"name\": \"ExchangeHttpProxy_CL\",\n\t\t\t\t\t\t\"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AccountForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ActivityContextLifeTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ADLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AnchorMailbox\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticatedUser\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticationType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthModulePerfContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndCookie\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndGenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendProcessingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BuildVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CalculateTargetBackEndLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientIpAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CoreLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"DatabaseGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"EdgeTraceId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ErrorCode\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericErrors\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GlsLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerCompletionLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerToModuleSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpPipelineLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpProxyOverhead\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"IsAuthenticated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"KerberosAuthHeaderLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MajorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Method\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MinorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ModuleToHandlerSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Organization\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"PartitionEndpointLookupLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Protocol\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProtocolAction\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyAction\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestHandlerLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResourceForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResponseBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RevisionVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RouteRefresherLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingHint\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerHostName\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorHost\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"SharedCacheLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetOutstandingRequests\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServer\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServerVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalAccountForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalGlsLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalRequestTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalResourceForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalSharedCacheLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlHost\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlQuery\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlStem\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserADObjectGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserAgent\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t }\n\t\t\t }\n\t\t }\n\t\t '@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/ExchangeHttpProxy_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ },
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCE (If not already created for Exchange Servers)",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**."
+ },
+ {
+ "title": "B. Create a DCR, Type Custom log",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option7-HTTPProxyLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. 
In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter the following file pattern : \n\t\t'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Autodiscover\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Eas\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ecp\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ews\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Mapi\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Oab\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Owa\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\OwaCalendar\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\PowerShell\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\RpcHttp\\*.log'\n6. Put 'ExchangeHttpProxy_CL' in Table Name.\n7. 
in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend DateTime=todatetime(d[0]),RequestId=tostring(d[1]) ,MajorVersion=tostring(d[2]) ,MinorVersion=tostring(d[3]) ,BuildVersion=tostring(d[4]) ,RevisionVersion=tostring(d[5]) ,ClientRequestId=tostring(d[6]) ,Protocol=tostring(d[7]) ,UrlHost=tostring(d[8]) ,UrlStem=tostring(d[9]) ,ProtocolAction=tostring(d[10]) ,AuthenticationType=tostring(d[11]) ,IsAuthenticated=tostring(d[12]) ,AuthenticatedUser=tostring(d[13]) ,Organization=tostring(d[14]) ,AnchorMailbox=tostring(d[15]) ,UserAgent=tostring(d[16]) ,ClientIpAddress=tostring(d[17]) ,ServerHostName=tostring(d[18]) ,HttpStatus=tostring(d[19]) ,BackEndStatus=tostring(d[20]) ,ErrorCode=tostring(d[21]) ,Method=tostring(d[22]) ,ProxyAction=tostring(d[23]) ,TargetServer=tostring(d[24]) ,TargetServerVersion=tostring(d[25]) ,RoutingType=tostring(d[26]) ,RoutingHint=tostring(d[27]) ,BackEndCookie=tostring(d[28]) ,ServerLocatorHost=tostring(d[29]) ,ServerLocatorLatency=tostring(d[30]) ,RequestBytes=tostring(d[31]) ,ResponseBytes=tostring(d[32]) ,TargetOutstandingRequests=tostring(d[33]) ,AuthModulePerfContext=tostring(d[34]) ,HttpPipelineLatency=tostring(d[35]) ,CalculateTargetBackEndLatency=tostring(d[36]) ,GlsLatencyBreakup=tostring(d[37]) ,TotalGlsLatency=tostring(d[38]) ,AccountForestLatencyBreakup=tostring(d[39]) ,TotalAccountForestLatency=tostring(d[40]) ,ResourceForestLatencyBreakup=tostring(d[41]) ,TotalResourceForestLatency=tostring(d[42]) ,ADLatency=tostring(d[43]) ,SharedCacheLatencyBreakup=tostring(d[44]) ,TotalSharedCacheLatency=tostring(d[45]) ,ActivityContextLifeTime=tostring(d[46]) ,ModuleToHandlerSwitchingLatency=tostring(d[47]) ,ClientReqStreamLatency=tostring(d[48]) ,BackendReqInitLatency=tostring(d[49]) ,BackendReqStreamLatency=tostring(d[50]) ,BackendProcessingLatency=tostring(d[51]) ,BackendRespInitLatency=tostring(d[52]) ,BackendRespStreamLatency=tostring(d[53]) ,ClientRespStreamLatency=tostring(d[54]) 
,KerberosAuthHeaderLatency=tostring(d[55]) ,HandlerCompletionLatency=tostring(d[56]) ,RequestHandlerLatency=tostring(d[57]) ,HandlerToModuleSwitchingLatency=tostring(d[58]) ,ProxyTime=tostring(d[59]) ,CoreLatency=tostring(d[60]) ,RoutingLatency=tostring(d[61]) ,HttpProxyOverhead=tostring(d[62]) ,TotalRequestTime=tostring(d[63]) ,RouteRefresherLatency=tostring(d[64]) ,UrlQuery=tostring(d[65]) ,BackEndGenericInfo=tostring(d[66]) ,GenericInfo=tostring(d[67]) ,GenericErrors=tostring(d[68]) ,EdgeTraceId=tostring(d[69]) ,DatabaseGuid=tostring(d[70]) ,UserADObjectGuid=tostring(d[71]) ,PartitionEndpointLookupLatency=tostring(d[72]) ,RoutingStatus=tostring(d[73]) | extend TimeGenerated = DateTime | project-away d,RawData,DateTime | project-away d,RawData,DateTime\n and click on 'Destination'.\n8. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n9. Click on 'Add data source'.\n10. Fill other required parameters and tags and create the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ },
+ {
+ "title": "Assign the DCR to all Exchange Servers",
+ "description": "Add all your Exchange Servers to the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "2. 
[Option 7] HTTP Proxy of Exchange Servers" + } + ], + "id": "[variables('_uiConfigId8')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject1').parserTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ExchangeAdminAuditLogs Data Parser with template version 3.3.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject1').parserVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject1')._parserName1]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for ExchangeAdminAuditLogs", + "category": "Microsoft Sentinel Parser", + "functionAlias": "ExchangeAdminAuditLogs", + "query": "let CmdletCheck = externaldata (Cmdlet:string, UserOriented:string, RestrictToParameter:string, Parameters:string)[h\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/CmdletWatchlist.csv\"]with(format=\"csv\",ignoreFirstRecord=true);\nlet SensitiveCmdlets = CmdletCheck | project tostring(Cmdlet) ;\nlet Check = (T:(*)) {\n let fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [\n \"NONE\",\"NONE\",\"NONE\",\"NONE\",\"00000001-0000-1000-0000-100000000000\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName 
_GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != \"00000001-0000-1000-0000-100000000000\" | project-away TableName;\n let SearchUserDisplayName = T | join Watchlist on $left.TargetObject == $right.displayName | project TargetObject,SearchKey;\n let SearchUserUPN = T | join Watchlist on $left.TargetObject == $right.userPrincipalName | project TargetObject,SearchKey;\n let SearchUserCanonicalName = T | join Watchlist on $left.TargetObject == $right.canonicalName | project TargetObject,SearchKey;\n let SearchUserSAMAccountName = T | join Watchlist on $left.TargetObject == $right.sAMAccountName | project TargetObject,SearchKey;\n let SearchUserObjectSID = T | join Watchlist on $left.TargetObject == $right.objectSID | project TargetObject,SearchKey;\n let SearchUserObjectGUID = T | join (Watchlist | extend objectGuidString = tostring(objectGUID)) on $left.TargetObject == $right.objectGuidString | project TargetObject,SearchKey;\n let SearchUserDistinguishedName = T | join Watchlist on $left.TargetObject == $right.distinguishedName | project TargetObject,SearchKey;\n union isfuzzy=true withsource=TableName \n SearchUserDisplayName, \n SearchUserUPN, \n SearchUserCanonicalName, \n SearchUserSAMAccountName,\n SearchUserObjectSID,\n SearchUserObjectGUID,\n SearchUserDistinguishedName\n };\nlet Env = ExchangeConfiguration(SpecificSectionList=\"ESIEnvironment\")\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\n| project DomainFQDN_, ESIEnvironment;\nlet EventList = Event\n | where EventLog == 'MSExchange Management'\n | where EventID in (1,6) // 1 = Success, 6 = Failure\n | parse ParameterXml with '' CmdletName '' CmdletParameters '' Caller '' *\n | extend TargetObject = iif( CmdletParameters has \"-Identity \", split(split(CmdletParameters,'-Identity ')[1],'\"')[1], iif( CmdletParameters has \"-Name \", split(split(CmdletParameters,'-Name ')[1],'\"')[1], \"\"));\nlet MSExchange_Management = (){\nEventList\n | extend Status = case( EventID == 
1, 'Success', 'Failure')\n | join kind=leftouter (EventList | project TargetObject | invoke Check()) on TargetObject\n | extend IsVIP = iif(SearchKey == \"\", false, true)\n | join kind=leftouter ( \n MESCheckVIP() ) on SearchKey\n | extend CmdletNameJoin = tolower(CmdletName)\n | join kind=leftouter ( \n CmdletCheck\n | extend CmdletNameJoin = tolower(Cmdlet)\n ) on CmdletNameJoin\n | extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\n | join kind=leftouter ( \n Env\n ) on $left.DomainEnv == $right.DomainFQDN_\n | extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\"Unknown-\",DomainEnv))\n | extend IsSenstiveCmdlet = iif( isnotempty(CmdletNameJoin1) , true, false) \n | extend IsRestrictedCmdLet = iif(IsSenstiveCmdlet == true, iif( RestrictToParameter == \"Yes\", true, false), dynamic(null))\n | extend RestrictedParameters = iif(IsSenstiveCmdlet == true, split(tolower(Parameters),';'), dynamic(null))\n | extend ExtractedParameters = iif(IsSenstiveCmdlet == true,extract_all(@\"\\B(-\\w+)\", tolower(CmdletParameters)), dynamic(null))\n | extend IsSenstiveCmdletParameters = iif(IsSenstiveCmdlet == true,iif( array_length(set_difference(ExtractedParameters,RestrictedParameters)) == array_length(ExtractedParameters), false, true ) , false)\n | extend IsSensitive = iif( ( IsSenstiveCmdlet == true and IsRestrictedCmdLet == false ) or (IsSenstiveCmdlet == true and IsRestrictedCmdLet == true and IsSenstiveCmdletParameters == true ), true, false )\n | project TimeGenerated,Computer,Status,Caller,TargetObject,IsVIP,canonicalName,displayName,distinguishedName,objectGUID,objectSID,sAMAccountName,userPrincipalName,CmdletName,CmdletParameters,IsSenstiveCmdlet,IsRestrictedCmdLet,ExtractedParameters,RestrictedParameters,IsSenstiveCmdletParameters,IsSensitive,UserOriented, ESIEnvironment\n};\nMSExchange_Management\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + 
"value": ""
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
+ "dependsOn": [
+ "[variables('parserObject1')._parserId1]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ExchangeAdminAuditLogs Data Parser')]",
+ "contentId": "[variables('parserObject1').parserContentId1]",
+ "kind": "Parser",
+ "version": "[variables('parserObject1').parserVersion1]",
+ "source": {
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "kind": "Solution",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('parserObject1').parserContentId1]",
 "contentKind": "Parser",
 "displayName": "Parser for ExchangeAdminAuditLogs",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.3.0')))]",
@@ -2256,7 +5118,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ExchangeConfiguration Data Parser with template version 3.1.5",
+ "description": "ExchangeConfiguration Data Parser with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject2').parserVersion2]",
@@ -2386,7 +5248,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ExchangeEnvironmentList Data Parser with template version 3.1.5",
+ "description": "ExchangeEnvironmentList Data Parser with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject3').parserVersion3]",
@@ -2516,7 +5378,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MESCheckVIP Data Parser with template version 3.1.5",
+ "description": "MESCheckVIP Data Parser with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject4').parserVersion4]",
@@ -2637,6 +5499,136 @@
 }
 }
 },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('parserObject5').parserTemplateSpecName5]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MESCompareDataOnPMRA Data Parser with template version 3.3.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('parserObject5').parserVersion5]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[variables('parserObject5')._parserName5]",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Parser for MRA Configuration Data Comparison On-Premises",
+ "category": "Microsoft Sentinel Parser",
+ "functionAlias": "MESCompareDataOnPMRA",
+ "query": "// Version: 1.0.0\n// Last Updated: 30/08/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. 
ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeConfig_CL\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where 
WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , 
strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n//| extend WhenChanged = case(Actiontype == \"Modif\" , tostring(bin(WhenChanged,1m)), Actiontype == \"Add\",tostring(bin(WhenChanged,1m)),Actiontype == \"Remove\",\"NoInformation\",\"N/A\")\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| 
project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope, \n RecipientWriteScope, \n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n",
+ "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": ""
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]",
+ "dependsOn": [
+ "[variables('parserObject5')._parserId5]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataOnPMRA')]",
+ "contentId": "[variables('parserObject5').parserContentId5]",
+ "kind": "Parser",
+ "version": "[variables('parserObject5').parserVersion5]",
+ "source": {
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "kind": "Solution",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('parserObject5').parserContentId5]",
+ "contentKind": "Parser",
+ "displayName": "Parser for MRA Configuration Data Comparison On-Premises",
+ "contentProductId": 
"[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]",
+ "version": "[variables('parserObject5').parserVersion5]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "[variables('parserObject5')._parserName5]",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Parser for MRA Configuration Data Comparison On-Premises",
+ "category": "Microsoft Sentinel Parser",
+ "functionAlias": "MESCompareDataOnPMRA",
+ "query": "// Version: 1.0.0\n// Last Updated: 30/08/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. 
ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeConfig_CL\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where 
WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , 
strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n//| extend WhenChanged = case(Actiontype == \"Modif\" , tostring(bin(WhenChanged,1m)), Actiontype == \"Add\",tostring(bin(WhenChanged,1m)),Actiontype == \"Remove\",\"NoInformation\",\"N/A\")\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| 
project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope, \n RecipientWriteScope, \n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n", + "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", + "dependsOn": [ + "[variables('parserObject5')._parserId5]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataOnPMRA')]", + "contentId": "[variables('parserObject5').parserContentId5]", + "kind": "Parser", + "version": "[variables('parserObject5').parserVersion5]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", 
@@ -2646,7 +5638,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Microsoft Exchange Least Privilege with RBAC Workbook with template version 3.1.5",
+ "description": "Microsoft Exchange Least Privilege with RBAC Workbook with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -2666,7 +5658,7 @@ "displayName": "[parameters('workbook1-name')]", "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"743317e2-ebcf-4958-861d-4ff97fc7cce1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"On-Premises\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in 
(_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":1,\"content\":{\"json\":\"This workbook displayed the custom RBAC delegations: 
on default groups, on Custom Roles groups, Using custom roles.
\\r\\nSelect your Exchange Organization and adjust the time range.\\r\\nBy default, the Help won't be displayed. To display the help, choose Yes on the toogle buttom \\\"Show Help\\\"\",\"style\":\"info\"},\"name\":\"text - 8\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"e59f0f7f-fd05-4ec8-9f59-e4d9c3b589f2\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Current RBAC Delegation\",\"subTarget\":\"RBACDelegation\",\"preText\":\"RBAC Delegation\",\"postText\":\"\",\"style\":\"link\"},{\"id\":\"67739913-b364-4071-864d-faf4d94c9ad6\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Custom Roles\",\"subTarget\":\"CustomRole\",\"style\":\"link\"},{\"id\":\"8def944a-53fe-4544-bc8f-5b3ca66eda34\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Default Groups content\",\"subTarget\":\"DefaultGroup\",\"preText\":\"Default Group\",\"style\":\"link\"},{\"id\":\"5eeebe10-be67-4f8a-9d91-4bc6c70c3e16\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"start\",\"style\":\"link\"}]},\"name\":\"links - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegations\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The current delegations are compared to an export of default delegations done on Exchange 2019.\\r\\nTo find which is used for the comparaison please follow this link.\\r\\nThe export is located on the public GitHub of the project.\\r\\n\\r\\ncheck this link :
https://aka.ms/esiwatchlist\\r\\n\\r\\nIt will be updated by the team project.\\r\\n\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegations on User Accounts\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays custom delegations set directly on User Accounts.\"},\"name\":\"text - 2 - Copy\"},{\"type\":1,\"content\":{\"json\":\"This section displays all the nonstandard delegations done directly to a user account.\\r\\n\\r\\nDetailed information for the user accounts will be displayed.\\r\\n\\r\\nThis status is done by comparing current delegation with the default delegations for latest export of default Exchange 2019 delegation located in the public GitHub of the project.\\r\\n\\r\\nThese types of delegations are not visible on the Exchange Admin Center.\\r\\n\\r\\nUsual results :\\r\\n\\r\\n - Delegations done directly to service account. Being able to see this delegation will help to sanityze the environment as some delegations may be no more necessary\\r\\n\\r\\n - Delegation done by mistake directly to Administrator Accounts\\r\\n\\r\\n - Suspicious delegations\\r\\n\\r\\nDetailed information for the user accounts will be displayed in the sections below.\\r\\n\\r\\nView RBAC effective permissions\\r\\n\\r\\nGet-ManagementRoleAssignment\\r\\n\\r\\nUnderstanding Role Based Access Control\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d9d4e0a2-b75d-4825-9f4e-7606516500e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"query\":\"let DefMRA = externaldata 
(Name:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/StandardMRA.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"0\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct RoleAssigneeName\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"46c608de-033d-4c4f-99e6-2784439cfa18\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Role\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n|extend Role=tostring (CmdletResultValue.Role.Name)\\r\\n| distinct Role\\r\\n| sort by Role asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/StandardMRA.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.RoleAssigneeName endswith \\\"{RoleAssignee}\\\" \\r\\n| where CmdletResultValue.Role.Name contains \\\"{Role}\\\"\\r\\n| 
where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"0\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Role = tostring(CmdletResultValue.Role.Name)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", \\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\")\\r\\n| project Name,Role,RoleAssigneeName, RoleAssignmentDelegationType,Status,CustomRecipientWriteScope, CustomConfigWriteScope, 
RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope,WhenCreated, WhenChanged\\r\\n| sort by RoleAssigneeName asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Custom Delegations on User Accounts\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation on Groups\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays custom delegations set on groups.\"},\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"This section displays all the nonstandard delegations done for standard and nonstandard groups. 
Indeed, default groups have a list of default delegations but an Exchange administrators can add also new roles to the default groups.\\r\\n\\r\\nThis status is done by comparing current delegation with the default delegations for latest export of default Exchange 2019 delegation located in the public GitHub of the project.\\r\\n\\r\\n\\r\\nUsual results :\\r\\n\\r\\n - Delegations done for role group Organization Management to role like Mailbox Import Export or Mailbox Search (by default this delegation is not configured)\\r\\n\\r\\n - Delegation done by mistake\\r\\n\\r\\n - Suspicious delegations\\r\\n\\r\\nDetailed information for the user accounts present in the groups will be displayed in the sections below.\\r\\n\\r\\nView RBAC effective permissions\\r\\n\\r\\nGet-ManagementRoleAssignment\\r\\n\\r\\nUnderstanding Role Based Access Control \\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c548eb09-54e3-41bf-a99d-be3534f7018b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/StandardMRA.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"10\\\" or CmdletResultValue.RoleAssigneeType == \\\"2\\\" or CmdletResultValue.RoleAssigneeType == \\\"12\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct 
RoleAssigneeName\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"rowLimit\":10000},{\"id\":\"4194717a-4a09-4c73-b02d-b1ac8587619d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Role\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n|extend Role=tostring (CmdletResultValue.Role.Name)\\r\\n| distinct Role\\r\\n| sort by Role asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/StandardMRA.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nlet RoleG = ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| project RoleAssigneeName=tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.RoleAssigneeName endswith \\\"{RoleAssignee}\\\" \\r\\n| where CmdletResultValue.Role.Name contains \\\"{Role}\\\"\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"10\\\" or CmdletResultValue.RoleAssigneeType == \\\"2\\\" or CmdletResultValue.RoleAssigneeType == \\\"12\\\"\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Role = tostring(CmdletResultValue.Role.Name)\\r\\n| extend RoleAssigneeName = 
tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend LinkedGroup = iff(tostring(CmdletResultValue.RoleAssigneeType)==\\\"12\\\", \\\"Yes\\\",\\\"No\\\")\\r\\n|lookup RoleG on RoleAssigneeName \\r\\n//| extend LinkedGroup = iff(tostring(LinkedGroup)==\\\"12\\\", \\\"Yes\\\",\\\"No\\\")\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", \\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| project Name,Role,RoleAssigneeName,LinkedGroup, RoleAssignmentDelegationType,Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, 
ConfigWriteScope, ConfigReadScope, RecipientReadScope,WhenCreated, WhenChanged\\r\\n| sort by RoleAssigneeName asc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Custom Delegation on Groups\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"RBACDelegation\"},\"name\":\"Custom Delegation\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Information for Role Assignee\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Information for Role Assignee User account\",\"items\":[{\"type\":1,\"content\":{\"json\":\"In the previous section, custom delegations for user have been displayed.\\r\\n\\r\\nThis section display detailed information for the accounts found in the previous. 
Once you know that an account has a high privilege delegations, you may want to have additional information like Last Logon, Password Last Set...\\r\\n\\r\\nSelect a user un the dropdown list.\\r\\n\\r\\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 366 days\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"This section displays details information for user accounts found with non standard delegations :\\r\\n - Last logon\\r\\n - Last Password changed\\r\\n - Account enabled\\r\\n\\r\\nYou may find old service accounts that are no more used, or with a last password set very old...\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"27e4c2e9-d113-4bf9-808f-0f8f68b5152e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"isRequired\":true,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/StandardMRA.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"0\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct RoleAssigneeName\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"10c2eb2f-2cf2-4650-a9f1-3ee646acaebb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last 
Logon\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"},{\"id\":\"6f7128ee-2f2c-421d-bc9f-37aee85fb214\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"DirectRoleAssignments\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.SamAccountName contains \\\"{RoleAssignee}\\\"\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == 
\\\"\\\"\\r\\n| project CmdletResultValue\\r\\n| extend ManagementRoleAssignment = tostring(CmdletResultValue.Parentgroup)\\r\\n| extend Account = tostring(CmdletResultValue.SamAccountName)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\", iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ Never logged\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ Password never set\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Account asc\",\"size\":1,\"showAnalytics\":true,\"color\":\"green\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ManagementRoleAssignment\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ManagementRoleAssignment\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Information for Role Assignee User account\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Information for Role Assignee group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Details information for Group delegation\\r\\nIn the 
previous section, custom delegations for groups have been displayed.\\r\\n\\r\\nThis section display detailed information for the accounts found in the group displayed in the previuos section. Once you know that an account has a high privilege delegations, you may want to have additional information like Last Logon, Password Last Set...\\r\\n\\r\\nSelect a group un the dropdown list.\\r\\n\\r\\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 366 days\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"This section displays details information for user accounts included in the found groups with non standard delegation : \\r\\n\\r\\n - Last logon\\r\\n - Last Password changed\\r\\n - Account enabled\\r\\n\\r\\nYou may find old service accounts that are no more used, or with a last password set very old...\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"75c3cdf3-d0c3-46c3-83ae-429979774234\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"isRequired\":true,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/StandardMRA.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"10\\\" or CmdletResultValue.RoleAssigneeType == \\\"2\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| 
distinct RoleAssigneeName\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1a3b374c-0467-4fd9-b2fc-edebd0a97302\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"},{\"id\":\"170db194-195f-4991-b726-6c0658562616\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.Parentgroup contains \\\"{RoleAssignee}\\\"\\r\\n| where 
todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| project CmdletResultValue\\r\\n| extend Level_ = tostring(CmdletResultValue.Level)\\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\", iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ Never logged\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ Password never set\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| project-away CmdletResultValue, Level_,Parentgroup\\r\\n| sort by MemberPath asc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Information for Role Assignee 
group\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"RBACDelegation\"},\"name\":\"Information for Role Assignee\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Linked Groups information\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Information for Linked Groups\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Display associated remote forest's group for Linked Group\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.RoleGroupType == \\\"1\\\"\\r\\n//| extend ManagementRoleAssignment = tostring(CmdletResultValue.Name)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.Name)\\r\\n| extend LinkedGroup = tostring(CmdletResultValue.LinkedGroup)\\r\\n//| extend LinkedGroup = iff(tostring(CmdletResultValue.RoleAssigneeType)==\\\"12\\\", \\\"Yes\\\",\\\"No\\\")\\r\\n//|lookup RoleG on RoleAssigneeName \\r\\n//| extend LinkedGroup = iff(tostring(LinkedGroup)==\\\"12\\\", \\\"Yes\\\",\\\"No\\\")\\r\\n| project RoleAssigneeName, LinkedGroup, WhenCreated, WhenChanged\\r\\n| sort by RoleAssigneeName asc\",\"size\":1,\"showAnalytics\":true,\"color\":\"green\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Information for Linked Groups\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"RBACDelegation\"},\"name\":\"Linked Groups 
information\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Compliance Management\\\", \\\"Delegated Setup\\\",\\\"Discovery Management\\\",\\\"Help Desk\\\",\\\"Hygiene Management\\\",\\\"Organization Management\\\",\\\"Public Folder Management\\\",\\\"Recipient Management\\\",\\\"Records Management\\\",\\\"Security Administrator\\\",\\\"Security Reader\\\",\\\"Server Management\\\",\\\"UM Management\\\",\\\"View-Only Organization Management\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.Parentgroup in (StandardGroup)\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| summarize Total = count()-1 by Parentgroup\\r\\n| extend Comment = case (Total>0 and Parentgroup contains \\\"Discovery Management\\\", \\\"❌ This group should be empty Just in time should be used\\\", Total>5 and Parentgroup contains \\\"Organization Management\\\", \\\"❌ The content of this group should limited to only Level 3 Administrators\\\", Total>0 and Parentgroup contains \\\"Hygiene Management\\\", \\\"❌ This group should be empty or only contains Exchange server and/or Exchange antivirus Spam accounts\\\", \\\"Remember to regularly review the content of the group\\\")\\r\\n| sort by Parentgroup asc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Numbers of members for high privileges groups\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"All the default Exchange groups located in the default Exchange OU : Microsoft Exchange Security Groups are displayed with their number of members.\\r\\n\\r\\nIt is very important to monitor the content of Exchange groups and raise an alert when a new member is added.\\r\\n\\r\\nFor critical groups, a warning is display if the number exceeded a define thresold :\\r\\n - Discovery Management: This group should be empty, so a warning is displayed when the group is not empty\\r\\n\\r\\n - Organization Management : This group should only contain only Exchange expert. No service account should be member of this groupe. A warning is display when the total numer of member exceeded 5\\r\\n - Hygiene Management : This group can acces and moidify the content of all mailboxes using EWS. A warning is display when the group is not empty. 
This warning can be ignored if the accounts are the Antispam service account or Exchange servers Computer accounts\"},\"name\":\"text - 0\"}]},\"name\":\"group - 1\"}]},\"name\":\"Summarize Number of Member Per Group\"},{\"type\":1,\"content\":{\"json\":\"❌ : for last logon displayed when user logged or the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 366 days\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7c281d60-8434-4636-b85e-aef6296f1107\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"e122a0de-1395-4002-96f9-cc057c257518\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 
10y\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Compliance Management\\\", \\\"Delegated Setup\\\",\\\"Discovery Management\\\",\\\"Help Desk\\\",\\\"Hygiene Management\\\",\\\"Organization Management\\\",\\\"Public Folder Management\\\",\\\"Recipient Management\\\",\\\"Records Management\\\",\\\"Security Administrator\\\",\\\"Security Reader\\\",\\\"Server Management\\\",\\\"UM Management\\\",\\\"View-Only Organization Management\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.Parentgroup in (StandardGroup)\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| where Level !=0\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\", iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ Never logged\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| 
extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ Password never set\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| project-away CmdletResultValue\\r\\n| sort by MemberPath asc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Default Exchange groups content\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"$gen_group\",\"formatter\":1},{\"columnMatch\":\"ParentGroup\",\"formatter\":1},{\"columnMatch\":\"Parentgroup\",\"formatter\":5},{\"columnMatch\":\"Group\",\"formatter\":1}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Parentgroup\"],\"finalBy\":\"Parentgroup\"},\"labelSettings\":[{\"columnId\":\"Parentgroup\",\"label\":\"ParentGroup\"}]}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section the content of the groups with details informations.\\r\\n\\r\\nIt is recommended to check the Last logon and last password change informations.\"},\"name\":\"text - 0\"}]},\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"DefaultGroup\"},\"name\":\"group - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Let start with Least Privileges with RBAC\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\nThe goals of this workbook is to show you the current RBAC 
delegation\\r\\n\\r\\n\\r\\nThis workbook will display :\\r\\n\\r\\n - NonStandrd RBAC delegation\\r\\n\\r\\n - Exchange default group content\\r\\n\\r\\n - Analysis of the actions performed by Organization Management members to remove them from the groups\\r\\n\\r\\n----\\r\\n\\r\\n## Tabs\\r\\n\\r\\n### Current RBAC Delegation\\r\\n\\r\\nThis tab will show all the nonstandard RBAC delegation.\\r\\n\\r\\n**Most of the time RBAC are done and forgotten... This tab will provide a clear statut of the delegation and help with the remediation.**\\r\\n\\r\\nBy nonstandard, it means that the current delegation are compared to the delegation from Exchange 2019 CU11.\\r\\n\\r\\nNonstandard delegation for standard groups like Organization Management will also be displayed.\\r\\n\\r\\nDetail information for found will be displayed : Last logon, last password changed...\\r\\n\\r\\n### Default Group content\\r\\n\\r\\nThis tab will show the number of members for default Exchange groups and their content.\\r\\n\\r\\nMost of the time, the content of common Exchange groups but Exchange is shipped with many groups that have very high privileges and its interesting to see that they are not empty as expected.\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"start\"},\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Role details\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"List of Custom Roles\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows the Custom management roles that exist in your environnment and the name of the parent's role\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"Liste of existing Custom roles\"},\"customWidth\":\"50\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"List of Custom with a Management Role 
Assignement (associated with a group or a user). Display the target account and scope if set\"},\"customWidth\":\"50\",\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| extend ParentRole = CmdletResultValue.Parent.Name\\r\\n| extend WhenCreated = WhenCreated\\r\\n| project Identity, ParentRole, WhenCreated, WhenChanged\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Role.Parent.Parent == \\\"Roles\\\"\\r\\n| where CmdletResultValue.RoleAssignmentDelegationType <> 6\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Role = tostring(CmdletResultValue.Role.Name)\\r\\n//| extend Scope = tostring(CmdletResultValue.RecipientWriteScope)\\r\\n| extend Scope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n//| project Role = tostring(CmdletResultValue.Role.Name)\\r\\n| distinct Role,RoleAssigneeName,Scope\\r\\n| project 
Role,RoleAssigneeName,Scope\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Role.Parent.Parent == \\\"Roles\\\"\\r\\n| where CmdletResultValue.RoleAssignmentDelegationType <> 6\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Scope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| project Role = tostring(CmdletResultValue.Role.Name), Scope, RoleAssigneeName\\r\\n| join kind=fullouter (MRcustomRoles) on Role\\r\\n| project Role = Role1, Scope, RoleAssigneeName,Comment = iff(Role == \\\"\\\", \\\"⚠️ No existing delegation for this role\\\", \\\"✅ This role is delegated with a Management Role Assignment\\\")\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", 
SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n | project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Role.Parent.Parent == \\\"Roles\\\"\\r\\n| where CmdletResultValue.RoleAssignmentDelegationType <> 6\\r\\n| project Role = tostring(CmdletResultValue.Role.Name)\\r\\n| join kind=fullouter (MRcustomRoles) on Role\\r\\n| summarize acount = count() by iff( Role==\\\"\\\",\\\"Number of non assigned roles\\\", Role)\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"name\":\"List of Custom Roles\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Roles delegation on group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows delegation associated with the Custom Roles\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Role.Parent.Parent == \\\"Roles\\\"\\r\\n| where CmdletResultValue.RoleAssignmentDelegationType <> 6\\r\\n| extend Role = tostring(CmdletResultValue.Role.Name)\\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend 
CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", \\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, Role, RoleAssigneeType, CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, 
WhenChanged\\r\\n\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Details for Custom Roles Cmdlets \",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays for the chosen custom management roles all Cmdlets and their parameters associated with this custom role.\\r\\nRemember that for a cmdlet, some parameters can be removed.\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"07c8ac83-371d-4702-ab66-72aeb2a20053\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CustomRole\",\"type\":2,\"isRequired\":true,\"query\":\" ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| project Identity\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedRole = toscalar ( ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| where Identity contains \\\"{CustomRole}\\\"\\r\\n| extend ParentRole = CmdletResultValue.Parent.Name\\r\\n| project ParentRole);\\r\\nlet DefMRA = 
externaldata (Role:string,CmdletCount:string,Parameters:string )[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/RBACRoleCmdlet.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| where Role == SelectedRole | summarize CmdletCount=count() by Role;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRCustomDetails\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where (replace_string(replace_string(tostring(split(CmdletResultValue.Role.DistinguishedName,\\\",\\\",0)),\\\"[\\\\\\\"CN=\\\",\\\"\\\"),\\\"\\\\\\\"]\\\",\\\"\\\")) contains \\\"{CustomRole}\\\"\\r\\n| extend CustomRoleName = replace_string(replace_string(tostring(split(CmdletResultValue.Role.DistinguishedName,\\\",\\\",0)),\\\"[\\\\\\\"CN=\\\",\\\"\\\"),\\\"\\\\\\\"]\\\",\\\"\\\")\\r\\n| extend CmdletName = CmdletResultValue.Name\\r\\n| extend Parameters = CmdletResultValue.Parameters\\r\\n| project CmdletName,Parameters,ParentRole = SelectedRole\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Parameters\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100ch\"}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"70\",\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedRole = toscalar ( ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| where Identity contains \\\"{CustomRole}\\\"\\r\\n| extend ParentRole = CmdletResultValue.Parent.Name\\r\\n| project 
ParentRole);\\r\\nlet DefMRA = externaldata (Role:string,CmdletCount:string,Parameters:string )[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/RBACRoleCmdlet.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| where Role == SelectedRole | summarize CmdletCount=count() by Role;\\r\\nlet MRCustomD = ExchangeConfiguration(SpecificSectionList=\\\"MRCustomDetails\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where (replace_string(replace_string(tostring(split(CmdletResultValue.Role.DistinguishedName,\\\",\\\",0)),\\\"[\\\\\\\"CN=\\\",\\\"\\\"),\\\"\\\\\\\"]\\\",\\\"\\\")) contains \\\"{CustomRole}\\\"\\r\\n| extend Role = replace_string(replace_string(tostring(split(CmdletResultValue.Role.DistinguishedName,\\\",\\\",0)),\\\"[\\\\\\\"CN=\\\",\\\"\\\"),\\\"\\\\\\\"]\\\",\\\"\\\")\\r\\n| extend CmdletName = CmdletResultValue.Name\\r\\n| extend ParentRole = tostring(SelectedRole)\\r\\n| summarize CmdletCount = count() by Role, ParentRole\\r\\n| project Role,CmdletCount;\\r\\nunion MRCustomD, DefMRA\",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"List of Cmdlets ( Get- command have been removed to clarify the information) with :\\r\\nCustomParamCount : number of parameters for the Cmdlet in the custom role\\r\\nDefaultCmdletNumberofParam : number of parameters for the Cmdlet in the default role\\r\\n\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SelectedRole = toscalar ( ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend 
Identity = CmdletResultValue.Name\\r\\n| where Identity contains \\\"{CustomRole}\\\"\\r\\n| extend ParentRole = CmdletResultValue.Parent.Name\\r\\n| project ParentRole);\\r\\nlet DefMRA = externaldata (Role:string,Name:string,Parameters:string )[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/RBACRoleCmdlet.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| where Role == SelectedRole | mv-expand split(todynamic(Parameters),\\\";\\\")| summarize ParamCount = count() by Name;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRCustomDetails\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where (replace_string(replace_string(tostring(split(CmdletResultValue.Role.DistinguishedName,\\\",\\\",0)),\\\"[\\\\\\\"CN=\\\",\\\"\\\"),\\\"\\\\\\\"]\\\",\\\"\\\")) contains \\\"{CustomRole}\\\"\\r\\n| extend CustomRoleName = replace_string(replace_string(tostring(split(CmdletResultValue.Role.DistinguishedName,\\\",\\\",0)),\\\"[\\\\\\\"CN=\\\",\\\"\\\"),\\\"\\\\\\\"]\\\",\\\"\\\")\\r\\n| extend CmdletName = tostring(CmdletResultValue.Name)\\r\\n| where CmdletName !contains \\\"get-\\\"\\r\\n| extend Parameters = CmdletResultValue.Parameters\\r\\n| extend ParentRole = tostring(SelectedRole)\\r\\n| mv-expand split(todynamic(Parameters),\\\";\\\")\\r\\n| summarize ParamCount = count() by CmdletName, ParentRole\\r\\n| join (DefMRA) on $left.CmdletName == $right.Name\\r\\n| project CmdletName, CustomParamCount = ParamCount , DefaultCmdletNumberofParam = 
ParamCount1\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"DefaultCmdletNumberofParam\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"DefaultCmdletNumberofParam\",\"sortOrder\":1}]},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Details for Custom Roles Cmdlets \"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"CustomRole\"},\"name\":\"Custom Role\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeLeastPrivilegewithRBAC\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", - "sourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" } }, @@ -2737,7 +5729,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Search AdminAuditLog Workbook with template version 3.1.5", + "description": "Microsoft Exchange Search AdminAuditLog Workbook with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", 
@@ -2757,7 +5749,7 @@ "displayName": "[parameters('workbook2-name')]", "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Admin Audit Log\\r\\n\\r\\n** This workbook requires Option 1**\"},\"name\":\"text - 6\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"79f1e435-df12-4c83-9967-501ab5f6ad6a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"59486bcb-db99-43b3-97dc-a63b271a91d1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"query\":\"ExchangeAdminAuditLogs | where TimeGenerated {TimeRange}\\r\\n | summarize by ESIEnvironment\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"9d830b00-95f4-4fd5-8cfb-95c2e63f5d0b\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cmdlets Analysis\",\"subTarget\":\"CmdletAna\",\"style\":\"link\"},{\"id\":\"944a83ef-377f-4374-83e8-46816b6ce570\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Admin Audit Log - All 
Admins\",\"subTarget\":\"AllAAL\",\"style\":\"link\"},{\"id\":\"beb06fb7-fd78-4048-a0d9-01960cbd0c66\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Admin Audit Log - Members of Organization Management\",\"subTarget\":\"AALOM\",\"preText\":\"AdminAuditLog Org Mgmt\",\"style\":\"link\"},{\"id\":\"cdab541f-8d91-4882-ba46-7c04cdff257b\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Search in AdminAudit log focused on Organization Management members\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"How to understand the data\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"These information are extracted from the log MSExchange Management.\\r\\n\\r\\nEach entry is analyzed regarding the following conditions :\\r\\n\\r\\n - Check if the Target Object is a VIP. The VIP list is based on the watchlist \\\"Exchange VIP\\\".\\r\\n\\r\\n - Check if the Cdmlet is a Sensitive Cmdlet. The Sensitive Cmdlet list is based on the watchlist \\\"Monitored Exchange Cmdlets\\\". \\r\\n - This list contains the list of Cmdlet that are considered as Sensitive. 
\\r\\n - Some Cmdlet will be considered as Sensitive only if some specific parameters defined in the \\\"Monitored Exchange Cmdlets\\\" watchlist are used.\\r\\n\\r\\nColumn explainatations : \\r\\n - Caller : Named of the Administrators that used this cmdlet\\r\\n - TargetObject : Object modified by the cmdlet\\r\\n - IsVIP : If the Target Object part of the \\\"Exchange VIP\\\" watchlist\\r\\n - CmdletName : Name of the cmdlet that was used\\r\\n - CmdletParameters : Cmdlet parameters used with the command\\r\\n - IsSenstiveCmdlet : \\r\\n - true : the Cmdlet is part of the \\\"Monitored Exchange Cmdlets\\\" watchlist\\r\\n - false : the Cmdlet is not part of the \\\"Monitored Exchange Cmdlets\\\" watchlist\\r\\n - IsRestrictedCmdLet : This cmdlet is considered as sentisitve only when some specifc parameters are used\\r\\n - ExtractedParameters : List of parameters used by the cmdlet\\r\\n - IsSenstiveCmdletParameters :\\r\\n - true : Sensitive parameters have been used\\r\\n - false : Sensitive parameters have not been used\\r\\n - RestrictedParameters : List of restricted parameters used\\r\\n - IsSensitive :\\r\\n - true : This cmdlet is Sensitive because it was part of the list of the \\\"Monitored Exchange Cmdlets\\\" watchlist and Sensitive parameters have been used for cmdlet with specifc sensitive parameters \\r\\n - UserOriented : The Sensitive cmdlet used is a user cmdlet and not a general configuration cmdlet. This information is part of the list of the \\\"Monitored Exchange Cmdlets\\\" watchlist\\r\\n\\r\\n\"},\"name\":\"text - 0\"}]},\"name\":\"group - 2\"},{\"type\":1,\"content\":{\"json\":\"If needed, select an item in the dropdownlist. 
Dropdownlist are independent.\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d9d4e0a2-b75d-4825-9f4e-7606516500e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"OrgMAdm\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"lastdate\\\",SpecificConfigurationEnv=\\\"{EnvironmentList:Value}\\\")\\r\\n| where CmdletResultValue.Parentgroup == \\\"Organization Management\\\" and CmdletResultValue.Level != 0\\r\\n| where TimeGenerated {TimeRange}\\r\\n| project CmdletResultValue\\r\\n| extend Members = tostring(CmdletResultValue.SamAccountName)\\r\\n| distinct Members\\r\\n| sort by Members asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b11b4ca7-2ce0-4116-b9ed-d3a514db354d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Cmdlet\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExcludedCmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nExchangeAdminAuditLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where Status == \\\"Success\\\"\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| distinct CmdletName\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExcludedCmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nExchangeAdminAuditLogs\\r\\n| where 
TimeGenerated {TimeRange}\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Caller contains \\\"{OrgMAdm}\\\" and CmdletName contains \\\"{Cmdlet}\\\"\\r\\n| where Status == \\\"Success\\\"\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend IsVIP = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",tostring(IsVIP)), tostring(IsVIP ))\\r\\n| extend IsSensitive = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",tostring(IsSenstiveCmdlet)), tostring(IsSenstiveCmdlet))\\r\\n| project TimeGenerated, Caller,IsVIP,TargetObject,IsSensitive,CmdletName,CmdletParameters,ExtractedParameters,IsSenstiveCmdlet,IsRestrictedCmdLet,IsSenstiveCmdletParameters,RestrictedParameters,UserOriented\\r\\n| sort by TimeGenerated desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"To manually search in AdminAuditLog action perfrom by Organization Management members. The list of user is only members of Organization Mangement\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section display all the information of the Admin Audit Log for the defined time range.\\r\\n\\r\\nUsing the dropdownlist 
you are able to tack which Cmdlet has been used, by whom and on which object.\\r\\n\\r\\nSensitive Cmdlet or a VIP user, will be displayed\"},\"name\":\"text - 0\"}]},\"name\":\"group - 3\"}]},\"name\":\"Manual Search AAL\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"AALOM\"},\"name\":\"Search Admin Audit Log\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Global Admin Audit Log Search\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If needed, select an item in the dropdownlist. Dropdownlist are independent.\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e100ee8b-d63b-4c49-9004-6555b56051aa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Admin\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExcludedCmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nExchangeAdminAuditLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Status == \\\"Success\\\"\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend admin = tostring(split(Caller,\\\"/\\\")[countof(Caller,\\\"/\\\")])\\r\\n| distinct admin\\r\\n\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0d7c1223-d108-4d10-bb24-50891a3415fd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdLet\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExcludedCmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nExchangeAdminAuditLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where Status 
== \\\"Success\\\"\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| distinct CmdletName\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"How to understand the data\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"These information are extracted from the log MSExchange Management.\\r\\n\\r\\nEach entry is analyzed regarding the following conditions :\\r\\n\\r\\n - Check if the Target Object is a VIP. The VIP list is based on the watchlist \\\"Exchange VIP\\\".\\r\\n\\r\\n - Check if the Cdmlet is a Sensitive Cmdlet. The Sensitive Cmdlet list is based on the watchlist \\\"Monitored Exchange Cmdlets\\\". \\r\\n - This list contains the list of Cmdlet that are considered as Sensitive. 
\\r\\n - Some Cmdlet will be considered as Sensitive only if some specific parameters defined in the \\\"Monitored Exchange Cmdlets\\\" watchlist are used.\\r\\n\\r\\nColumn explainatations : \\r\\n - Caller : Named of the Administrators that used this cmdlet\\r\\n - TargetObject : Object modified by the cmdlet\\r\\n - IsVIP : If the Target Object part of the \\\"Exchange VIP\\\" watchlist\\r\\n - CmdletName : Name of the cmdlet that was used\\r\\n - CmdletParameters : Cmdlet parameters used with the command\\r\\n - IsSenstiveCmdlet : \\r\\n - true : the Cmdlet is part of the \\\"Monitored Exchange Cmdlets\\\" watchlist\\r\\n - false : the Cmdlet is not part of the \\\"Monitored Exchange Cmdlets\\\" watchlist\\r\\n - IsRestrictedCmdLet : This cmdlet is considered as sentisitve only when some specifc parameters are used\\r\\n - ExtractedParameters : List of parameters used by the cmdlet\\r\\n - IsSenstiveCmdletParameters :\\r\\n - true : Sensitive parameters have been used\\r\\n - false : Sensitive parameters have not been used\\r\\n - RestrictedParameters : List of restricted parameters used\\r\\n - IsSensitive :\\r\\n - true : This cmdlet is Sensitive because it was part of the list of the \\\"Monitored Exchange Cmdlets\\\" watchlist and Sensitive parameters have been used for cmdlet with specifc sensitive parameters \\r\\n - UserOriented : The Sensitive cmdlet used is a user cmdlet and not a general configuration cmdlet. 
This information is part of the list of the \\\"Monitored Exchange Cmdlets\\\" watchlist\\r\\n\\r\\n\"},\"name\":\"text - 0\"}]},\"name\":\"group - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExcludedCmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nExchangeAdminAuditLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Caller contains \\\"{Admin}\\\" and CmdletName contains \\\"{CmdLet}\\\"\\r\\n| where Status == \\\"Success\\\"\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend IsVIP = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",tostring(IsVIP)), tostring(IsVIP ))\\r\\n| extend IsSensitive = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",tostring(IsSenstiveCmdlet)), tostring(IsSenstiveCmdlet))\\r\\n| project TimeGenerated, Caller,IsVIP,TargetObject,IsSensitive,CmdletName,CmdletParameters,ExtractedParameters,IsSenstiveCmdlet,IsRestrictedCmdLet,IsSenstiveCmdletParameters,RestrictedParameters,UserOriented\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section display all the information of the Admin Audit Log for the defined time range.\\r\\n\\r\\nUsing the dropdownlist you are able to tack which Cmdlet has been used, by whom and on which object.\\r\\n\\r\\nSensitive Cmdlet or a VIP user, will be 
displayed\"},\"name\":\"text - 0\"}]},\"name\":\"group - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"AllAAL\"},\"name\":\"Global Admin Audit Log\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Analysis of Administrators actions\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Total Cmdlets for the Time Range\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExcludedCmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nExchangeAdminAuditLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Status == \\\"Success\\\"\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Caller\\r\\n| extend CmdletName\\r\\n| summarize Count=count() by CmdletName\",\"size\":2,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExcludedCmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nExchangeAdminAuditLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Status == \\\"Success\\\"\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Account = tostring(split(Caller,\\\"/\\\")[countof(Caller,\\\"/\\\")])\\r\\n| extend CmdletName\\r\\n| 
summarize Count=dcount(CmdletName) by Account,CmdletName\",\"size\":2,\"showAnalytics\":true,\"title\":\"Total Unique Cmdlet per Account for the Time Range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Account\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExcludedCmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nExchangeAdminAuditLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Status == \\\"Success\\\"\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Caller\\r\\n| extend CmdletName\\r\\n| summarize Count=count() by CmdletName\\r\\n| sort by CmdletName asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Total List of Cmdlets\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExcludedCmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project 
Cmdlet;\\r\\nExchangeAdminAuditLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Status == \\\"Success\\\"\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Account = tostring(split(Caller,\\\"/\\\")[countof(Caller,\\\"/\\\")])\\r\\n| extend CmdletName\\r\\n| summarize Count=count() by CmdletName, Account\\r\\n| sort by Count asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"List of Cmdlet per Account\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displayed the list of Cmdlet used in your environment for the defined period of time with the number of time they have been used.\"},\"name\":\"text - 0\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section will display the list of Cmdlet launch by Administrators for the defined period of time and the number of time they have been used\"},\"name\":\"text - 0\"}]},\"customWidth\":\"50\",\"name\":\"group - 3\"}]},\"name\":\"Result Analysis\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"CmdletAna\"},\"name\":\"Analysis of actions performed\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\nThe goals of this workbook is to allow search in the Exchange Admin Audit log.\\r\\n\\r\\nThe source of this workbook is not an export of the Admin Audit log mailbox but 
an export of the MSExchange Management for each Exchange servers.\\r\\n\\r\\nIf the Admin Audit Log is bypassed, the information won't be displayed in this workbook as there is no method to track this data.\\r\\n\\r\\n## Tabs\\r\\n\\r\\nLet quicly review the content of each tab\\r\\n\\r\\n### Cmdlets Analysis\\r\\n\\r\\nThis tab will show for the defined time range :\\r\\n - A summary of all cmdets used\\r\\n\\r\\n - A summary of all cmdlets used by each Account\\r\\n\\r\\n### Global Admin Audit Log\\r\\n\\r\\nThis tab allow to globally search in the exported Admin Audit log content.\\r\\n\\r\\nWhen Sensitive Cmdlets and/or Sensitive parameters are used, specific informations will be displayed.\\r\\n\\r\\nWhen VIP user are manipulated, specific informations will be displayed.\\r\\n\\r\\nFor more informations on how to understand each Column, refer to \\\"How to understand the data\\\"\\r\\n\\r\\n\\r\\n### AdminAuditLog for Org Mgmt\\r\\n\\r\\nThis tab allow to globally search in the exported Admin Audit log content for only account members on the Organization Management groups.\\r\\n\\r\\nWhen Sensitive Cmdlets and/or Sensitive parameters are used, specific informations will be displayed.\\r\\n\\r\\nWhen VIP user are manipulated, specific informations will be displayed.\\r\\n\\r\\nFor more informations on how to understand each Column, refer to \\\"How to understand the data\\\"\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"group - 5\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSearchAdminAuditLog\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", - "sourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" } }, 
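Review bot: The KQL embedded in this hunk's unchanged serializedData line builds its exclusion list at query time with `externaldata (Cmdlet:string)[h"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExcludedCmdletWatchlist.csv"]`, a personal-account repository on a mutable `main` branch, and the commit only swaps the `sourceId` line underneath it. That list gates every grid and dropdown in the workbook via `| where CmdletName !in (ExcludedCmdlet)`, so whoever can push to that repo can silently remove cmdlets from the Admin Audit Log views, and presumably a workspace without outbound access to GitHub gets failing queries rather than an unfiltered result. A safer shape is to read the exclusions from a workspace watchlist, as the same help text already does for `Exchange VIP` and `Monitored Exchange Cmdlets`, or at minimum pin the URL to a commit SHA and state the dependency in the Workbook Help tab, e.g. `This workbook fetches an exclusion list from a public GitHub repository at query time; outbound HTTPS from the workspace is required and the list is not under your control.`. The new `[variables('workspaceResourceId')]` also relies on that variable being declared in the template's variables block, which is outside this hunk, so it is worth confirming it is defined next to `workbookVersion2`.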
@@ -2828,7 +5820,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Microsoft Exchange Admin Activity Workbook with template version 3.1.5",
+ "description": "Microsoft Exchange Admin Activity Workbook with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion3')]",
@@ -2848,7 +5840,7 @@ "displayName": "[parameters('workbook3-name')]", "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Admin Activity\\r\\n\\r\\nThis workbook helps you visualize what is happening in your Exchange environment.\\r\\nResults removed :\\r\\n\\t- All Test-* and Set-AdServerSetting Cmdlets\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3792117c-d924-4ec7-a327-1e8d5e9f291a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"value\":{\"durationMs\":2592000000}},{\"id\":\"743317e2-ebcf-4958-861d-4ff97fc7cce1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"query\":\"ExchangeAdminAuditLogs | where TimeGenerated {TimeRange}\\r\\n | summarize by ESIEnvironment\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true 
}\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cmdlet Analysis\",\"subTarget\":\"Cmdlet\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true},{\"id\":\"be02c735-6150-4b6e-a386-b2b023e754e5\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Active Directory Modifications\",\"subTarget\":\"AD\",\"style\":\"link\"}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Cmdlet summary\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab parses the events from Admin Audit logs :\\r\\n\\r\\n- list of cmdlets\\r\\n- filter on a VIP and/or Sensitive objects (based on Watchlist \\\"Exchange VIP\\\" and \\\" Monitored Exchange Cmdlets\\\")\\r\\n- anomalies detections are based on the KQL function series_decompose_anomalies\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"CmdletGroupHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5a942eba-c991-4b84-9a94-c153bca86e12\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"VIPOnly\",\"label\":\"Show VIP Only\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true 
}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"83befa26-eee0-49ab-9785-72653943bc6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SensitiveOnly\",\"label\":\"Sensitive CmdLet Only\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\\r\\n\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"a6046096-a14b-4023-af1a-ab47f4e2dff1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CallerFilter1\",\"label\":\"Caller\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeAdminAuditLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Status == \\\"Success\\\"\\r\\n| distinct Caller\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4c896211-577a-4390-b85a-6f9ac18f2824\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdletFilter1\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExcludedCmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nExchangeAdminAuditLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Status == \\\"Success\\\"\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| distinct CmdletName\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
0\"},{\"type\":1,\"content\":{\"json\":\"This section show all the Cmdlets executed in the selected time range. Possible filters are: \\r\\n- **VIP Only selected** Cmdlets used against VIP objects (based on the \\\"Exchange VIP\\\" watchlist)\\r\\n- **Sensitive Cmdlets** Cmdlets considered as Sensitive (based on the \\\"Monitored Exchange Cmdlets\\\" watchlist)\\r\\n\\r\\nThese informations can be useful to detect unexpected behaviors or to determine what are the action performed by the accounts (ie. service accounts).\\r\\n\\r\\nℹ️ It is recommended to delegated only the necessary privileges to an account.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"CmdtListHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExcludedCmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nExchangeAdminAuditLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Status == \\\"Success\\\"\\r\\n//| where TargetObject !contains \\\"Health\\\"\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize count() by CmdletName\\r\\n| sort by count_\",\"size\":2,\"showAnalytics\":true,\"title\":\"List of all executed cmdlets during the last 90 days (based on Sentinel 
retention)\",\"exportFieldName\":\"CmdletName\",\"exportParameterName\":\"CmdletFilter\",\"exportDefaultValue\":\"\\\"\\\"\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"CmdletName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"CmdletName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":20}},\"customWidth\":\"45\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExcludedCmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nExchangeAdminAuditLogs\\r\\n | where TimeGenerated {TimeRange}\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Status == \\\"Success\\\"\\r\\n//| where TargetObject !contains \\\"Health\\\"\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize count() by CmdletName\\r\\n| join kind=leftouter ( ExchangeAdminAuditLogs \\r\\n | where TimeGenerated > ago(30d)\\r\\n | where ESIEnvironment in ('{EnvironmentList}')\\r\\n | where Status == \\\"Success\\\"\\r\\n //| where TargetObject !contains \\\"Health\\\"\\r\\n | where CmdletName !in (ExcludedCmdlet)\\r\\n | where IsVIP in ({VIPOnly})\\r\\n | where IsSensitive in ({SensitiveOnly})\\r\\n | make-series 
Count=count() on TimeGenerated from ago(30d) to now() step 1d by CmdletName\\r\\n | extend Anomalies=series_decompose_anomalies(Count)\\r\\n) on CmdletName\\r\\n| project CmdletName, Total=count_, Count, Anomalies\\r\\n| sort by Total\",\"size\":2,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"rowLimit\":10000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"CmdletName\",\"label\":\"Cmdlet\"},{\"columnId\":\"Count\",\"label\":\"Count for the last 30 days\"}]}},\"customWidth\":\"55\",\"name\":\"CmdletTrends\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExcludedCmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nExchangeAdminAuditLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Status == \\\"Success\\\"\\r\\n//| where TargetObject !contains \\\"Health\\\"\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize Total = count() by Caller\\r\\n| join kind=leftouter ( ExchangeAdminAuditLogs \\r\\n | where TimeGenerated > ago(30d)\\r\\n | where ESIEnvironment 
in ('{EnvironmentList}')\\r\\n | where Status == \\\"Success\\\"\\r\\n | where IsVIP in ({VIPOnly})\\r\\n | where IsSensitive in ({SensitiveOnly})\\r\\n | make-series Count=count() on TimeGenerated from ago(30d) to now() step 1d by Caller\\r\\n | extend Anomalies=series_decompose_anomalies(Count)\\r\\n) on Caller\\r\\n| project Caller, Total, Count, Anomalies\\r\\n| sort by Total desc\",\"size\":1,\"showAnalytics\":true,\"exportFieldName\":\"Caller\",\"exportParameterName\":\"CallerFilter\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Caller\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70ch\"}},{\"columnMatch\":\"Total\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"125px\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"300px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"300px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_Total_1\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Count\",\"label\":\"Count for the last 30 days\"}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_Total_1\",\"sortOrder\":2}],\"chartSettings\":{\"createOtherGroup\":20}},\"name\":\"query - 4\"},{\"type\":1,\"content\":{\"json\":\"## List of Cmdlets\\r\\nYou can pick a tile in the list of all executed cmdlets above to filter the list.\\r\\n\\r\\nBy default all accounts found in the log are displayed.\\r\\n\\r\\nSelect an account in the previous section, to display on Cmdlets launched by this user\\r\\n\\r\\n> **Legend** \\r\\n> \\r\\n> 👑 VIP user \\r\\n> 💥 Sensitive action\\r\\n\\r\\nIf needed, select an item in the dropdownlist. 
Dropdownlist are independent.\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"008273d1-a013-4d86-9e23-499e5175a85e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CallerFilter\",\"label\":\"Caller\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExcludedCmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nExchangeAdminAuditLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Status == \\\"Success\\\"\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| distinct Caller\\r\\n| sort by Caller asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"21bd4e45-65ca-4b9b-a19c-177d6b37d807\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TargetObjectFilter\",\"label\":\"Target Object\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExcludedCmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nExchangeAdminAuditLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Status == \\\"Success\\\"\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| distinct TargetObject\\r\\n| sort by TargetObject 
asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9e93d5c3-0fcb-4ece-b2a0-fc3ff44a0b04\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdletFilter\",\"label\":\"Cmdlet Filter\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExcludedCmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nExchangeAdminAuditLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Status == \\\"Success\\\"\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| distinct CmdletName\\r\\n| sort by CmdletName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExcludedCmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nlet CallerF = toscalar(split(\\\"{CallerFilter}\\\",\\\",\\\"));\\r\\nExchangeAdminAuditLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Status == \\\"Success\\\"\\r\\n//| where TargetObject !contains \\\"Health\\\"\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n//| parse \\\"{CallerFilter}\\\" with \\\",\\\" CallerF\\r\\n//| where Caller contains {CallerFilter} and TargetObject contains \\\"{TargetObjectFilter}\\\" 
and CmdletName contains \\\"{CmdletFilter}\\\"\\r\\n| where (Caller in ({CallerFilter}) or Caller == \\\"ALL\\\") and TargetObject contains \\\"{TargetObjectFilter}\\\" and CmdletName contains \\\"{CmdletFilter}\\\"\\r\\n| extend ActualCmdLet = strcat( CmdletName, \\\" \\\", CmdletParameters)\\r\\n| extend TargetObject = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",TargetObject), TargetObject )\\r\\n| extend ActualCmdLet = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",ActualCmdLet), ActualCmdLet )\\r\\n| project TimeGenerated, Caller, TargetObject, ActualCmdLet\\r\\n| sort by TimeGenerated desc\",\"size\":2,\"showAnalytics\":true,\"title\":\"History\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ActualCmdLet\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"120ch\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Cmdlet\"},\"name\":\"Cmdlet Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## VIP modifications\\r\\n\\r\\nThis view allows you to quickly see what is happening on VIP accounts.\\r\\n**This tab needs Option 2 or 3**\"},\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"This section displays the modifications on VIP Active Directory objects for the selected Time Range.\\r\\n\\r\\nIt is based on the security events 4725, 4726, 4738, 4740 and 4767.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"HelpTotalModifVIP\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ImportantADActivities = dynamic([4725,4726,4738,4740,4767]);\\r\\nlet Env = 
ExchangeConfiguration(SpecificSectionList=\\\"ESIEnvironment\\\")\\r\\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\\r\\n| project DomainFQDN_, ESIEnvironment;\\r\\nlet VIPUsers = _GetWatchlist('ExchangeVIP') | summarize make_list(tostring(sAMAccountName)) ;\\r\\nSecurityEvent\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where EventID in (ImportantADActivities)\\r\\n| extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\\r\\n | join kind=leftouter ( \\r\\n Env\\r\\n ) on $left.DomainEnv == $right.DomainFQDN_\\r\\n| extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\\\"Unknown-\\\",DomainEnv))\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where SubjectUserName in (VIPUsers) or TargetUserName in (VIPUsers)\\r\\n| extend Activity = tostring(split(Activity,\\\"- \\\")[1])\\r\\n| summarize Count=count() by Activity\",\"size\":3,\"noDataMessage\":\"Sections related to Option 2 or 3\",\"noDataMessageStyle\":2,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Activity\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"size\":\"auto\"}},\"name\":\"QueryVIPModif\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ImportantADActivities = dynamic([4725,4726,4738,4740,4767]);\\r\\nlet Env = ExchangeConfiguration(SpecificSectionList=\\\"ESIEnvironment\\\")\\r\\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\\r\\n| project DomainFQDN_, ESIEnvironment;\\r\\nlet VIPUsers = _GetWatchlist('ExchangeVIP') | summarize make_list(tostring(sAMAccountName)) ;\\r\\nSecurityEvent\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where EventID in 
(ImportantADActivities)\\r\\n| extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\\r\\n | join kind=leftouter ( \\r\\n Env\\r\\n ) on $left.DomainEnv == $right.DomainFQDN_\\r\\n| extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\\\"Unknown-\\\",DomainEnv))\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where SubjectUserName in (VIPUsers) or TargetUserName in (VIPUsers)\\r\\n| extend Activity = split(Activity,\\\"- \\\")[1]\\r\\n| extend SubjectUserName = iif( SubjectUserName in (VIPUsers), strcat(SubjectUserName, \\\" 👑\\\"), SubjectUserName)\\r\\n| extend SubjectUserName = iif( SubjectUserName hassuffix \\\"$\\\", strcat(\\\"💻 \\\", SubjectUserName), strcat(\\\"👨‍💼 \\\", SubjectUserName))\\r\\n| extend TargetUserName = iif( TargetUserName in (VIPUsers), strcat(TargetUserName, \\\" 👑\\\"), TargetUserName)\\r\\n| project TimeGenerated, Activity, SubjectUserName,TargetUserName\\r\\n| order by TimeGenerated desc\",\"size\":0,\"showAnalytics\":true,\"noDataMessage\":\"Sections related to Option 2 or 3\",\"noDataMessageStyle\":2,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Activity\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"75ch\"}}],\"rowLimit\":10000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"SubjectUserName\",\"label\":\"Operator\"},{\"columnId\":\"TargetUserName\",\"label\":\"Target\"}]}},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"AD\"},\"name\":\"AdModifSummary\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Server activity 
summary\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"04d09365-30ba-4bb1-9e76-06fc7b97ea71\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ComputerFilter\",\"type\":1,\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":1,\"content\":{\"json\":\"This tab parses the events from the System and Security event logs of the Exchange servers. You can use it for the following activities:\\r\\n\\r\\n- Track the Exchange services status (based on the event 7036 and on the watchlist \\\"Exchange Services Monitoring\\\")\\r\\n- Track logons on the servers (this excludes network logons)\\r\\n- Track creations, modifications and delegation actions of local user accounts\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ServersHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Env = ExchangeConfiguration(SpecificSectionList=\\\"ESIEnvironment\\\")\\r\\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\\r\\n| project DomainFQDN_, ESIEnvironment;\\r\\nSecurityEvent\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n| extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\\r\\n | join kind=leftouter ( \\r\\n Env\\r\\n ) on $left.DomainEnv == $right.DomainFQDN_\\r\\n| extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\\\"Unknown-\\\",DomainEnv))\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| summarize count() by Computer\",\"size\":4,\"title\":\"Security Events per Exchange 
Servers\",\"exportFieldName\":\"Computer\",\"exportParameterName\":\"ComputerFilter\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Computer\"},\"subtitleContent\":{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"min\":2000,\"palette\":\"blue\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true,\"sortCriteriaField\":\"Computer\",\"sortOrderField\":1,\"size\":\"auto\"}},\"customWidth\":\"100\",\"name\":\"ExServersListTiles\"},{\"type\":1,\"content\":{\"json\":\"## List of monitored services changes\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Env = ExchangeConfiguration(SpecificSectionList=\\\"ESIEnvironment\\\")\\r\\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\\r\\n| project DomainFQDN_, ESIEnvironment;\\r\\nlet ExchangeServices = _GetWatchlist('ExchangeServicesMonitoring') | summarize make_list(DisplayName);\\r\\nEvent \\r\\n| where TimeGenerated {TimeRange:value}\\r\\n| where EventID == 7036\\r\\n| extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\\r\\n | join kind=leftouter ( \\r\\n Env\\r\\n ) on $left.DomainEnv == $right.DomainFQDN_\\r\\n| extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\\\"Unknown-\\\",DomainEnv))\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Computer like \\\"{ComputerFilter}\\\"\\r\\n| where WindowsService_CF in (ExchangeServices)\\r\\n| extend ServiceNewState_CF = iif( ServiceNewState_CF == \\\"stopped\\\", strcat(\\\"🔴 \\\",ServiceNewState_CF), strcat(\\\"🟢 \\\",ServiceNewState_CF))\\r\\n| project TimeGenerated, Computer, WindowsService_CF, ServiceNewState_CF\\r\\n| sort by TimeGenerated 
desc\",\"size\":0,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"showExpandCollapseGrid\":true,\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"WindowsService_CF\",\"label\":\"Service\"},{\"columnId\":\"ServiceNewState_CF\",\"label\":\"State\"}]}},\"name\":\"ListServicesState\"},{\"type\":1,\"content\":{\"json\":\"Details of logon on the Exchange servers (or the selected server from the tiles above).\\r\\n\\r\\nThis parses the security event 4624 on Exchange servers.\\r\\n\\r\\nThis uses the following filters:\\r\\n- LogonType <> 3 (Network)\\r\\n- AccountType <> \\\"Machine\\\"\\r\\n- TargetUserName !hasprefix \\\"HealthMailbox\\\"\\r\\n- Account !hasprefix \\\"Window Manager\\\"\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ServerLogonHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Env = ExchangeConfiguration(SpecificSectionList=\\\"ESIEnvironment\\\")\\r\\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\\r\\n| project DomainFQDN_, ESIEnvironment;\\r\\nSecurityEvent\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n| extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\\r\\n | join kind=leftouter ( \\r\\n Env\\r\\n ) on $left.DomainEnv == $right.DomainFQDN_\\r\\n| extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\\\"Unknown-\\\",DomainEnv))\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Computer like \\\"{ComputerFilter}\\\"\\r\\n| where EventID == 4624\\r\\n| where LogonType <> 3\\r\\n| where AccountType <> \\\"Machine\\\" \\r\\n| where TargetUserName !hasprefix \\\"HealthMailbox\\\"\\r\\n| where Account !hasprefix \\\"Window Manager\\\"\\r\\n| summarize count() by LogonTypeName\",\"size\":0,\"title\":\"Logon Type 
statistics\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"DetailsLogonEventsPie\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Env = ExchangeConfiguration(SpecificSectionList=\\\"ESIEnvironment\\\")\\r\\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\\r\\n| project DomainFQDN_, ESIEnvironment;\\r\\nSecurityEvent\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n| extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\\r\\n | join kind=leftouter ( \\r\\n Env\\r\\n ) on $left.DomainEnv == $right.DomainFQDN_\\r\\n| extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\\\"Unknown-\\\",DomainEnv))\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Computer like \\\"{ComputerFilter}\\\"\\r\\n| where EventID == 4624\\r\\n| where LogonType <> 3\\r\\n| where AccountType <> \\\"Machine\\\" \\r\\n| where TargetUserName !hasprefix \\\"HealthMailbox\\\"\\r\\n| where Account !hasprefix \\\"Window Manager\\\"\\r\\n| project TimeGenerated, Computer, Account, IpAddress, LogonTypeName\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"75\",\"name\":\"DetailsLogonEvents\"},{\"type\":1,\"content\":{\"json\":\"Details of local account activities on the Exchange servers (or the selected server from the tiles above). 
It parses the following security events:\\r\\n- 4720 Account creation\\r\\n- 4724 Password reset\\r\\n- 4722 Account enabled\\r\\n- 4725 Account disabled\\r\\n- 4726 Account deleted\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"LocalAccountActivityHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Env = ExchangeConfiguration(SpecificSectionList=\\\"ESIEnvironment\\\")\\r\\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\\r\\n| project DomainFQDN_, ESIEnvironment;\\r\\nSecurityEvent\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n| extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\\r\\n | join kind=leftouter ( \\r\\n Env\\r\\n ) on $left.DomainEnv == $right.DomainFQDN_\\r\\n| extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\\\"Unknown-\\\",DomainEnv))\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Computer like \\\"{ComputerFilter}\\\"\\r\\n| where EventID in (4720,4724,4722,4725,4726)\\r\\n| extend Action = case(EventID == 4720, \\\"🆕 Account creation\\\", EventID == 4724, \\\"🔄 Password reset\\\", EventID == 4722, \\\"🟢 Account enabled\\\", EventID == 4725, \\\"🔴 Account disabled\\\",\\\"❌ Account deleted\\\")\\r\\n| summarize count() by Action\",\"size\":0,\"showAnalytics\":true,\"showExportToExcel\":true,\"title\":\"List of local account activities\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"LocalAccountActivity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Env = ExchangeConfiguration(SpecificSectionList=\\\"ESIEnvironment\\\")\\r\\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\\r\\n| project DomainFQDN_, ESIEnvironment;\\r\\nSecurityEvent\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n| extend 
DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\\r\\n | join kind=leftouter ( \\r\\n Env\\r\\n ) on $left.DomainEnv == $right.DomainFQDN_\\r\\n| extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\\\"Unknown-\\\",DomainEnv))\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| where Computer like \\\"{ComputerFilter}\\\"\\r\\n| where EventID in (4720,4724,4722,4725,4726)\\r\\n| extend Action = case(EventID == 4720, \\\"🆕 Account creation\\\", EventID == 4724, \\\"🔄 Password reset\\\", EventID == 4722, \\\"🟢 Account enabled\\\", EventID == 4725, \\\"🔴 Account disabled\\\",\\\"❌ Account deleted\\\")\\r\\n| project TimeGenerated, Computer, Action, SubjectAccount, TargetAccount\",\"size\":0,\"showAnalytics\":true,\"showExportToExcel\":true,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"75\",\"name\":\"LocalActivityGrid\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Server\"},\"name\":\"ServerSummaryGroup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mail flow\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This is an experimental tab to search for information from the Message Tracking logs.\",\"style\":\"warning\"},\"name\":\"WarningMessagetracking\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MessageTracking\\r\\n| where TimeGenerated > ago(7d)\\r\\n| summarize Max = max(TimeGenerated) by Computer\\r\\n| extend Age = strcat( datetime_diff( \\\"Hour\\\", now(), Max) , \\\" hours ago\\\")\",\"size\":4,\"noDataMessage\":\"No message tracking data for more than 7 
days\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Computer\"},\"leftContent\":{\"columnMatch\":\"Max\"},\"rightContent\":{\"columnMatch\":\"Age\"},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"query - 1\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"69b3412d-8984-42a7-8b5a-c238462097b7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Filter\",\"type\":1,\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MessageTracking\\r\\n| search \\\"*{Filter}\\\"\\r\\n| project-away $table\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"showAnalytics\":true,\"showExportToExcel\":true,\"noDataMessage\":\"No message tracking information found.\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Mail\"},\"name\":\"MailFlowGroup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Data Statistics\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## 90-day statistics\"},\"name\":\"text - 4\"},{\"type\":1,\"content\":{\"json\":\"This tabs show the data ingestions of logs used to monitor Exchange Servers activities.\\r\\n\\r\\nNote that the Event table contains all Windows event log events but the security event 
logs.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"showPin\":false,\"name\":\"StatsHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Env = ExchangeConfiguration(SpecificSectionList=\\\"ESIEnvironment\\\")\\r\\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\\r\\n| project DomainFQDN_, ESIEnvironment;\\r\\nEvent \\r\\n| where TimeGenerated > ago(90d)\\r\\n| extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\\r\\n | join kind=leftouter ( \\r\\n Env\\r\\n ) on $left.DomainEnv == $right.DomainFQDN_\\r\\n| extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\\\"Unknown-\\\",DomainEnv))\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| summarize Total=count() by Computer\\r\\n| join (Event\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\\r\\n | join kind=leftouter ( \\r\\n Env\\r\\n ) on $left.DomainEnv == $right.DomainFQDN_\\r\\n | extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\\\"Unknown-\\\",DomainEnv))\\r\\n | where ESIEnvironment in ('{EnvironmentList}')\\r\\n | make-series EventCount=count() on TimeGenerated from ago(90d) to now() step 1d by Computer\\r\\n | extend EventAnomalies=series_decompose_anomalies(EventCount)\\r\\n) on Computer\\r\\n| extend Computer = strcat(\\\"💻 \\\", Computer)\\r\\n| project-away TimeGenerated, Computer1\\r\\n| sort by Total desc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"title\":\"Event 
table\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":4,\"formatOptions\":{\"min\":1000,\"palette\":\"blue\",\"customColumnWidthSetting\":\"70px\"}},{\"columnMatch\":\"EventCount\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"200px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"EventAnomalies\",\"formatter\":9,\"formatOptions\":{\"min\":-1,\"max\":1,\"palette\":\"redDark\",\"customColumnWidthSetting\":\"200px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Count\"},{\"columnId\":\"EventAnomalies\",\"label\":\"Anomalies\"}]}},\"customWidth\":\"50\",\"name\":\"EventTable\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Env = ExchangeConfiguration(SpecificSectionList=\\\"ESIEnvironment\\\")\\r\\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\\r\\n| project DomainFQDN_, ESIEnvironment;\\r\\nW3CIISLog \\r\\n| where TimeGenerated > ago(90d)\\r\\n| extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\\r\\n | join kind=leftouter ( \\r\\n Env\\r\\n ) on $left.DomainEnv == $right.DomainFQDN_\\r\\n| extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\\\"Unknown-\\\",DomainEnv))\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| summarize Total=count() by Computer\\r\\n| join (W3CIISLog\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\\r\\n | join kind=leftouter ( \\r\\n Env\\r\\n ) on $left.DomainEnv == $right.DomainFQDN_\\r\\n | extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\\\"Unknown-\\\",DomainEnv))\\r\\n | where ESIEnvironment in ('{EnvironmentList}')\\r\\n | make-series 
EventCount=count() on TimeGenerated from ago(90d) to now() step 1d by Computer\\r\\n | extend EventAnomalies=series_decompose_anomalies(EventCount)\\r\\n) on Computer\\r\\n| extend Computer = strcat(\\\"💻 \\\", Computer)\\r\\n| project-away TimeGenerated, Computer1\\r\\n| sort by Total desc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"title\":\"W3CIISLog table\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":4,\"formatOptions\":{\"min\":1000,\"palette\":\"blue\",\"customColumnWidthSetting\":\"70px\"}},{\"columnMatch\":\"EventCount\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"200px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"EventAnomalies\",\"formatter\":9,\"formatOptions\":{\"min\":-1,\"max\":1,\"palette\":\"redDark\",\"customColumnWidthSetting\":\"200px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Count\"},{\"columnId\":\"EventAnomalies\",\"label\":\"Anomalies\"}]}},\"customWidth\":\"50\",\"name\":\"IISLogs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Env = ExchangeConfiguration(SpecificSectionList=\\\"ESIEnvironment\\\")\\r\\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\\r\\n| project DomainFQDN_, ESIEnvironment;\\r\\nSecurityEvent \\r\\n| where TimeGenerated > ago(90d)\\r\\n| extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\\r\\n | join kind=leftouter ( \\r\\n Env\\r\\n ) on $left.DomainEnv == $right.DomainFQDN_\\r\\n| extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\\\"Unknown-\\\",DomainEnv))\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| summarize Total=count() by Computer\\r\\n| join (SecurityEvent\\r\\n | where TimeGenerated > 
ago(90d)\\r\\n | extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\\r\\n | join kind=leftouter ( \\r\\n Env\\r\\n ) on $left.DomainEnv == $right.DomainFQDN_\\r\\n | extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\\\"Unknown-\\\",DomainEnv))\\r\\n | where ESIEnvironment in ('{EnvironmentList}')\\r\\n | make-series EventCount=count() on TimeGenerated from ago(90d) to now() step 1d by Computer\\r\\n | extend EventAnomalies=series_decompose_anomalies(EventCount)\\r\\n) on Computer\\r\\n| extend Computer = strcat(\\\"💻 \\\", Computer)\\r\\n| project-away TimeGenerated, Computer1\\r\\n| sort by Total desc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"title\":\"SecurityEvent table\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":4,\"formatOptions\":{\"min\":1000,\"palette\":\"blue\",\"customColumnWidthSetting\":\"70px\"}},{\"columnMatch\":\"EventCount\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"200px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"EventAnomalies\",\"formatter\":9,\"formatOptions\":{\"min\":-1,\"max\":1,\"palette\":\"redDark\",\"customColumnWidthSetting\":\"200px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Count\"},{\"columnId\":\"EventAnomalies\",\"label\":\"Anomalies\"}]}},\"customWidth\":\"50\",\"name\":\"SecurityEventTable\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let EHP = union isfuzzy=true withsource=TableName ExchangeHttpProxy, blabla*, Event | where TableName != \\\"Event\\\";\\r\\nlet Env = ExchangeConfiguration(SpecificSectionList=\\\"ESIEnvironment\\\")\\r\\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\\r\\n| project DomainFQDN_, 
ESIEnvironment;\\r\\nEHP \\r\\n| where TimeGenerated > ago(90d)\\r\\n| extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\\r\\n | join kind=leftouter ( \\r\\n Env\\r\\n ) on $left.DomainEnv == $right.DomainFQDN_\\r\\n| extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\\\"Unknown-\\\",DomainEnv))\\r\\n| where ESIEnvironment in ('{EnvironmentList}')\\r\\n| summarize Total=count() by Computer\\r\\n| join (EHP\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\\r\\n | join kind=leftouter ( \\r\\n Env\\r\\n ) on $left.DomainEnv == $right.DomainFQDN_\\r\\n | extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\\\"Unknown-\\\",DomainEnv))\\r\\n | where ESIEnvironment in ('{EnvironmentList}')\\r\\n | make-series EventCount=count() on TimeGenerated from ago(90d) to now() step 1d by Computer\\r\\n | extend EventAnomalies=series_decompose_anomalies(EventCount)\\r\\n) on Computer\\r\\n| extend Computer = strcat(\\\"💻 \\\", Computer)\\r\\n| project-away TimeGenerated, Computer1\\r\\n| sort by Total desc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"title\":\"ExchangeHttpProxy table\",\"noDataMessage\":\"No Exchange HTTP Proxy 
Data\",\"noDataMessageStyle\":2,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":4,\"formatOptions\":{\"min\":1000,\"palette\":\"blue\",\"customColumnWidthSetting\":\"70px\"}},{\"columnMatch\":\"EventCount\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"200px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"EventAnomalies\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redDark\",\"customColumnWidthSetting\":\"200px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Count\"},{\"columnId\":\"EventAnomalies\",\"label\":\"Anomalies\"}]}},\"customWidth\":\"50\",\"name\":\"ExchangeHttpProxyTable\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Stats\"},\"name\":\"group - 7\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityMonitoring\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
- "sourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
}
},
@@ -2919,7 +5911,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Microsoft Exchange Security Review Workbook with template version 3.1.5",
+ "description": "Microsoft Exchange Security Review Workbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion4')]",
@@ -2937,9 +5929,9 @@ }, "properties": { "displayName": "[parameters('workbook4-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Security Review\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"743317e2-ebcf-4958-861d-4ff97fc7cce1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"On-Premises\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = 
iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true 
}\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":1,\"content\":{\"json\":\"This workbook helps review your Exchange Security configuration.\\r\\nSelect your Exchange Organization and adjust the time range.\\r\\nBy default, the Help won't be displayed. To display the help, choose Yes on the toogle buttom \\\"Show Help\\\"\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Mailbox Access\",\"subTarget\":\"Delegation\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true},{\"id\":\"be02c735-6150-4b6e-a386-b2b023e754e5\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Exchange & AD Groups\",\"subTarget\":\"ExchAD\",\"style\":\"link\"},{\"id\":\"30dc6820-339d-4fa9-ad79-5d79816a5cab\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Local Administrators\",\"subTarget\":\"Server\",\"style\":\"link\"},{\"id\":\"571fa2a4-1f1e-44a2-ada0-ccfb31b9abbb\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Exchange Security Configuration\",\"subTarget\":\"SecConf\",\"style\":\"link\"},{\"id\":\"26c68d90-925b-4c3c-a837-e3cecd489b2d\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Transport Configuration\",\"subTarget\":\"Transport\",\"style\":\"link\"},{\"id\":\"eb2888ca-7fa6-4e82-88db-1bb3663a801e\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook 
Summary\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"TopMenuTabs\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\n\\r\\nThe goal of this workbook is to outline key security configurations of your Exchange On-Premises environment.\\r\\n\\r\\nMost of Exchange organizations have were installed years ago (sometimes more than 10 years). Many configurations have been done and might not have been documented. For most environments, the core commitment was maintaining a high availability of the users’ mailboxes putting aside other consideration (even security considerations). Recommended security practices have also evolved since the first released and a regular review is necessary.\\r\\n\\r\\nThis workbook is designed to show your Exchange organization is configured with a security point of view. Indeed, some configurations easy to display as there are no UI available.\\r\\n\\r\\nFor each configuration, you will find explanations and recommendations when applicable.\\r\\n\\r\\n- This workbook does not pretend to show you every weak Security configurations, but the most common issues and known to be used by attackers. 
\\r\\n- It will not show you if you have been comprised, but will help you identify unexpected configuration.\\r\\n\\r\\n----\\r\\n\\r\\n## Quick reminder of how Exchange works\\r\\n\\r\\nDuring Exchange installation two very important groups are created :\\r\\n- Exchange Trusted Subsystem : Contain all the computer accounts for Exchange Server\\r\\n- Exchange Windows Permissions : Contain the group Exchange trusted Subsystem\\r\\n\\r\\nThese groups have :\\r\\n- Very high privileges in ALL AD domains including the root domain\\r\\n- Right on any Exchange including mailboxes\\r\\n\\r\\nAs each Exchange server computer account is member of Exchange Trusted Subsystem, it means by taking control of the computer account or being System on an Exchange server you will gain access to all the permissions granted to Exchange Trusted Subsystem and Exchange Windows Permissions.\\r\\n\\r\\nTo protect AD and Exchange, it is very important to ensure the following:\\r\\n- There is a very limited number of persons that are local Administrator on Exchange server\\r\\n- To protect user right like : Act part of the operating System, Debug\\r\\n\\r\\nEvery service account or application that have high privileges on Exchange need to be considered as sensitive\\r\\n\\r\\n** 💡 Exchange servers need to be considered as very sensitive servers**\\r\\n\\r\\n-----\\r\\n\\r\\n\\r\\n## Tabs\\r\\n\\r\\n### Mailbox Access\\r\\n\\r\\nThis tab will show you several top sensitive delegations that allow an account to access, modify, act as another user, search, export the content of a mailbox.\\r\\n\\r\\n### Exchange & AD Groups\\r\\n\\r\\nThis tab will show you the members of Exchange groups and Sensitive AD groups.\\r\\n\\r\\n### Local Administrators\\r\\n\\r\\nThis tab will show you the non standard content of the local Administrators group. 
Remember that a member of the local Administrators group can take control of the computer account of the server and then it will have all the permissions associated with Exchange Trusted Subsytem and Exchange Windows Permissions\\r\\n\\r\\nThe information is displayed with different views : \\r\\n- List of nonstandard users\\r\\n- Number of servers with a nonstandard a user\\r\\n- Nonstandard groups content\\r\\n- For each user important information are displayed like last logon, last password set, enabled\\r\\n\\r\\n### Exchange Security configuration\\r\\n\\r\\nThis tab will show you some important configuration for your Exchange Organization\\r\\n- Status of Admin Audit Log configuration\\r\\n- Status of POP and IMAP configuration : especially, is Plaintext Authentication configured ?\\r\\n- Nonstandard permissions on the Exchange container in the Configuration Partition\\r\\n\\r\\n### Transport Configuration\\r\\n\\r\\nThis tab will show you the configuration of the main Transport components\\r\\n- Receive Connectors configured with Anonymous and/or Open Relay\\r\\n- Remote Domain Autoforward configuration\\r\\n- Transport Rules configured with BlindCopyTo, SendTo, RedirectTo\\r\\n- Journal Rule and Journal Recipient configurations\\r\\n- Accepted Domains with *\\r\\n\\r\\n\"},\"name\":\"WorkbookInfo\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"InformationTab\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Security Configuration for the Exchange environment\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays several security information regarding the organization or server's configuration.\"},\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"This section display the Exchange version and the CU installed.\\r\\n\\r\\nFor the latest build number, check this link : Exchange Build Numbers\\r\\n\\r\\nThis 
section is built from a file located in the public github repository.\\r\\nThe repository is manually updated by the team project when new CU/SU are released.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ServerVersionCheckHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExchBuildNumber.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\\r\\n//ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Minor,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Build)\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExchVersion\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\\r\\n| extend Server = tostring(ProcessedByServer_s)\\r\\n| extend CmdletResultType = tostring(CmdletResultType)\\r\\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\\r\\n| distinct Server,VersionNumber,Productname,CU,SU,CmdletResultType\\r\\n| extend Server = strcat(\\\"💻 \\\",Server)\\r\\n| extend Productname = case ( VersionNumber startswith \\\"15.02\\\", \\\"Exchange 2019\\\", VersionNumber startswith \\\"15.01\\\", \\\"Exchange 2016\\\", VersionNumber startswith \\\"15.00\\\",\\\"Exchange 
2013\\\", \\\"Exchange 2010\\\")\\r\\n| extend CU = iff(CmdletResultType <>\\\"Success\\\", \\\"Unable to retrieve information from server\\\", iff(CU <> \\\"\\\", CU, \\\"New CU or SU not yet in the List\\\"))\\r\\n| extend SU = iff(CmdletResultType <>\\\"Success\\\", \\\"Unable to retrieve information from server\\\", iff( SU <> \\\"\\\", SU, \\\"New CU or SU not yet in the List\\\"))\\r\\n|project-away CmdletResultType\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange servers CU-SU level\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersList\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExchBuildNumber.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExchVersion\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Minor,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Build)\\r\\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\\r\\n| extend Server = tostring(CmdletResultValue.Server)\\r\\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\\r\\n| extend CU = iff( CU <> \\\"\\\", CU, \\\"New CU/SU not yet in the CU List\\\")\\r\\n| extend Version =strcat 
(VersionNumber,\\\"-\\\",CU,\\\"-\\\",SU)\\r\\n| summarize dcount(Server) by Version\",\"size\":0,\"showAnalytics\":true,\"title\":\"Version break down\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"ExchangeServerVersionPie\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Admin Audit Log configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The Admin Audit log stores all the actions performed on Exchange Servers (except read actions such as Get/Test).\\r\\n\\r\\nAdmin Audit Log \\r\\n\\r\\nManage Admin Audit Log \\r\\n\\r\\n\\r\\nThis can be used to track \\r\\n- Unexpected behaviors\\r\\n- Who did a modification\\r\\n- Real actions performed by an account (the output could be used with to identify the necessary privileges)\\r\\n\\r\\nℹ️ Recommendations\\r\\n- Ensure that Admin Audit Log is not disabled\\r\\n- Ensure that critical Cmdlets have not been excluded\\r\\n- Ensure that AdminAuditLogCmdlets is set to * (list of audited Cmdlets)\\r\\n- Review the retention configuration for the Admin Audit Log content\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AdminAuditHelp\"},{\"type\":1,\"content\":{\"json\":\"Here the main settings for the Admin Audit Log. Remember that AdminAudit log need to be enabled and no cmdlet should be excluded. 
Also check the retention limit.\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, Parameters:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/CmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\\r\\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\\r\\n| project AdminAuditLogExcludedCmdlets);\\r\\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend AdminAuditLogEnabled = iff(CmdletResultValue.AdminAuditLogEnabled == \\\"FALSE\\\", \\\" ❌ Disabled, High Risk\\\", \\\"✅ Enabled\\\")\\r\\n| extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\\r\\n| extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit,8)\\r\\n| extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit,0,indexof(AdminAuditLogAgeLimit, ','))\\r\\n| extend AdminAuditLogAgeLimit = iff(toint(AdminAuditLogAgeLimit) == 0,strcat(\\\"❌ No AdminAuditlog recorded \\\",AdminAuditLogAgeLimit), iff(toint(AdminAuditLogAgeLimit) <=30,strcat(\\\"⚠️ Value to low except if exported \\\",AdminAuditLogAgeLimit), strcat(\\\"✅\\\",AdminAuditLogAgeLimit)))\\r\\n| extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\\r\\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,2)\\r\\n| 
extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,0,indexof(AdminAuditLogCmdlets, '\\\"]') )\\r\\n| extend AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets,'\\\"',\\\"\\\")\\r\\n| extend Comment_AdminAuditLogCmdlets = iff( AdminAuditLogCmdlets == \\\"*\\\",\\\"✅ Default configuration\\\",\\\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\\\")\\r\\n| extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\\r\\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,2)\\r\\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,0,indexof(AdminAuditLogExcludedCmdlets, ']'))\\r\\n| extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets,'\\\"',\\\"\\\")\\r\\n//| extend Cmdlet = replace_string(AdminAuditLogExcludedCmdlets,'\\\"',\\\"\\\")\\r\\n//| extend AALECSplit = tostring(split(AdminAuditLogExcludedCmdlets,\\\",\\\"))\\r\\n| project-away CmdletResultValue\\r\\n| extend Comment_AdminAuditLogExcludedCmdlet = case( isnotempty( SentsitivecmdletTrack ),\\\"❌ Some excluded CmdLets are part of Sensitive Cmdlets\\\",AdminAuditLogExcludedCmdlets <>\\\"\\\",\\\"⚠️ Some Cmdlets are excluded \\\",\\\"✅ No Excluded CmdLet\\\")\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Comment_AdminAuditLogCmdlets\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70ch\"}}],\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"AdminAuditLogCmdlets\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"AdminAuditLogCmdlets\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 0Admin Audit Log configuration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\"},\"name\":\"POP 
authentication configuration\"},{\"type\":1,\"content\":{\"json\":\"### POP authentication configuration\"},\"name\":\"text - 11\"},{\"type\":1,\"content\":{\"json\":\"If the POP Service is started, the LoginType should not set to Plaintext. This means that the password will be sent in clear on the network. As POP is enabled by default on all the mailboxes, this represents a high security risk.\\r\\n\\r\\nPOP Authentication\\r\\n- **PlainText** TLS encryption is not required on port 110. Usernames and passwords are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\\r\\n- **PlainTextAuthentication** TLS encryption is not required on port 110. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\\r\\n- **SecureLogin** Connection on port 110 must use TLS encryption before authenticating.\\r\\n\\r\\nℹ️ Recommendations\\r\\nDisable POP on all mailboxes except those who need to actually use this protocol.\\r\\nSet the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application.\\r\\n\\r\\nIf the application is not able to perform this type of authentication:\\r\\n- Ensure that POP is disabled on all the mailboxes except those who really need it \\r\\n- Monitor the POP connections\\r\\n- Change the password of the application on a regular basis\\r\\n\\r\\nRecommended Reading : \\r\\n\\r\\nConfiguring Authentication for POP3 and IMAP4\\r\\n \\r\\n Set-PopSettings\\r\\n\\r\\n\\r\\nIn order to track mailboxes that are currently using POP\\r\\n- Enable POP logging\\r\\n- Set-PopSettings -Server SRV1 -ProtocolLogEnabled verbose\\r\\n- Several weeks later, analyze the log content\\r\\n- Default location : - Get-PopSettings -server SRV1 | fl server,*log*\\r\\n- Check for connection and 
authentication\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"PopServiceHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"PopSettings\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangePop3\\\")\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n| join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangePop3BE\\\" )\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n| extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n| extend Status = 
tostring(Status)\\r\\n| extend BackendEndService= tostring(ServiceName1)\\r\\n| extend StartupType = tostring(StartupType)\\r\\n| extend BEStatus = tostring(Status1)\\r\\n| extend BEStartupType = tostring(StartupType1)\\r\\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n| sort by ServerName asc\",\"size\":1,\"showAnalytics\":true,\"title\":\"Pop Authentication : should not be set as Plaintext\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LoginType\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":0,\"formatOptions\":{\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"LoginType\"],\"finalBy\":\"LoginType\"}}},\"name\":\"PopSettingsQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"### IMAP authentication configuration\"},\"name\":\"IMAPTitle\"},{\"type\":1,\"content\":{\"json\":\"If the IMAP Service is started, the LoginType should not set to Plaintext. This means that the passwords will be sent in clear over the network. As IMAP is enabled by default on all the mailboxes, this is a high security risk.\\r\\n\\r\\nIMAP Authentication\\r\\n- **PlainText** TLS encryption is not required on port 110. User name and password are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\\r\\n- **PlainTextAuthentication** TLS encryption is not required on port 143. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\\r\\n- **SecureLogin** Connection on port 143 must use TLS encryption before authenticating.\\r\\n\\r\\nℹ️ Recommendations \\r\\nDisable IMAP on all mailboxes except those which needs to use this protocol. 
Set the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application accordingly.\\r\\n\\r\\nIf the application is not able to perform this type of authentication:\\r\\n- Ensure that IMAP is disable on all the mailboxes except those who really need it \\r\\n- Monitor the connection\\r\\n- Regularly, change the password of the application\\r\\n\\r\\nRecommended Reading : \\r\\n\\r\\nConfiguring Authentication for POP3 and IMAP4\\r\\n\\r\\n Set-IMAPSettings\\r\\n\\r\\n\\r\\n\\r\\nIn order to track mailboxes that are currently using IMAP\\r\\n- Enable IMAP logging\\r\\n- Set-IMAPSettings -Server SRV1 -ProtocolLogEnabled verbose\\r\\n- Several weeks later, analyze the log content\\r\\n- Default location : Get-IMAPSettings -server SRV1 | fl server,*log*\\r\\n- Check for connection and authentication\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"IMAPHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"IMAPSettings\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangeIMAP4\\\")\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n| join 
(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangeIMAP4BE\\\" )\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n| extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n| extend Status = tostring(Status)\\r\\n| extend BackendEndService= tostring(ServiceName1)\\r\\n| extend StartupType = tostring(StartupType)\\r\\n| extend BEStatus = tostring(Status1)\\r\\n| extend BEStartupType = tostring(StartupType1)\\r\\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n| sort by ServerName asc\",\"size\":1,\"showAnalytics\":true,\"title\":\"IMAP Authentication : should not be set as Plaintext\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LoginType\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"LoginType\"],\"finalBy\":\"LoginType\"}}},\"name\":\"IMAPSettingsQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Nonstandard permissions on Configuration 
Partitions\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section highlights nonstandard permissions on Configuration Partition for Exchange container. By selecting Yes for Generic All buttom only delegation set for Generic All will be display. Standard, Deny and inherited permissions have been removed\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"During the lifetime of an Exchange Organization, many permissions may have been set on Exchange containers in the Configuration Partition.\\r\\nThis section displayed all the nonstandard permissions found on the most important Exchange containers :\\r\\n - Groups from legacy Exchange versions (Exchange Enterprise Servers, Exchange Domain Servers,...)\\r\\n - SID for deleted accounts\\r\\n - Old service accounts (that may not have been disabled or removed...)\\r\\n \\r\\nWhen an administrator run setup /prepareAD, his account will be granted Generic All at the top-level Exchange container\\r\\n\\r\\nBy default, this section only displayed the Generic All permissions.\\r\\n \\r\\nThis section is built by removing all the standard AD and Exchange groups.\\r\\n\\r\\n Exchange 2013 deployment permissions reference\\r\\n \\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"80f9134a-420f-47c9-b171-1ca8e72efa3e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"GenericAll\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"},{\"id\":\"29e2005c-3bd4-4bb8-be63-053d11abe1d4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NonStandardPermissions\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": 
\\\"True\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Authenticated Users\\\", \\\"Domain Admins\\\", \\\"Enterprise Admins\\\",\\\"Schema Admins\\\", \\\"Exchange Trusted Subsystem\\\", \\\"Exchange Servers\\\",\\\"Organization Management\\\", \\\"Public Folder Management\\\",\\\"Delegated Setup\\\", \\\"ANONYMOUS LOGON\\\", \\\"NETWORK SERVICE\\\", \\\"SYSTEM\\\", \\\"Everyone\\\",\\\"Managed Availability Servers\\\"]);\\r\\nlet Exchsrv =ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| summarize make_list(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"PartConfPerm\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Deny !contains \\\"True\\\" and CmdletResultValue.IsInherited !contains \\\"True\\\"\\r\\n| where (CmdletResultValue.AccessRights == \\\"[983551]\\\") in ({GenericAll})\\r\\n| where not (CmdletResultValue.UserString has_any (StandardGroup)) in ({NonStandardPermissions})\\r\\n| where not (CmdletResultValue.UserString has_any (Exchsrv))in ({NonStandardPermissions})\\r\\n| extend Name = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend Account = tostring(CmdletResultValue.UserString )\\r\\n| extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \\\"GenericAll\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AccessRightsString)), 
tostring(CmdletResultValue.AccessRightsString))\\r\\n| extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \\\"-As\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\\r\\n| extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\\r\\n| extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\\r\\n| project-away CmdletResultValue\\r\\n| sort by DN desc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"AccessRights\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"AccessRights\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Nonstandard permissions on Configuration Partitions\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"SecConf\"},\"name\":\"Security Configuration for the Exchange environment\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays important security configurations that allow access to all or partial mailboxes' content - Direct delegations are not listed - Example :
\\r\\n- Permissions Full Access \\r\\n- Permission on mailboxes folders\\r\\n\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n//| where CmdletResultValue.Name !contains \\\"Deleg\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\"\\r\\n| where CmdletResultValue.Name !contains \\\"Deleg\\\" \\r\\n| where CmdletResultValue.RoleAssigneeName !in (\\\"Hygiene Management\\\",\\\"Exchange Online-ApplicationAccount\\\",\\\"Discovery Management\\\")\\r\\n| where CmdletResultValue.Role.Name contains \\\"Export\\\" or CmdletResultValue.Role.Name contains \\\"Impersonation\\\" or (CmdletResultValue.Role.Name contains \\\"Search\\\" and CmdletResultValue.Role.Name !contains \\\"MailboxSearchApplication\\\")\\r\\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role.Name)\",\"size\":1,\"showAnalytics\":true,\"title\":\"Number of delegations for sensitive RBAC roles\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"role\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_RoleAssigneeName\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"role\",\"sortOrderField\":1}},\"name\":\"MRAQuery\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Application Impersonation 
Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows the delegated account to access and modify the content of every mailboxes using EWS.\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes using EWS. \\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nIt should be carefully delegated. When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\\r\\n\\r\\nHelp for the role Application Impersonation\\r\\n\\r\\nIt is common (but not recommended) to see service accounts from backup solution, antivirus software, MDM... with this delegation.\\r\\n\\r\\nNote that the default configuration to the group Hygiene Management is excluded. This group is a sensitive group. Remember to monitor the content of this group.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.Role.Name contains \\\"Impersonation\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n//| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend 
RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", \\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, 
WhenChanged\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Application Impersonation Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Import Export Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to export the content all mailboxes in a scope in PST file.\\r\\nExcluded from the result as default configuration :\\r\\nDelegating delegation to Organization Management\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Import Export** is a RBAC role that allows an account to export the content of any maibox in a PST. It also allows search in all mailboxes.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is not delegated to any user or group. 
The members of the group Organization Management by default do not have this role but are able to delegate it.\\r\\n\\r\\nHelp for the role Mailbox Import Export\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n- create an empty group with this delegation\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ExportRoleHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Role.Name contains \\\"export\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", \\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = 
case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, RoleAssigneeType,Status, CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Import Export Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Search Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to 
search inside all or in a scope of mailboxes and export the result in PST.\\r\\nExcluded from the result as default configuration :\\r\\nDelegating delegation to Organization Management\\r\\nExchange Online-ApplicationAccount\\r\\nDiscovery Management has been excluded\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Search** is an RBAC role that allows an account to search in any mailbox and export the results to a PST.\\r\\n\\r\\n⚡ This role is very powerful.\\r\\n\\r\\nBy default, this role is only delegated to the group Discovery Management. The members of the group Organization Management do not have this role but are able to delegate it.\\r\\n\\r\\nHelp for the role Mailbox Search\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n\\r\\n- add the administrators in the Discovery Management group\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Role.Name contains \\\"search\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| where CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\"\\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend 
CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", \\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, 
ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Search Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"ReceiveAs/SendAs Extended Right on databases\",\"items\":[{\"type\":1,\"content\":{\"json\":\"These are delegations at the database level.\\r\\n\\r\\n**Receive As Extended Right on database's objects in the Configuration**\\r\\n\\r\\nWhen an account has **ReceiveAs** permissions on a database's object, it can open and view the content of any mailboxes on that database.\\r\\n\\r\\nHelp for Receive As Permission\\r\\n\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person.Change the password as often as possible.\\r\\n\\r\\n**Send As Extended Right on database objects in the Configuration**\\r\\n\\r\\n\\r\\nWhen an account has **SendAs** permissions on a database's object, it can send messages from all the mailboxes contained in this database. The messages that are sent from a mailbox will appear as if the mailbox owner sent them.\\r\\n\\r\\nHelp for Send As Permission\\r\\n\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nDo not set this permission on databases. 
When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person.Change the password as often as possible.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SendAsHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| union ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| summarize dcount(tostring(CmdletResultValue.UserString)) by iff( tostring(Section) contains \\\"MailboxDatabaseReceiveAs\\\",\\\"ReceiveAs Unique Acct\\\",\\\"SendAs Unique Acct\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Number of accounts with ReceiveAs/SendAs 
delegations\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_UserString\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"Column1\",\"sortOrderField\":1}},\"customWidth\":\"50\",\"name\":\"ReceiveAsUsersTiles\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| union ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| summarize dcount(tostring(CmdletResultValue.Identity.Name)) by iff( tostring(Section) contains \\\"MailboxDatabaseReceiveAs\\\",\\\"ReceiveAs Unique DB\\\",\\\"SendAs Unique DB\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"ReceiveAs/SendAs database 
delegations\",\"color\":\"purple\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_Identity_Name\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"Column1\",\"sortOrderField\":1}},\"customWidth\":\"50\",\"name\":\"ReceiveAsTiles\",\"styleSettings\":{\"margin\":\"25\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| extend Account = tostring(CmdletResultValue.UserString)\\r\\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n| summarize Count =count() by Account,DatabaseName\\r\\n| project Account,Count,DatabaseName\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"ReceiveAs Extended Right on databases\",\"noDataMessage\":\"No Receive-As 
delegation\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Account\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Account\"],\"finalBy\":\"Account\"},\"sortBy\":[{\"itemKey\":\"$gen_count_$gen_group_0\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"Account\",\"comment\":\"Account and the number of databases on which it has delegation \"}]},\"sortBy\":[{\"itemKey\":\"$gen_count_$gen_group_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"MailboxDatabaseReceiveAsGrid\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| extend Account = tostring(CmdletResultValue.UserString)\\r\\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n| summarize Count =count() by Account, DatabaseName\\r\\n| project Account, Count, DatabaseName\",\"size\":1,\"showAnalytics\":true,\"title\":\"SendAs Extended Right on databases\",\"noDataMessage\":\"No Send-As 
delegation\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Account\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Sum\",\"compositeBarSettings\":{\"labelText\":\"\"}}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Account\"],\"finalBy\":\"Account\"},\"labelSettings\":[{\"columnId\":\"Account\",\"comment\":\"Account and the number of databases on which it has delegation \"}]}},\"customWidth\":\"50\",\"name\":\"MailboxDatabaseSendAsGrid\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ReceiveSendAs\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Delegation\"},\"name\":\"Importantsecurityconfiguration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Local Administrators\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The following section will display the content of the local Administrators group for each server\\r\\n\\r\\n** When content refer to groups from other forests, none or partial information will be displayed and the number of Administrators may be inconsistent. **\\r\\n\\r\\nMost of the sections display the same information but with differents sorting, displays...\"},\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"Only Exchange administrators should be members of the local Administrators group of Exchange servers.\\r\\n\\r\\nYou need to review the content of the local Administrators group on a regular basis.\\r\\n\\r\\nIt is considered a high security risk to have a discrepancy of members between the servers. \\r\\n\\r\\nIt is not recommended to have more than one local administrator accounts. Furthermore, the password should be unique on each server and regularly changed. 
A solution like LAPS could be used to manage the local administrator password.\\r\\n\\r\\nOnly Exchange administrators should be able to logon on Exchange servers.\\r\\n\\r\\nHere the default content of the local Administrators group for an Exchange server \\r\\n:\\r\\n- Administrator (this account can be renamed)\\r\\n- Domain Admins\\r\\n- Exchange Trusted Subsystem\\r\\n- Organization Management\\r\\n\\r\\n**Service accounts should not be members of the local Administrators group**. If it is necessary, you need to ensure that the account is dedicated to Exchange. If the service account opens sessions on other servers, it can be used for lateral movements. \\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"LocalAdminsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"dfffbaa4-5888-41c2-b039-dafb6110260c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Limited\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":1,\"content\":{\"json\":\"**Top 10 servers with high number of unique local Administrators members**\"},\"name\":\"text - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where 
CmdletResultValue.Level != 0\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup)) in ({Limited})\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| where ObjectClass !contains \\\"group\\\"\\r\\n| summarize dcount(MemberPath) by Parentgroup\\r\\n| top 10 by dcount_MemberPath\\r\\n| sort by dcount_MemberPath\",\"size\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Click to see number of unique members for all servers\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Number of unique members for all servers\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup)) in ({Limited})\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local 
Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| where ObjectClass !contains \\\"group\\\"\\r\\n| summarize dcount(MemberPath) by Parentgroup\\r\\n| sort by dcount_MemberPath\",\"size\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 9 - Copy\"}]},\"name\":\"All servers number of members\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let allsrv = ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") | where \\r\\nCmdletResultValue.IsMailboxServer== true | extend Name=tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n| where CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Name = tostring(trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup)))\\r\\n| distinct Name\\r\\n| project Name\\r\\n| join kind=rightanti (allsrv) on Name\\r\\n| project CmdletResultValue.Name\",\"size\":4,\"title\":\"Servers not reachable\",\"noDataMessage\":\"All server were successfully 
analyzed\",\"noDataMessageStyle\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletResultValue_Name\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"name\":\"query - 9 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.ServerRole <> 64\\r\\n| count\\r\\n\",\"size\":4,\"title\":\"Number of servers\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\\r\\n| distinct Parentgroup = Parentgroup\\r\\n| count \",\"size\":4,\"title\":\"Number of Analyzed 
servers\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"This view shows each nonstandard user account that is member (directly or by a group) of the local Administrators group per server.\\r\\n\\r\\nConsider reviewing:\\r\\n- **nonstandard members** the Memberpath help to understand from which group the user comprised\\r\\n- **inconsistent memebrs** across servers\\r\\n\\r\\nNote that content from Trusted forests might not be displayed. \",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"LocalAdminPerServersHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0 \\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\\r\\n| extend Enabled = 
tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| summarize Count=count() by MemberPath,Parentgroup,Level,ObjectClass,LastLogon,LastPwdSet,Enabled,DN\\r\\n| project Parentgroup = strcat(\\\"💻 \\\",Parentgroup),Count,MemberPath,Level,ObjectClass,LastLogon,LastPwdSet,Enabled,DN\\r\\n| sort by Parentgroup asc \",\"size\":1,\"showAnalytics\":true,\"title\":\" Total Non standard Groups and accounts including nested groups\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Parentgroup\",\"formatter\":5,\"formatOptions\":{\"aggregation\":\"Count\"}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Parentgroup\"],\"finalBy\":\"Parentgroup\"},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"Parentgroup\",\"label\":\"Server\"}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"name\":\"LocalAdminPerServers\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend MemberPath 
= tostring(CmdletResultValue.MemberPath)\\r\\n| extend MemberPath = case( ObjectClass == \\\"group\\\", strcat( \\\"👪 \\\", MemberPath), ObjectClass == \\\"computer\\\", strcat( \\\"💻 \\\", MemberPath), strcat( \\\"🧑‍🦰 \\\", MemberPath) )\\r\\n| project-away CmdletResultValue\\r\\n//| summarize Count=count(), Servers=make_set(Parentgroup) by MemberPath\\r\\n| summarize Count=count() by MemberPath,Parentgroup \\r\\n| sort by Count desc\",\"size\":1,\"showAnalytics\":true,\"title\":\"Non Standard accounts summary\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Group\",\"formatter\":1},{\"columnMatch\":\"MemberPath\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Member\",\"formatter\":1}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"MemberPath\"],\"expandTopLevel\":false},\"labelSettings\":[{\"columnId\":\"MemberPath\",\"label\":\"MemberPath\"},{\"columnId\":\"Parentgroup\",\"label\":\"Servers\"},{\"columnId\":\"Count\",\"label\":\"Nb Servers\"}]}},\"name\":\"LocalAdminCount\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"##### Select a server to display its content\\r\\n\\r\\nBy default only the non-standard members are displayed. 
\\r\\n\\r\\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"19e606d9-7f3e-4d2f-a314-892da571e50a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\\r\\n| distinct Parentgroup = Parentgroup\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"05ef4f1c-4cf4-406f-9fb2-9ee30dc93abd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Limited\",\"label\":\"Show only nonstandard members\",\"type\":10,\"description\":\"Show only non standard members\",\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\",\"value\":\"True\"},{\"id\":\"901bf975-426f-486b-82de-ff0d64f139bb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", 
\\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"},{\"id\":\"2f7a613f-8749-44c9-b8be-844964badef8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0 \\r\\n| where CmdletResultValue.Parentgroup contains \\\"{Server}\\\"\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup)) in ({Limited})\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or 
tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ Never logged\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(365d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ Password never set\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| project-away CmdletResultValue\\r\\n| sort by MemberPath asc\\r\\n| project-away Parentgroup\",\"size\":1,\"showAnalytics\":true,\"title\":\"Local Administrators group 
content\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Server\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"AdGroups\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Server\"},\"name\":\"Local Administrators\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange and AD GRoup\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays the content of high privilege groups in Exchange and AD.\"},\"name\":\"text - 7\"},{\"type\":1,\"content\":{\"json\":\"The **Exchange Trusted Subsystem** group is one the two most sensistive groups in Exchange. This group has all privileges in Exchange and very high privileges in AD.\\r\\n\\r\\nExchange 2013 deployment permissions reference\\r\\n\\r\\nThis group should only contains computer accounts for each Exchange servers. When the DAG has an IP and a CNO, it is acceptable to have the DAG's computer account.\\r\\n\\r\\nThis section only shows direct nonstandard members.\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ExchangeTrustedSubsystemHelp\"},{\"type\":1,\"content\":{\"json\":\"The **Exchange Windows Permissions** group is one the two most sensistive groups in Exchange. This group has very high privileges in AD.\\r\\n\\r\\nExchange 2013 deployment permissions reference\\r\\n\\r\\nThis group should only contains the group Exchange Trusted SubSystem. This section only shows direct nonstandard members. 
\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"WindowsPermissionGroupTileHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETSValidcontent = union kind=outer (ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(CmdletResultValue.Name)), (ExchangeConfiguration(SpecificSectionList=\\\"DAG\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(Identity));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ETS\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETSValidcontent)\\r\\n| summarize MyCount=countif( CmdletResultType == \\\"Success\\\") by CmdletResultType\\r\\n| project Result = iff ( CmdletResultType == \\\"Success\\\", tostring(MyCount), \\\"\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Trusted SubSystem group nonstandard member count\",\"noDataMessage\":\"Content of group as 
Expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletResultValue_Name\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Result\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"ScriptError\"}},\"showBorder\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersTileGroup1Query\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETScontent = ExchangeConfiguration(SpecificSectionList=\\\"ETS\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") | project Name = tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"EWP\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETScontent) and CmdletResultValue.Name != \\\"Exchange Trusted Subsystem\\\"\\r\\n| extend Result = iff ( CmdletResultType == \\\"Success\\\", \\\"\\\", \\\"Error in the script unable to retrieve value\\\")\\r\\n| summarize MyCount=countif( CmdletResultType == \\\"Success\\\") by CmdletResultType\\r\\n| project Result = iff ( CmdletResultType == \\\"Success\\\", tostring(MyCount), \\\"\\\")\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Windows Permissions group direct nonstandard members (Exchange Trusted subsystem non standard content not included)\",\"noDataMessage\":\"Content of group as 
expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletResultValue_Name\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Result\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"ScriptError\"}},\"showBorder\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersTileGroup2Query\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange Windows Permissions direct nonstandard content (Exchange Trusted subsystem non standard content not included)\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETSValidcontnet = union kind=outer (ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(CmdletResultValue.Name)), (ExchangeConfiguration(SpecificSectionList=\\\"DAG\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(Identity));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ETS\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETSValidcontnet)\\r\\n//| extend Name = strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name))\\r\\n| extend Name = iff(CmdletResultType == \\\"Success\\\", strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name)),\\\"Script was unable to retrieve data\\\")\\r\\n| project Name 
\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Trusted SubSystem nonstandard content\",\"noDataMessage\":\"Content of Exchange Trusted SubSystem as Expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"ETSDetails\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETScontent = ExchangeConfiguration(SpecificSectionList=\\\"ETS\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") | project Name = tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"EWP\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETScontent) and CmdletResultValue.Name != \\\"Exchange Trusted Subsystem\\\"\\r\\n//| extend Name = strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name))\\r\\n| extend Name = iff(CmdletResultType == \\\"Success\\\", strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name)),\\\"Script was unable to retrieve data\\\")\\r\\n| project Name \",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Windows Permissions direct nonstandard content (Exchange Trusted subsystem non standard content not included)\",\"noDataMessage\":\"Content of Exchange Windows Permissions as Expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"WindowsPermissionsQuery\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ETS and WP Grids\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange groups from old Exchange 
version\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Groups from old Exchange version should have been removed\\r\\n- List of old groups \\r\\n\\t- Exchange Organization Administrators\\r\\n\\t- Exchange Recipient Administrators\\r\\n\\t- Exchange Public Folder Administrators\\r\\n\\t- Exchange Server Administrator\\r\\n\\t- Exchange View-Only Administrator\\r\\n\\t- Exchange Enterprise Servers (located in the root domain)\\r\\n\\t- Exchange Domain Servers : one group per domain\\r\\n\\r\\n\\r\\nHelp for Built-in role groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nlet OldVGroup = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")| where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"| extend Parentgroup = tostring(CmdletResultValue.Parentgroup));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\") |union OldVGroup\\r\\n| where CmdletResultValue.Level != 0 and CmdletResultValue.ObjectClass !contains \\\"group\\\"\\r\\n| extend MemberPath= 
tostring(split(tostring(CmdletResultValue.MemberPath), \\\"\\\\\\\\\\\")[countof(tostring(CmdletResultValue.MemberPath), \\\"\\\\\\\\\\\")])\\r\\n| summarize dcount(tostring(MemberPath)) by Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| sort by dcount_MemberPath\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"noDataMessage\":\"No groups from old versions found\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Expand details on the content of old groups\",\"expandable\":true,\"expanded\":false,\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"let OldVGroup = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")| where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"| extend Parentgroup = tostring(CmdletResultValue.Parentgroup));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where CmdletResultValue.Parentgroup in (\\\"Exchange Organization 
Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\") |union OldVGroup\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a695df39-1965-479a-ad0f-b4d3d168aaed\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\\r\\n\"},{\"id\":\"2d69bad8-0904-467a-86e6-cb0923520c18\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 
10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"Old Exchange groups content groups (Extract for the OU \\\"Microsoft Exchange Security Groups\\\").\\r\\nSelect a group to display detailed information of its contents.\\r\\nLevel attribute helps you understand the level of nested groups.\\r\\n\\r\\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let OldVGroupEES = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n | where (CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.MemberPath != @\\\"Exchange Enterprise Servers\\\\Exchange Domain Servers\\\") or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled) );\\r\\nlet OldVGroupEDS = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='B13', Target = \\\"On-Premises\\\")\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.Level ==0\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| mv-expand CmdletResultValue.Members\\r\\n| where 
CmdletResultValue_Members.objectClass == \\\"group\\\"\\r\\n| project Parentgroup, MemberPath= strcat(Parentgroup,\\\"\\\\\\\\\\\", CmdletResultValue_Members.name), Level = tostring(1), ObjectClass = tostring(CmdletResultValue_Members.objectClass), DN = tostring(CmdletResultValue_Members.DistinguishedName), ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)| join kind=inner ( ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='B13', Target = \\\"On-Premises\\\")\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid)) on ObjectGuid) ;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='B13', Target = \\\"On-Premises\\\") \\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\")\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| union OldVGroupEES,OldVGroupEDS\\r\\n| search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago(0d) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago(0d) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| sort by 
tostring(CmdletResultValue.MemberPath) asc \\r\\n| where CmdletResultValue.Level != 0\\r\\n//| extend DN = tostring(CmdletResultValue.DN)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ Never logged\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ Password never set\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n| extend MemberPath = case(ObjectClass == \\\"group\\\", strcat(\\\"👪 \\\", MemberPath), ObjectClass == \\\"computer\\\", strcat(\\\"💻 \\\", MemberPath), strcat(\\\"🧑‍🦰 \\\", MemberPath))\\r\\n| project Parentgroup, MemberPath, Level, ObjectClass,LastLogon, LastPwdSet ,Enabled,DN\\r\\n\",\"size\":1,\"showAnalytics\":true,\"noDataMessage\":\"The query returned no results.\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5},{\"columnMatch\":\"Parentgroup\",\"formatter\":5},{\"columnMatch\":\"LastPwdSet\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5},{\"columnMatch\":\"Id\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"showPin\":true,\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 
5\"}]},\"name\":\"Exchange group from old Exchange versions\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Ensure that no service account are a member of the high privilege groups. Use RBAC to delegate the exact required permissions.\\r\\n- Limit the usage of nested group for administration.\\r\\n- Ensure that accounts are given only the required pernissions to execute their tasks.\\r\\n- Use just in time administration principle by adding users in a group only when they need the permissions, then remove them when their operation is over.\\r\\n- Limit the number of Organization management members. When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\\r\\n- Monitor the content of the following groups:\\r\\n - Organization Management\\r\\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\\r\\n - Discovery Management\\r\\n - Server Management\\r\\n - Hygiene Management\\r\\n - Exchange Servers\\r\\n - Exchange Trusted Subsystem \\r\\n - Exchange Windows Permissions\\r\\n - xxx High privilege group (not an exhaustive list)\\r\\n - All RBAC groups that have high roles delegation\\r\\n - All nested groups in high privileges groups\\r\\n - Note that this is not a complete list. 
The content of all the groups that have high privileges should be monitored.\\r\\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\\r\\n- Periodically review the members of the groups\\r\\n\\r\\nHelp for Built-in role groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Summary content of most important groups\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Level != 0 and CmdletResultValue.ObjectClass !contains \\\"group\\\"\\r\\n| extend MemberPath= tostring(split(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")[countof(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")])\\r\\n| summarize dcount(tostring(MemberPath)) by Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where Parentgroup in (\\\"Organization Management\\\", \\\"Compliance Management\\\", \\\"Discovery Management\\\", \\\"Server Management\\\", \\\"Recipient Manangement\\\",\\\"Security Administrator\\\", \\\"Hygiene Management\\\", \\\"Public Folder Manangement\\\", \\\"Records Manangement\\\") or Parentgroup contains \\\"Impersonation\\\" or Parentgroup contains \\\"Export\\\"\\r\\n| sort by 
dcount_MemberPath\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true}},\"name\":\"query - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Expand for summary content for all groups located in the OU Exchange Security Groups\",\"expandable\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Level != 0 and CmdletResultValue.ObjectClass !contains \\\"group\\\"\\r\\n| extend MemberPath= tostring(split(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")[countof(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")])\\r\\n| summarize dcount(tostring(MemberPath)) by Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| sort by dcount_MemberPath desc\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"OU Exchange Security Groups\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true}},\"showPin\":false,\"name\":\"query - 0 - Copy\"}]},\"name\":\"All 
groups\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Trusted Subsystem\\\"\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Windows Permissions\\\"\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"showExportToExcel\":true,\"showAnalytics\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f3b935d7-b78f-41d2-94bc-f8c878a13260\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon >\",\"type\":10,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"},{\"id\":\"3343688f-e609-4822-b4ed-cdd50b77d948\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set 
>\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"Exchange groups content (Extract for the OU \\\"Microsoft Exchange Security Groups\\\").\\r\\nSelect a group to display detailed information of its contents.\\r\\nLevel attribute helps you understand the level of nested groups.\\r\\n\\r\\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| sort by tostring(CmdletResultValue.MemberPath) asc \\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| extend MemberPath = 
tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| sort by MemberPath asc\\r\\n//| extend MemberPath = case( ObjectClass == \\\"group\\\", strcat( \\\"👪 \\\", MemberPath), ObjectClass == \\\"computer\\\", strcat( \\\"💻 \\\", MemberPath), strcat( \\\"🧑‍🦰 \\\", MemberPath) )\\r\\n| project-away CmdletResultValue,Parentgroup\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Exchange group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"AD Group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"High privileges AD groups can take 
control of Exchange by adding any accounts in the Exchange groups.\\r\\n\\r\\nNote that the members of the Account Operators are able to manage every AD group (except those protected by AdminSDHolder). This means they can manage the content of every high privilege Exchange groups.\\r\\n\\r\\nℹ️ It is recommended to not use this group and to monitor its changes.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ADGroupHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"268bd356-7d05-41c3-9867-00c6ab198c5a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"showExportToExcel\":true,\"showAnalytics\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},{\"id\":\"9d02cad2-f4c5-418d-976f-b88b56f80cb5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 
3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"},{\"id\":\"9e591429-d8ea-40c2-80c1-2426c72c92d5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":1,\"content\":{\"json\":\"Overview of high privileges AD Groups' content.\\r\\nSelect a group to display detailed information of its contents.\\r\\nLevel attribute helps you understand the level of nested groups.\\r\\n\\r\\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| sort 
by tostring(CmdletResultValue.MemberPath) asc \\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| sort by MemberPath asc\\r\\n//| extend MemberPath = case( ObjectClass == \\\"group\\\", strcat( \\\"👪 \\\", MemberPath), ObjectClass == \\\"computer\\\", strcat( \\\"💻 \\\", MemberPath), strcat( \\\"🧑‍🦰 \\\", MemberPath) )\\r\\n| project-away CmdletResultValue,Parentgroup\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5},{\"columnMatch\":\"Parentgroup\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"AD 
Group\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"ExchAD\"},\"name\":\"Exchange and AD GRoup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Security configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays differents security configuration for transport components.\"},\"name\":\"text - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\"\\r\\n| summarize Count = countif (CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\") by Name,tostring(CmdletResultValue.Server.Name)\\r\\n\",\"size\":0,\"title\":\"Anonymous Configuration\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"yAxis\":[\"Count\"],\"group\":\"CmdletResultValue_Server_Name\",\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"33\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RCAnonymous\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend Identity = tostring(Identity)\\r\\n|summarize count() by Identity\",\"size\":0,\"title\":\"OpenRelay with \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" for 
Anonymous\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.AuthMechanismString contains (\\\"ExternalAuthoritative\\\")\\r\\n| extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n| summarize count() by Name,Server\\r\\n\",\"size\":0,\"title\":\"Open Relay using with Externally Secure\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 2\"}]},\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors OpenRelay using Extended Right \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" for Anonymous\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This view shows all **Receive Connectors** configured configured as Open Relay with the Extended Rights \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" set on the Receive Connector object in the Configuration partition.\\r\\n\\r\\n\\r\\nRemember that with this configuration, the Exchange servers can be used to send emails outside the organization. Depending on the configuration, the connectors may be protected by IPs. However, IP protection is not safe configuration.\\r\\n\\r\\nYou can check if the \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" ExtendedRights has been added on the Receive connector for Anonymous with PowerShell: `Get-ReceiveConnector | Get-ADPermission | ? 
{$_.ExtendedRights -like \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\"}`\\r\\n\\r\\nAllow anonymous relay on Exchange server\\r\\n\\r\\nSee the section \\\"Receive Connectors with Anonymous Permission\\\" for additional information regarding Anonymous authentication and IP protection.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ReceiveConnectorsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"fa5f9749-d6f8-436f-ae00-cba306713bac\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.ServerRole <> \\\"64\\\"\\r\\n| extend SRVName = tostring(CmdletResultValue.Name)\\r\\n| distinct SRVName\\r\\n| sort by SRVName asc\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"14912e83-60a1-4a21-a34b-500d4662a666\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NoIPRestriction\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":\\\"False\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":1,\"content\":{\"json\":\"The toogle buttom help you to sort by:\\r\\n\\r\\n- Server\\r\\n- Receive connectors with no IP restrictions\"},\"name\":\"text - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RCAnonymous\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project Identity,CmdletResultValue\\r\\n| extend Identity = tostring(Identity)\\r\\n| extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.DistinguishedName,\\\",\\\",3)),\\\"[\\\\\\\"CN=\\\",\\\"\\\"),\\\"\\\\\\\"]\\\",\\\"\\\")\\r\\n|join kind=leftouter ( ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\") ) on $left.Identity == $right.Name\\r\\n| where CmdletResultValue1.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue1.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue1.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n| where CmdletResultValue1.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n| extend Server = tostring(CmdletResultValue1.Server.Name)\\r\\n| extend Name = tostring(CmdletResultValue1.Name)\\r\\n| extend TransportRole = iff(CmdletResultValue1.TransportRole== \\\"32\\\" , \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n| extend Enabled = tostring(CmdletResultValue1.Enabled)\\r\\n| extend PermissionGroups = tostring(CmdletResultValue1.PermissionGroupsString) \\r\\n| extend AuthMechanism = tostring(CmdletResultValue1.AuthMechanismString)\\r\\n| mv-expand RemoteIPall=CmdletResultValue1.RemoteIPRanges\\r\\n| mv-expand BindingAllall=CmdletResultValue1.Bindings\\r\\n| extend RemoteIP= RemoteIPall.Expression\\r\\n| extend IP= strcat (BindingAllall.Address,\\\"-\\\",BindingAllall.Port)\\r\\n| summarize Bindings = 
make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\\r\\n| sort by Server asc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"name\":\"RCAnonymousQuery\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Receive Connectors OpenRelay using Extended Right \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" for Anonymous\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors OpenRelay using Authentication ExternalAuthoritative\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This view shows all Receive Connectors configured with authentication set to Externally Secure. With this configuration the Receive connector will be allow as Open Relay.\\r\\n\\r\\nRemember that with this configuration, the Exchange servers can be used to send emails outside the organization. Depending on the configuration, the connectors may be protected by IP. 
However, IP protection is not safe configuration.\\r\\n\\r\\n\\r\\nAllow anonymous relay on Exchange server\\r\\n\\r\\nSee the section \\\"Receive Connectors with Anonymous Permission\\\" for additional information regarding Anonymous authentication and IP protection.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ReceiveConnectorsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"195a66a1-7aa2-4564-bd3b-233049d6f101\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.ServerRole <> \\\"64\\\"\\r\\n| extend SRVName = tostring(CmdletResultValue.Name)\\r\\n| distinct SRVName\\r\\n| sort by SRVName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4ef1d2a2-a13f-4bd4-9e66-2d9a15ad8a7a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NoIPRestriction\",\"type\":10,\"description\":\"See Receive Connectors with no IP restriction\",\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":\\\"False\\\" }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"The toogle buttom help you to sort by:\\r\\n\\r\\n- Server\\r\\n- Receive connectors with no IP restrictions\"},\"name\":\"text - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n| where CmdletResultValue.AuthMechanismString contains \\\"ExternalAuthoritative\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n| project CmdletResultValue\\r\\n| extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend TransportRole = iff(CmdletResultValue.TransportRole== \\\"32\\\" , \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n//| extend Bindings = iif(tostring(parse_json(tostring(CmdletResultValue.Bindings))[1].Port )!=\\\"\\\",tostring(strcat(tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Address),\\\"-\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Port),\\\",\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[1].Address),\\\"-\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[1].Port))),tostring(strcat(tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Address),\\\"-\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Port))))\\r\\n//| extend RemoteIPRanges = tostring(CmdletResultValue.RemoteIPRanges)\\r\\n| extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n| mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n| mv-expand 
BindingAllall=CmdletResultValue.Bindings\\r\\n| extend RemoteIP= RemoteIPall.Expression\\r\\n| extend IP= strcat (BindingAllall.Address,\\\"-\\\",BindingAllall.Port)\\r\\n| summarize Bindings = make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Receive Connectors configure with Externally Secured Authentication\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Security Transport Configuration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors with Anonymous Permission\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This view shows all Receive Connectors configured with Anonymous authentication. It is not recommended to configure connectors with Anonymous authentication.\\r\\n\\r\\nWhen configured with Anonymous and No Ip Restriction, any machine can initiate an SMTP session with the Receive Connectors. This can then be used send emails (SPAM/Virus/Phishing....) to all the mailboxes in the organization. The mail will be seen as an internal mail and might bypass some protections.\\r\\n\\r\\nIf you absolute need this configuration because some of your application does not support Authentication, it is strongly recommended to limit the IP addresses that can establish SMTP sessions with Exchange. 
Do not use range of subnet.\\r\\n\\r\\nThis section has an option button to display \\r\\n All Receive Connectors with Anonymous (No)\\r\\n All Receive Connectors with Anonymous and with no IP Restriction (Yes)\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ReceiveConnectorsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"195a66a1-7aa2-4564-bd3b-233049d6f101\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.ServerRole <> \\\"64\\\"\\r\\n| extend SRVName = tostring(CmdletResultValue.Name)\\r\\n| distinct SRVName\\r\\n| sort by SRVName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bcb24a01-9242-4fec-b30a-02b0583cbc87\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NoIPRestriction\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":\\\"False\\\" }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"The toogle buttom help you to sort by:\\r\\n\\r\\n- Server\\r\\n- Receive connectors with no IP restrictions\"},\"name\":\"text - 3 - 
Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n| where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n| project CmdletResultValue\\r\\n| extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend TransportRole = iff(CmdletResultValue.TransportRole== \\\"32\\\" , \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString) \\r\\n| extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n| mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n| mv-expand BindingAllall=CmdletResultValue.Bindings\\r\\n| extend RemoteIP= RemoteIPall.Expression\\r\\n| extend IP= strcat (BindingAllall.Address,\\\"-\\\",BindingAllall.Port)\\r\\n| summarize Bindings = make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Receive Connectors configure with Anonymous 
Permission\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Receive Connectors configure with Anonymous Permission\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Rules with specific actions to monitor\",\"items\":[{\"type\":1,\"content\":{\"json\":\"A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\\r\\n\\r\\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\\r\\n- BlindCopyTo\\r\\n- RedirectMessageTo\\r\\n- CopyTo\\r\\n\\r\\n\\r\\nFor more information :\\r\\nMail flow rules in Exchange Serve\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Identity = iif( CmdletResultValue.Identity contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n//| extend State = tostring(CmdletResultValue.State)\\r\\n| extend Status= iff ( tostring(CmdletResultValue.State)== \\\"Enabled\\\" or tostring(CmdletResultValue.State)== \\\"1\\\" , \\\"Enabled\\\",iff(tostring(CmdletResultValue.State)==\\\"\\\",\\\"\\\", \\\"Disabled\\\"))\\r\\n| extend SentTo = 
tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend Mode = tostring(CmdletResultValue.Identity.Mode)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\\r\\n| sort by Status desc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Transport Rules actions to monitor\"},{\"type\":1,\"content\":{\"json\":\"### Journal Mailboxes\"},\"name\":\"JournalMailboxHelp\"},{\"type\":1,\"content\":{\"json\":\"The **Journal Mailboxes** contain emails sent and received by specific or all users. The content of these mailboxes is very sensitives.\\r\\n\\r\\nJournal Rules should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. 
Also by default, no one should access to these mailboxes.\\r\\n\\r\\nThen, it is recommended to regularly check who have Full Access mailbox or Receive As on these mailboxes.\\r\\nAdditional information :\\r\\n\\r\\nJournaling in Exchange Server\\r\\n\\r\\nJournaling procedures\\r\\n\\r\\n\\r\\nMailbox audit logging in Exchange Server\\r\\n\\r\\n\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"JournalHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"JournalRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n| extend Status= iff ( tostring(CmdletResultValue.Enabled)== \\\"Enabled\\\" or tostring(CmdletResultValue.Enabled)== \\\"1\\\" , \\\"Enabled\\\", iff(tostring(CmdletResultValue.Enabled)==\\\"\\\",\\\"\\\", \\\"Disabled\\\"))\\r\\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress)\\r\\n| extend Recipient = tostring(CmdletResultValue.Recipient)\\r\\n| sort by Identity asc\\r\\n| sort by Status desc\\r\\n| project-away CmdletResultValue\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Journal Rules configured in your environment\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"JournalQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Journal Recipients on mailbox databases configured in your environment\",\"items\":[{\"type\":1,\"content\":{\"json\":\"As Journal Recipient on databases send all the mail send 
to users in this database to a specific mailbox. The content of these mailboxes is very sensitive.\\r\\n\\r\\nJournal Recipients configuration should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. No one should have access to these mailboxes by default.\\r\\n\\r\\nIt is recommended to regularly check who have Full Access or Receive As on these mailboxes.\\r\\n\\r\\nAdditional information :\\r\\n\\r\\nJournaling in Exchange Server\\r\\n\\r\\nJournaling procedures\\r\\n\\r\\n\\r\\nMailbox audit logging in Exchange Server\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"JournalRecipientsHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MbxDBJournaling\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.JournalRecipient !=\\\"\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Identity = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"JournalRecipientsGroup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Remote Domain Autofoward Configuration - * should not allow AutoForwardEnabled\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is set to True for an SMTP domain, then users in Outlook are allowed to set automatic transfer of all their emails to addresses 
in this domain.\\r\\n\\r\\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. \\r\\n\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\\r\\n\\r\\nAdditional information:\\r\\n\\r\\nRemote Domains\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address == \\\"*\\\", strcat (\\\"❌\\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address != \\\"*\\\", strcat (\\\"⚠️\\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅\\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n| project-away CmdletResultValue\\r\\n| sort by Address asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"Accepted domains set to * authorize Open Relay.\\r\\n\\r\\nMore information:\\r\\n\\r\\nAccepted 
domains\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"AcceptedDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.DomainName.Address == \\\"*\\\"\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n| extend Address = \\\"* : ❌ OpenRelay configuration\\\"\\r\\n| extend DomainType = case(CmdletResultValue.DomainType==\\\"0\\\",\\\"Authoritative Domain\\\",CmdletResultValue.DomainType==\\\"1\\\",\\\"ExternalRelay\\\",CmdletResultValue.DomainType==\\\"2\\\",\\\"InternalRelay\\\",\\\"NotApplicable\\\")\\r\\n| project-away CmdletResultValue\",\"size\":1,\"showAnalytics\":true,\"title\":\"Accepted domain with *\",\"noDataMessage\":\"Accepted Domain * not confirgured (no Open Relay)\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ForwardGroup\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Transport\"},\"name\":\"Transport Security configuration\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityReview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Security Review\"},\"name\":\"text - 
2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"743317e2-ebcf-4958-861d-4ff97fc7cce1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"On-Premises\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 
'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"cfc36178-c5d7-4f69-87f5-b887e722f968\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Compare_Collect\",\"label\":\"CompareCollect\",\"type\":10,\"description\":\"If this sesstion is checked, two collection will be compared\",\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"},{\"id\":\"3ce4bf51-fca3-4aa6-a67c-69be846dd706\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateCompare\",\"type\":2,\"description\":\"This date must be older than the date configured in the Date of configuration\",\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == 
\\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = 
iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":1,\"content\":{\"json\":\"This workbook helps review your Exchange Security configuration.\\r\\nSelect your Exchange Organization and adjust the time range.\\r\\n**By default, the Help won't be displayed. To display the help, choose Yes on the toogle buttom \\\"Show Help\\\"**\\r\\n\\r\\nTo compare collects, choose **Yes on the toogle buttom Compare Collect ** and choose the initial date.\\r\\nDepending on the section, a new table will be displayed with **all** the modifications (Add, Remove, Modifications) beetween the two dates.\\r\\nFor some sections, you'll see Add+Remove. This means that an account has been added and then removed during the choosen time range.\\r\\n\\r\\n**Important notes** : Some information are limited are may be not 100% accurate :\\r\\n - Date\\r\\n - When a fied is modified several times in the range, only first and last values will be displayed\\r\\n - **Remove Time is displayed the date of the last collect and not the exact remove time**\\r\\n - ... \\r\\n\\r\\nThis is due to some restrictions in the collect. 
The goal of the comparaison is to give you a global overview of the modifications between two collects.\\r\\nFor more details information, please check the workbook **\\\"Microsoft Exchange Search AdminAuditLog\\\"**\\r\\n.\\r\\n\\r\\nThe compare functionnality may not be available for all sections in this workbook.\\r\\n\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Mailbox Access\",\"subTarget\":\"Delegation\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true},{\"id\":\"be02c735-6150-4b6e-a386-b2b023e754e5\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Exchange & AD Groups\",\"subTarget\":\"ExchAD\",\"style\":\"link\"},{\"id\":\"30dc6820-339d-4fa9-ad79-5d79816a5cab\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Local Administrators\",\"subTarget\":\"Server\",\"style\":\"link\"},{\"id\":\"571fa2a4-1f1e-44a2-ada0-ccfb31b9abbb\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Exchange Security Configuration\",\"subTarget\":\"SecConf\",\"style\":\"link\"},{\"id\":\"26c68d90-925b-4c3c-a837-e3cecd489b2d\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Transport Configuration\",\"subTarget\":\"Transport\",\"style\":\"link\"},{\"id\":\"eb2888ca-7fa6-4e82-88db-1bb3663a801e\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Summary\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"TopMenuTabs\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\n\\r\\nThe goal of this workbook is to outline key security configurations of your Exchange On-Premises environment.\\r\\n\\r\\nMost of Exchange 
organizations have were installed years ago (sometimes more than 10 years). Many configurations have been done and might not have been documented. For most environments, the core commitment was maintaining a high availability of the users’ mailboxes putting aside other consideration (even security considerations). Recommended security practices have also evolved since the first released and a regular review is necessary.\\r\\n\\r\\nThis workbook is designed to show your Exchange organization is configured with a security point of view. Indeed, some configurations easy to display as there are no UI available.\\r\\n\\r\\nFor each configuration, you will find explanations and recommendations when applicable.\\r\\n\\r\\n- This workbook does not pretend to show you every weak Security configurations, but the most common issues and known to be used by attackers. \\r\\n- It will not show you if you have been comprised, but will help you identify unexpected configuration.\\r\\n\\r\\n----\\r\\n\\r\\n## Quick reminder of how Exchange works\\r\\n\\r\\nDuring Exchange installation two very important groups are created :\\r\\n- Exchange Trusted Subsystem : Contain all the computer accounts for Exchange Server\\r\\n- Exchange Windows Permissions : Contain the group Exchange trusted Subsystem\\r\\n\\r\\nThese groups have :\\r\\n- Very high privileges in ALL AD domains including the root domain\\r\\n- Right on any Exchange including mailboxes\\r\\n\\r\\nAs each Exchange server computer account is member of Exchange Trusted Subsystem, it means by taking control of the computer account or being System on an Exchange server you will gain access to all the permissions granted to Exchange Trusted Subsystem and Exchange Windows Permissions.\\r\\n\\r\\nTo protect AD and Exchange, it is very important to ensure the following:\\r\\n- There is a very limited number of persons that are local Administrator on Exchange server\\r\\n- To protect user right like : Act part of the operating 
System, Debug\\r\\n\\r\\nEvery service account or application that have high privileges on Exchange need to be considered as sensitive\\r\\n\\r\\n** 💡 Exchange servers need to be considered as very sensitive servers**\\r\\n\\r\\n-----\\r\\n\\r\\n\\r\\n## Tabs\\r\\n\\r\\n### Mailbox Access\\r\\n\\r\\nThis tab will show you several top sensitive delegations that allow an account to access, modify, act as another user, search, export the content of a mailbox.\\r\\n\\r\\n### Exchange & AD Groups\\r\\n\\r\\nThis tab will show you the members of Exchange groups and Sensitive AD groups.\\r\\n\\r\\n### Local Administrators\\r\\n\\r\\nThis tab will show you the non standard content of the local Administrators group. Remember that a member of the local Administrators group can take control of the computer account of the server and then it will have all the permissions associated with Exchange Trusted Subsytem and Exchange Windows Permissions\\r\\n\\r\\nThe information is displayed with different views : \\r\\n- List of nonstandard users\\r\\n- Number of servers with a nonstandard a user\\r\\n- Nonstandard groups content\\r\\n- For each user important information are displayed like last logon, last password set, enabled\\r\\n\\r\\n### Exchange Security configuration\\r\\n\\r\\nThis tab will show you some important configuration for your Exchange Organization\\r\\n- Status of Admin Audit Log configuration\\r\\n- Status of POP and IMAP configuration : especially, is Plaintext Authentication configured ?\\r\\n- Nonstandard permissions on the Exchange container in the Configuration Partition\\r\\n\\r\\n### Transport Configuration\\r\\n\\r\\nThis tab will show you the configuration of the main Transport components\\r\\n- Receive Connectors configured with Anonymous and/or Open Relay\\r\\n- Remote Domain Autoforward configuration\\r\\n- Transport Rules configured with BlindCopyTo, SendTo, RedirectTo\\r\\n- Journal Rule and Journal Recipient configurations\\r\\n- Accepted Domains 
with *\\r\\n\\r\\n\"},\"name\":\"WorkbookInfo\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"InformationTab\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Security Configuration for the Exchange Environment\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays several security information regarding the organization or server's configuration.\"},\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"This section displays the Exchange version and the CU installed.\\r\\n\\r\\nFor the latest build number, check this link : Exchange Build Numbers\\r\\n\\r\\nThis section is built from a file located in the public GitHub repository.\\r\\nThe repository is manually updated by the team project when new CU/SU are released. ((Delay may happen between the release of a new CU/SU and the update of the file))\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ServerVersionCheckHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\\\"https://aka.ms/ExchBuildNumber\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\\r\\n//ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| extend VersionNumber = 
strcat(CmdletResultValue.AdminDisplayVersion.Major,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Minor,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Build)\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExchVersion\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\\r\\n| extend Server = tostring(ProcessedByServer_s)\\r\\n| extend CmdletResultType = tostring(CmdletResultType)\\r\\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\\r\\n| distinct Server,VersionNumber,Productname,CU,SU,CmdletResultType\\r\\n| extend Server = strcat(\\\"💻 \\\",Server)\\r\\n| extend Productname = case ( VersionNumber startswith \\\"15.02\\\", \\\"Exchange 2019\\\", VersionNumber startswith \\\"15.01\\\", \\\"Exchange 2016\\\", VersionNumber startswith \\\"15.00\\\",\\\"Exchange 2013\\\", \\\"Exchange 2010\\\")\\r\\n| extend CU = iff(CmdletResultType <>\\\"Success\\\", \\\"Unable to retrieve information from server\\\", iff(CU <> \\\"\\\", CU, \\\"New CU or SU not yet in the List\\\"))\\r\\n| extend SU = iff(CmdletResultType <>\\\"Success\\\", \\\"Unable to retrieve information from server\\\", iff( SU <> \\\"\\\", SU, \\\"New CU or SU not yet in the List\\\"))\\r\\n|project-away CmdletResultType\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange servers CU-SU level\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersList\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, 
SUBuildNb:string)[h\\\"https://aka.ms/ExchBuildNumber\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExchVersion\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Minor,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Build)\\r\\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\\r\\n| extend Server = tostring(CmdletResultValue.Server)\\r\\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\\r\\n| extend CU = iff( CU <> \\\"\\\", CU, \\\"New CU/SU not yet in the CU List\\\")\\r\\n| extend Version =strcat (VersionNumber,\\\"-\\\",CU,\\\"-\\\",SU)\\r\\n| summarize dcount(Server) by Version\",\"size\":0,\"showAnalytics\":true,\"title\":\"Version break down\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"ExchangeServerVersionPie\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Admin Audit Log configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The Admin Audit log stores all the actions performed on Exchange Servers (except Read actions such as Get/Test).\\r\\n\\r\\nAdmin Audit Log \\r\\n\\r\\nManage Admin Audit Log \\r\\n\\r\\n\\r\\nThis can be used to track :\\r\\n- Unexpected behaviors\\r\\n- Who did a modification\\r\\n- Real actions performed by an account (the output could be used to identify the necessary privileges) and then reduce the privilege of the account by creating appropriate RBAC delegation\\r\\n\\r\\nℹ️ Recommendations\\r\\n- Ensure that Admin Audit Log is not disabled\\r\\n- 
Ensure that critical Cmdlets have not been excluded\\r\\n- Ensure that AdminAuditLogCmdlets is set to * (list of audited Cmdlets)\\r\\n- Review the retention configuration for the Admin Audit Log content\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AdminAuditHelp\"},{\"type\":1,\"content\":{\"json\":\"Here the main settings for the Admin Audit Log. \\r\\nRemember that AdminAudit log needs to be enabled and no cmdlet should be excluded. Also check the retention limit.\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, Parameters:string)[h\\\"https://aka.ms/CmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\\r\\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\\r\\n| project AdminAuditLogExcludedCmdlets);\\r\\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend AdminAuditLogEnabled = iff(CmdletResultValue.AdminAuditLogEnabled == \\\"FALSE\\\", \\\" ❌ Disabled, High Risk\\\", \\\"✅ Enabled\\\")\\r\\n| extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\\r\\n| extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit,8)\\r\\n| extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit,0,indexof(AdminAuditLogAgeLimit, ','))\\r\\n| 
extend AdminAuditLogAgeLimit = iff(toint(AdminAuditLogAgeLimit) == 0,strcat(\\\"❌ No AdminAuditlog recorded \\\",AdminAuditLogAgeLimit), iff(toint(AdminAuditLogAgeLimit) <=30,strcat(\\\"⚠️ Value to low except if exported \\\",AdminAuditLogAgeLimit), strcat(\\\"✅\\\",AdminAuditLogAgeLimit)))\\r\\n| extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\\r\\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,2)\\r\\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,0,indexof(AdminAuditLogCmdlets, '\\\"]') )\\r\\n| extend AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets,'\\\"',\\\"\\\")\\r\\n| extend Comment_AdminAuditLogCmdlets = iff( AdminAuditLogCmdlets == \\\"*\\\",\\\"✅ Default configuration\\\",\\\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\\\")\\r\\n| extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\\r\\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,2)\\r\\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,0,indexof(AdminAuditLogExcludedCmdlets, ']'))\\r\\n| extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets,'\\\"',\\\"\\\")\\r\\n//| extend Cmdlet = replace_string(AdminAuditLogExcludedCmdlets,'\\\"',\\\"\\\")\\r\\n//| extend AALECSplit = tostring(split(AdminAuditLogExcludedCmdlets,\\\",\\\"))\\r\\n| project-away CmdletResultValue\\r\\n| extend Comment_AdminAuditLogExcludedCmdlet = case( isnotempty( SentsitivecmdletTrack ),\\\"❌ Some excluded CmdLets are part of Sensitive Cmdlets\\\",AdminAuditLogExcludedCmdlets <>\\\"\\\",\\\"⚠️ Some Cmdlets are excluded \\\",\\\"✅ No Excluded 
CmdLet\\\")\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Comment_AdminAuditLogCmdlets\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70ch\"}}],\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"AdminAuditLogCmdlets\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"AdminAuditLogCmdlets\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, Parameters:string)[h\\\"https://aka.ms/CmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\\r\\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\\r\\n| project AdminAuditLogExcludedCmdlets);\\r\\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\\r\\nlet _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n | extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\n//let _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet _CurrentDateB = datetime_add('day', 1, todatetime(toscalar(_currD)));\\r\\nlet BeforeData 
= \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\\r\\n | extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit, 8)\\r\\n | extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit, 0, indexof(AdminAuditLogAgeLimit, ','))\\r\\n | extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\\r\\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 2)\\r\\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 0, indexof(AdminAuditLogCmdlets, '\\\"]'))\\r\\n | extend AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets, '\\\"', \\\"\\\")\\r\\n | extend Comment_AdminAuditLogCmdlets = iff(AdminAuditLogCmdlets == \\\"*\\\", \\\"✅ Default configuration\\\", \\\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\\\")\\r\\n | extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\\r\\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 2)\\r\\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 0, indexof(AdminAuditLogExcludedCmdlets, ']'))\\r\\n | extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets, '\\\"', \\\"\\\")\\r\\n | project-away CmdletResultValue\\r\\n | extend Comment_AdminAuditLogExcludedCmdlet = case(isnotempty(SentsitivecmdletTrack), \\\"❌ Some excluded CmdLets are part of Sensitive Cmdlets\\\", AdminAuditLogExcludedCmdlets <> \\\"\\\", \\\"⚠️ Some Cmdlets are excluded \\\", \\\"✅ No Excluded CmdLet\\\")\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\", 
SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\\r\\n | extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit, 8)\\r\\n | extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit, 0, indexof(AdminAuditLogAgeLimit, ','))\\r\\n | extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\\r\\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 2)\\r\\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 0, indexof(AdminAuditLogCmdlets, '\\\"]'))\\r\\n | extend AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets, '\\\"', \\\"\\\")\\r\\n | extend Comment_AdminAuditLogCmdlets = iff(AdminAuditLogCmdlets == \\\"*\\\", \\\"✅ Default configuration\\\", \\\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\\\")\\r\\n | extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\\r\\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 2)\\r\\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 0, indexof(AdminAuditLogExcludedCmdlets, ']'))\\r\\n | extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets, '\\\"', \\\"\\\")\\r\\n | project-away CmdletResultValue\\r\\n | extend Comment_AdminAuditLogExcludedCmdlet = case(isnotempty(SentsitivecmdletTrack), \\\"❌ Some excluded CmdLets are part of Sensitive Cmdlets\\\", AdminAuditLogExcludedCmdlets <> \\\"\\\", \\\"⚠️ Some Cmdlets are excluded \\\", \\\"✅ No Excluded CmdLet\\\")\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffModifData = union AfterData, BeforeData\\r\\n | sort by WhenChanged asc \\r\\n | project\\r\\n WhenChanged,\\r\\n AdminAuditLogAgeLimit,\\r\\n 
AdminAuditLogCmdlets,\\r\\n Comment_AdminAuditLogCmdlets,\\r\\n AdminAuditLogExcludedCmdlets,\\r\\n Comment_AdminAuditLogExcludedCmdlet,\\r\\n WhenCreated\\r\\n | extend AdminAuditLogAgeLimit = iff(AdminAuditLogAgeLimit != prev(AdminAuditLogAgeLimit) and prev(AdminAuditLogAgeLimit) != \\\"\\\", strcat(\\\"📍 \\\", AdminAuditLogAgeLimit, \\\" (\\\", prev(AdminAuditLogAgeLimit), \\\"->\\\", AdminAuditLogAgeLimit, \\\" )\\\"), AdminAuditLogAgeLimit)\\r\\n | extend AdminAuditLogCmdlets = iff(AdminAuditLogCmdlets != prev(AdminAuditLogCmdlets) and prev(AdminAuditLogCmdlets) != \\\"\\\", strcat(\\\"📍 \\\", AdminAuditLogCmdlets, \\\" (\\\", prev(AdminAuditLogCmdlets), \\\"->\\\", AdminAuditLogCmdlets, \\\" )\\\"), AdminAuditLogCmdlets)\\r\\n | extend Comment_AdminAuditLogCmdlets = iff(Comment_AdminAuditLogCmdlets != prev(Comment_AdminAuditLogCmdlets) and prev(Comment_AdminAuditLogCmdlets) != \\\"\\\", strcat(\\\"📍 \\\", Comment_AdminAuditLogCmdlets, \\\" (\\\", prev(Comment_AdminAuditLogCmdlets), \\\"->\\\", Comment_AdminAuditLogCmdlets, \\\" )\\\"), Comment_AdminAuditLogCmdlets)\\r\\n | extend AdminAuditLogExcludedCmdlets = iff(AdminAuditLogExcludedCmdlets != prev(AdminAuditLogExcludedCmdlets) and prev(AdminAuditLogExcludedCmdlets) != \\\"\\\", strcat(\\\"📍 \\\", AdminAuditLogExcludedCmdlets, \\\" (\\\", prev(AdminAuditLogExcludedCmdlets), \\\"->\\\", AdminAuditLogExcludedCmdlets, \\\" )\\\"), AdminAuditLogExcludedCmdlets)\\r\\n | extend Comment_AdminAuditLogExcludedCmdlet = iff(Comment_AdminAuditLogExcludedCmdlet != prev(Comment_AdminAuditLogExcludedCmdlet) and prev(Comment_AdminAuditLogExcludedCmdlet) != \\\"\\\", strcat(\\\"📍 \\\", Comment_AdminAuditLogExcludedCmdlet, \\\" (\\\", prev(Comment_AdminAuditLogExcludedCmdlet), \\\"->\\\", Comment_AdminAuditLogExcludedCmdlet, \\\" )\\\"), Comment_AdminAuditLogExcludedCmdlet)\\r\\n | extend ActiontypeR =iff(( AdminAuditLogAgeLimit contains \\\"📍\\\" or AdminAuditLogCmdlets contains \\\"📍\\\" or Comment_AdminAuditLogCmdlets 
contains \\\"📍\\\" or AdminAuditLogExcludedCmdlets contains \\\"📍\\\" or Comment_AdminAuditLogExcludedCmdlet contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n AdminAuditLogAgeLimit,\\r\\n AdminAuditLogCmdlets,\\r\\n Comment_AdminAuditLogCmdlets,\\r\\n AdminAuditLogExcludedCmdlets,\\r\\n Comment_AdminAuditLogExcludedCmdlet,\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n AdminAuditLogAgeLimit,\\r\\n AdminAuditLogCmdlets,\\r\\n Comment_AdminAuditLogCmdlets,\\r\\n AdminAuditLogExcludedCmdlets,\\r\\n Comment_AdminAuditLogExcludedCmdlet\",\"size\":1,\"showAnalytics\":true,\"title\":\"AdminAuditLog settings comparaison\",\"noDataMessage\":\"No modification\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 3\"}]},\"name\":\"group - 0Admin Audit Log configuration\"},{\"type\":1,\"content\":{\"json\":\"### POP authentication configuration\"},\"name\":\"text - 11\"},{\"type\":1,\"content\":{\"json\":\"If the POP Service is started, the LoginType should not set to Plaintext. This means that the password will be sent in clear on the network. As POP is enabled by default on all the mailboxes, this represents a high security risk.\\r\\n\\r\\nPOP Authentication\\r\\n- **PlainText** TLS encryption is not required on port 110. 
Usernames and passwords are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\\r\\n- **PlainTextAuthentication** TLS encryption is not required on port 110. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\\r\\n- **SecureLogin** Connection on port 110 must use TLS encryption before authenticating.\\r\\n\\r\\nℹ️ Recommendations\\r\\nDisable POP on all mailboxes except those which really need to use this protocol.\\r\\nSet the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application.\\r\\n\\r\\nIf the application is not able to perform this type of authentication:\\r\\n- Ensure that POP is disabled on all the mailboxes except those who really need it \\r\\n- Monitor the POP connections\\r\\n- Change the password of the application on a regular basis\\r\\n\\r\\nRecommended Reading : \\r\\n\\r\\nConfiguring Authentication for POP3 and IMAP4\\r\\n \\r\\n Set-PopSettings\\r\\n\\r\\n\\r\\nIn order to track mailboxes that are currently using POP\\r\\n- Enable POP logging\\r\\n- Set-PopSettings -Server SRV1 -ProtocolLogEnabled verbose\\r\\n- Several weeks later, analyze the log content\\r\\n- Default location : - Get-PopSettings -server SRV1 | fl server,*log*\\r\\n- Check for connection and authentication\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"PopServiceHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"PopSettings\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| join kind = 
leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name == (\\\"MSExchangePop3\\\")\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n| join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangePop3BE\\\" )\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n| extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n| extend Status = tostring(Status)\\r\\n| extend BackendEndService= tostring(ServiceName1)\\r\\n| extend StartupType = tostring(StartupType)\\r\\n| extend BEStatus = tostring(Status1)\\r\\n| extend BEStartupType = tostring(StartupType1)\\r\\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n| sort by ServerName asc\",\"size\":1,\"showAnalytics\":true,\"title\":\"Pop Authentication : should not be set as 
Plaintext\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LoginType\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":0,\"formatOptions\":{\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"LoginType\"],\"finalBy\":\"LoginType\"}}},\"name\":\"PopSettingsQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"POP settings comparaison\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"PopSettings\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n//| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\n//let _CurrentDateB = datetime_add('day',1,todatetime(toscalar(_currD)));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"PopSettings\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name == (\\\"MSExchangePop3\\\")\\r\\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), 
ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n | join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name contains (\\\"MSExchangePop3BE\\\" )\\r\\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n | extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n | extend Status = tostring(Status)\\r\\n | extend BackendEndService= tostring(ServiceName1)\\r\\n | extend StartupType = tostring(StartupType)\\r\\n | extend BEStatus = tostring(Status1)\\r\\n | extend BEStartupType = tostring(StartupType1)\\r\\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n | sort by ServerName asc\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"PopSettings\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name == 
(\\\"MSExchangePop3\\\")\\r\\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n | join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name contains (\\\"MSExchangePop3BE\\\" )\\r\\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n | extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n | extend Status = tostring(Status)\\r\\n | extend BackendEndService= tostring(ServiceName1)\\r\\n | extend StartupType = tostring(StartupType)\\r\\n | extend BEStatus = tostring(Status1)\\r\\n | extend BEStartupType = tostring(StartupType1)\\r\\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n | sort by ServerName asc\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by ServerName,TimeGenerated asc\\r\\n | extend LoginType = iff(ServerName == prev(ServerName) and LoginType != prev(LoginType) and prev(LoginType) != \\\"\\\", strcat(\\\"📍 \\\", LoginType, \\\" (\\\", prev(LoginType), \\\"->\\\", LoginType, \\\" )\\\"), LoginType)\\r\\n | extend ProtocolLogEnabled = iff(ServerName == 
prev(ServerName) and ProtocolLogEnabled != prev(ProtocolLogEnabled) and prev(ProtocolLogEnabled) != \\\"\\\", strcat(\\\"📍 \\\", ProtocolLogEnabled, \\\" (\\\", prev(ProtocolLogEnabled), \\\"->\\\", ProtocolLogEnabled, \\\" )\\\"), ProtocolLogEnabled)\\r\\n | extend Status = iff( ServerName == prev(ServerName) and Status != prev(Status) and prev(Status) != \\\"\\\", strcat(\\\"📍 \\\", Status, \\\" (\\\", prev(Status), \\\"->\\\", Status, \\\" )\\\"), Status)\\r\\n | extend StartupType = iff(ServerName == prev(ServerName) and StartupType != prev(StartupType) and prev(StartupType) != \\\"\\\", strcat(\\\"📍 \\\", StartupType, \\\" (\\\", prev(StartupType), \\\"->\\\", StartupType, \\\" )\\\"), StartupType)\\r\\n | extend BEStatus = iff(ServerName == prev(ServerName) and BEStatus != prev(BEStatus) and prev(BEStatus) != \\\"\\\", strcat(\\\"📍 \\\", BEStatus, \\\" (\\\", prev(BEStatus), \\\"->\\\", BEStatus, \\\" )\\\"), BEStatus)\\r\\n | extend BEStartupType = iff(ServerName == prev(ServerName) and BEStartupType != prev(BEStartupType) and prev(BEStartupType) != \\\"\\\", strcat(\\\"📍 \\\", BEStartupType, \\\" (\\\", prev(BEStartupType), \\\"->\\\", BEStartupType, \\\" )\\\"), BEStartupType)\\r\\n | extend ActiontypeR =iff((LoginType contains \\\"📍\\\" or ProtocolLogEnabled contains \\\"📍\\\" or Status contains \\\"📍\\\" or StartupType contains \\\"📍\\\" or BEStatus contains \\\"📍\\\" or BEStartupType contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n TimeGenerated,\\r\\n Actiontype,\\r\\n ServerName,\\r\\n LoginType,\\r\\n ProtocolLogEnabled,\\r\\n Status,\\r\\n StartupType,\\r\\n BEStatus,\\r\\n BEStartupType\\r\\n;\\r\\nDiffModifData\\r\\n//| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), 
Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| project\\r\\n ServerName,\\r\\n LoginType,\\r\\n ProtocolLogEnabled,\\r\\n Status,\\r\\n StartupType,\\r\\n BEStatus, \\r\\n BEStartupType\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"Compare\"}]},\"name\":\"POP authentication configuration\"},{\"type\":1,\"content\":{\"json\":\"### IMAP authentication configuration\"},\"name\":\"IMAPTitle\"},{\"type\":1,\"content\":{\"json\":\"If the IMAP Service is started, the LoginType should not set to Plaintext. This means that the passwords will be sent in clear over the network. As IMAP is enabled by default on all the mailboxes, this is a high security risk.\\r\\n\\r\\nIMAP Authentication\\r\\n- **PlainText** TLS encryption is not required on port 110. User name and password are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\\r\\n- **PlainTextAuthentication** TLS encryption is not required on port 143. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\\r\\n- **SecureLogin** Connection on port 143 must use TLS encryption before authenticating.\\r\\n\\r\\nℹ️ Recommendations \\r\\nDisable IMAP on all mailboxes except those which really need to use this protocol. 
Set the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application accordingly.\\r\\n\\r\\nIf the application is not able to perform this type of authentication:\\r\\n- Ensure that IMAP is disable on all the mailboxes except those who really need it \\r\\n- Monitor the connection\\r\\n- Regularly, change the password of the application\\r\\n\\r\\nRecommended Reading : \\r\\n\\r\\nConfiguring Authentication for POP3 and IMAP4\\r\\n\\r\\n Set-IMAPSettings\\r\\n\\r\\n\\r\\n\\r\\nIn order to track mailboxes that are currently using IMAP\\r\\n- Enable IMAP logging\\r\\n- Set-IMAPSettings -Server SRV1 -ProtocolLogEnabled verbose\\r\\n- Several weeks later, analyze the log content\\r\\n- Default location : Get-IMAPSettings -server SRV1 | fl server,*log*\\r\\n- Check for connection and authentication\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"IMAPHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"IMAPSettings\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name == (\\\"MSExchangeImap4\\\")\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n| join 
(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangeIMAP4BE\\\" )\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n| extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n| extend Status = tostring(Status)\\r\\n| extend BackendEndService= tostring(ServiceName1)\\r\\n| extend StartupType = tostring(StartupType)\\r\\n| extend BEStatus = tostring(Status1)\\r\\n| extend BEStartupType = tostring(StartupType1)\\r\\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n| sort by ServerName asc\",\"size\":1,\"showAnalytics\":true,\"title\":\"IMAP Authentication : should not be set as Plaintext\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LoginType\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"LoginType\"],\"finalBy\":\"LoginType\"}}},\"name\":\"IMAPSettingsQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = 
\\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"IMAPSettings\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n//| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\n//let _CurrentDateB = datetime_add('day',1,todatetime(toscalar(_currD)));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"IMAPSettings\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name == (\\\"MSExchangeImap4\\\")\\r\\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n | join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name contains (\\\"MSExchangeIMAP4BE\\\" )\\r\\n | project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", 
iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n | extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n | extend Status = tostring(Status)\\r\\n | extend BackendEndService= tostring(ServiceName1)\\r\\n | extend StartupType = tostring(StartupType)\\r\\n | extend BEStatus = tostring(Status1)\\r\\n | extend BEStartupType = tostring(StartupType1)\\r\\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n | sort by ServerName asc\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"IMAPSettings\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name == (\\\"MSExchangeImap4\\\")\\r\\n | project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n | join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name contains (\\\"MSExchangeIMAP4BE\\\" )\\r\\n | project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | extend LoginType = 
iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n | extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n | extend Status = tostring(Status)\\r\\n | extend BackendEndService= tostring(ServiceName1)\\r\\n | extend StartupType = tostring(StartupType)\\r\\n | extend BEStatus = tostring(Status1)\\r\\n | extend BEStartupType = tostring(StartupType1)\\r\\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n | sort by ServerName asc\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by ServerName,TimeGenerated asc\\r\\n | extend LoginType = iff(ServerName == prev(ServerName) and LoginType != prev(LoginType) and prev(LoginType) != \\\"\\\", strcat(\\\"📍 \\\", LoginType, \\\" (\\\", prev(LoginType), \\\"->\\\", LoginType, \\\" )\\\"), LoginType)\\r\\n | extend ProtocolLogEnabled = iff(ServerName == prev(ServerName) and ProtocolLogEnabled != prev(ProtocolLogEnabled) and prev(ProtocolLogEnabled) != \\\"\\\", strcat(\\\"📍 \\\", ProtocolLogEnabled, \\\" (\\\", prev(ProtocolLogEnabled), \\\"->\\\", ProtocolLogEnabled, \\\" )\\\"), ProtocolLogEnabled)\\r\\n | extend Status = iff( ServerName == prev(ServerName) and Status != prev(Status) and prev(Status) != \\\"\\\", strcat(\\\"📍 \\\", Status, \\\" (\\\", prev(Status), \\\"->\\\", Status, \\\" )\\\"), Status)\\r\\n | extend StartupType = iff(ServerName == prev(ServerName) and StartupType != prev(StartupType) and prev(StartupType) != \\\"\\\", strcat(\\\"📍 \\\", StartupType, \\\" (\\\", prev(StartupType), \\\"->\\\", StartupType, \\\" )\\\"), StartupType)\\r\\n | extend BEStatus = iff(ServerName == prev(ServerName) and BEStatus != 
prev(BEStatus) and prev(BEStatus) != \\\"\\\", strcat(\\\"📍 \\\", BEStatus, \\\" (\\\", prev(BEStatus), \\\"->\\\", BEStatus, \\\" )\\\"), BEStatus)\\r\\n | extend BEStartupType = iff(ServerName == prev(ServerName) and BEStartupType != prev(BEStartupType) and prev(BEStartupType) != \\\"\\\", strcat(\\\"📍 \\\", BEStartupType, \\\" (\\\", prev(BEStartupType), \\\"->\\\", BEStartupType, \\\" )\\\"), BEStartupType)\\r\\n | extend ActiontypeR =iff((LoginType contains \\\"📍\\\" or ProtocolLogEnabled contains \\\"📍\\\" or Status contains \\\"📍\\\" or StartupType contains \\\"📍\\\" or BEStatus contains \\\"📍\\\" or BEStartupType contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n Actiontype,\\r\\n ServerName,\\r\\n LoginType,\\r\\n ProtocolLogEnabled,\\r\\n Status,\\r\\n StartupType,\\r\\n BEStatus,\\r\\n BEStartupType\\r\\n;\\r\\nDiffModifData\\r\\n//| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| project\\r\\n ServerName,\\r\\n LoginType,\\r\\n ProtocolLogEnabled,\\r\\n Status,\\r\\n StartupType,\\r\\n BEStatus, \\r\\n BEStartupType\",\"size\":1,\"showAnalytics\":true,\"title\":\"IMAP settings comparaison\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"Compare - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Nonstandard permissions on Configuration Partitions\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This 
section highlights nonstandard permissions on the Exchange container in the Configuration Partition. By selecting Yes for **Generic All** button, only delegations set to Generic All will be displayed. \\r\\nAlso Standard, Deny and inherited permissions have been removed\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"During the lifetime of an Exchange Organization, many permissions may have been set on Exchange containers in the Configuration Partition.\\r\\nThis section displayed all the nonstandard permissions found on the most important Exchange containers :\\r\\n - Groups from legacy Exchange versions (Exchange Enterprise Servers, Exchange Domain Servers,...)\\r\\n - SID for deleted accounts\\r\\n - Old service accounts (that may not have been disabled or removed...)\\r\\n \\r\\nWhen an administrator runs setup /PrepareAD, his account will be granted Generic All at the top-level Exchange container\\r\\n\\r\\nBy default, this section only displayed the **Generic All** permissions.\\r\\n \\r\\nThis section is built by removing all the standard AD and Exchange groups.\\r\\n\\r\\n Exchange 2013 deployment permissions reference\\r\\n \\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"80f9134a-420f-47c9-b171-1ca8e72efa3e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"GenericAll\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"},{\"id\":\"29e2005c-3bd4-4bb8-be63-053d11abe1d4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NonStandardPermissions\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": 
\\\"Yes\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Authenticated Users\\\", \\\"Domain Admins\\\", \\\"Enterprise Admins\\\",\\\"Schema Admins\\\", \\\"Exchange Trusted Subsystem\\\", \\\"Exchange Servers\\\",\\\"Organization Management\\\", \\\"Public Folder Management\\\",\\\"Delegated Setup\\\", \\\"ANONYMOUS LOGON\\\", \\\"NETWORK SERVICE\\\", \\\"SYSTEM\\\", \\\"Everyone\\\",\\\"Managed Availability Servers\\\"]);\\r\\nlet Exchsrv =ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| summarize make_list(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"PartConfPerm\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Deny !contains \\\"True\\\" and CmdletResultValue.IsInherited !contains \\\"True\\\"\\r\\n| where (CmdletResultValue.AccessRights == \\\"[983551]\\\") in ({GenericAll})\\r\\n| where not (CmdletResultValue.UserString has_any (StandardGroup)) in ({NonStandardPermissions})\\r\\n| where not (CmdletResultValue.UserString has_any (Exchsrv))in ({NonStandardPermissions})\\r\\n| extend Name = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend Account = tostring(CmdletResultValue.UserString )\\r\\n| extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \\\"GenericAll\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\\r\\n| extend ExtendedRights = 
iff (tostring(CmdletResultValue.ExtendedRightsString) contains \\\"-As\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\\r\\n| extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\\r\\n| extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\\r\\n| project-away CmdletResultValue\\r\\n| sort by DN desc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"DN\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"DN\",\"sortOrder\":2}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Authenticated Users\\\", \\\"Domain Admins\\\", \\\"Enterprise Admins\\\", \\\"Schema Admins\\\", \\\"Exchange Trusted Subsystem\\\", \\\"Exchange Servers\\\", \\\"Organization Management\\\", \\\"Public Folder Management\\\", \\\"Delegated Setup\\\", \\\"ANONYMOUS LOGON\\\", \\\"NETWORK SERVICE\\\", \\\"SYSTEM\\\", \\\"Everyone\\\", \\\"Managed Availability Servers\\\"]);\\r\\nlet Exchsrv =ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='B119E5', Target = \\\"On-Premises\\\")\\r\\n | summarize make_list(CmdletResultValue.Name);\\r\\nlet _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"PartConfPerm\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = 
tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"PartConfPerm\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | where CmdletResultValue.Deny !contains \\\"True\\\" and CmdletResultValue.IsInherited !contains \\\"True\\\"\\r\\n | where (CmdletResultValue.AccessRights == \\\"[983551]\\\") in (True, False)\\r\\n | where not (CmdletResultValue.UserString has_any (StandardGroup)) in (True)\\r\\n | where not (CmdletResultValue.UserString has_any (Exchsrv))in (True)\\r\\n | extend Name = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend Account = tostring(CmdletResultValue.UserString )\\r\\n | extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \\\"GenericAll\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\\r\\n | extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \\\"-As\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\\r\\n | extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\\r\\n | extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\\r\\n | extend AllInfo = strcat(Name,Account,CmdletResultValue.AccessRightsString,CmdletResultValue.ExtendedRightsString)\\r\\n | project-away CmdletResultValue\\r\\n | sort by Name,Account desc\\r\\n;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on AllInfo \\r\\n | distinct \\r\\n Name, \\r\\n Account, \\r\\n AccessRights, \\r\\n ExtendedRights, \\r\\n 
InheritanceType, \\r\\n DN,\\r\\n AllInfo\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"PartConfPerm\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue.Deny !contains \\\"True\\\" and CmdletResultValue.IsInherited !contains \\\"True\\\"\\r\\n | where (CmdletResultValue.AccessRights == \\\"[983551]\\\") in (True, False)\\r\\n | where not (CmdletResultValue.UserString has_any (StandardGroup)) in (True)\\r\\n | where not (CmdletResultValue.UserString has_any (Exchsrv))in (True)\\r\\n | extend Name = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend Account = tostring(CmdletResultValue.UserString )\\r\\n | extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \\\"GenericAll\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\\r\\n | extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \\\"-As\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\\r\\n | extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\\r\\n | extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\\r\\n | extend AllInfo = strcat(Name,Account,CmdletResultValue.AccessRightsString,CmdletResultValue.ExtendedRightsString)\\r\\n | project-away CmdletResultValue\\r\\n | sort by Name,Account desc\\r\\n ;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"PartConfPerm\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue.Deny !contains \\\"True\\\" and CmdletResultValue.IsInherited !contains \\\"True\\\"\\r\\n | where (CmdletResultValue.AccessRights == \\\"[983551]\\\") in (True, False)\\r\\n | where 
not (CmdletResultValue.UserString has_any (StandardGroup)) in (True)\\r\\n | where not (CmdletResultValue.UserString has_any (Exchsrv))in (True)\\r\\n | extend Name = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend Account = tostring(CmdletResultValue.UserString )\\r\\n | extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \\\"GenericAll\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\\r\\n | extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \\\"-As\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\\r\\n | extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\\r\\n | extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\\r\\n | extend AllInfo = strcat(Name,Account,CmdletResultValue.AccessRightsString,CmdletResultValue.ExtendedRightsString)\\r\\n | project-away CmdletResultValue\\r\\n | sort by Name,Account desc\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData) on AllInfo\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n | join kind = innerunique (BeforeData) on AllInfo\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n | join kind = leftanti (InBeforedatabotAfter) on AllInfo\\r\\n | extend Actiontype =\\\"Add/Remove\\\"\\r\\n | project \\r\\n Actiontype,\\r\\n Name, \\r\\n Account, \\r\\n AccessRights, \\r\\n ExtendedRights, \\r\\n InheritanceType, \\r\\n DN \\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on AllInfo\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", 
Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype), \\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,\\r\\n Name, \\r\\n Account, \\r\\n AccessRights, \\r\\n ExtendedRights, \\r\\n InheritanceType, \\r\\n DN \",\"size\":1,\"showAnalytics\":true,\"title\":\"Compare NonStandard Permissions for Exchange Container in the Configuration Partition\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"Compare - Copy - Copy\"}]},\"name\":\"Nonstandard permissions on Configuration Partitions\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"SecConf\"},\"name\":\"Security Configuration for the Exchange environment\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays important security configurations that allow access to all or partial mailboxes' content - Direct delegations are not listed - Example :
\\r\\n- Permissions Full Access \\r\\n- Permission on mailboxes folders\\r\\n\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.RoleAssignmentDelegationType !=\\\"6\\\" \\r\\n| where CmdletResultValue.RoleAssigneeName !in (\\\"Hygiene Management\\\",\\\"Exchange Online-ApplicationAccount\\\",\\\"Discovery Management\\\")\\r\\n| where CmdletResultValue.Role.Name == \\\"Mailbox Import Export\\\" or CmdletResultValue.Role.Name == \\\"ApplicationImpersonation\\\" or (CmdletResultValue.Role.Name == \\\"Mailbox Search\\\")\\r\\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role.Name)\",\"size\":1,\"showAnalytics\":true,\"title\":\"Number of delegations for sensitive RBAC roles\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"role\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_RoleAssigneeName\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"role\",\"sortOrderField\":1}},\"name\":\"MRAQuery\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Application Impersonation Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows the delegated accounts to access and modify the content of every mailboxes using EWS.\\r\\nExcluded from the result as default configuration :\\r\\n- The Delegating delegation for this role assigned to Organization Management\\r\\n- Hygiene Management group 
as it is a default delegation\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes using EWS. \\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nIt should be carefully delegated. When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\\r\\n\\r\\nHelp for the role Application Impersonation\\r\\n\\r\\nIt is common (but not recommended) to see service accounts from backup solution, antivirus software, MDM... with this delegation.\\r\\nThese service accounts should be closely monitored and the security of the server where they are running needs to be at the same level of Exchange servers.\\r\\nNote that the default configuration to the group Hygiene Management is excluded. This group is a sensitive group. Remember to monitor the content of this group.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.Role.Name == \\\"ApplicationImpersonation\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssignmentDelegationType !=\\\"6\\\" \\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", \\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, 
WhenChanged\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssignmentDelegationType\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssignmentDelegationType\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExclusionsAcctValue = dynamic([\\\"Hygiene Management\\\", \\\"RIM-MailboxAdmins\\\"]);\\r\\nMESCompareDataOnPMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"On-Premises\\\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\\\"Impersonation\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"**Remove Time is displayed the date of the last collect and not the exact remove time**\"},\"name\":\"text - 4\"}]},\"name\":\"Application Impersonation Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Import Export Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to export the content all mailboxes in a scope in PST file.\\r\\nExcluded from the result as default configuration :\\r\\nDelegating delegation to Organization Management\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Import Export** is a RBAC role that allows an 
account to export the content of any maibox in a PST. It also allows the delegated account to perform searches in all mailboxes.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is not delegated to any user or group. The members of the group Organization Management by default do not have this role but are able to delegate it.\\r\\n\\r\\nHelp for the role Mailbox Import Export\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n- Create an empty group with this delegation\\r\\n- Monitor the group content and alert when the group content is modified\\r\\n- Add administrators in this group only for a short period of time\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ExportRoleHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Role.Name == \\\"Mailbox Import Export\\\" and CmdletResultValue.RoleAssignmentDelegationType !=\\\"6\\\" \\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", 
CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", \\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, RoleAssigneeType,Status, CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 
1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExclusionsAcctValue = dynamic([\\\"Hygiene Management\\\", \\\"RIM-MailboxAdmins\\\"]);\\r\\nMESCompareDataOnPMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"On-Premises\\\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\\\"export\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"**Remove Time is displayed the date of the last collect and not the exact remove time**\"},\"name\":\"text - 4\"}]},\"name\":\"Mailbox Import Export Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Search Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows the delegated account to search inside all or in a scope of mailboxes and export the result in PST.\\r\\nExcluded from the result as default configuration :\\r\\n- The Delegating delegation for this role assigned to Organization Management\\r\\n- Delegation for the account Exchange Online-Application\\r\\n- Delegation for the group Discovery Management \\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Search** is an RBAC role that allows an account to search in any mailbox and export the results to a PST.\\r\\n\\r\\n⚡ This role is very powerful.\\r\\n\\r\\nBy default, this role is only delegated to the group Discovery Management. 
The members of the group Organization Management do not have this role but are able to delegate it.\\r\\n\\r\\nHelp for the role Mailbox Search\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n\\r\\n- Temporarily add the administrators in the Discovery Management group\\r\\n- Monitor the group content and alert when the group is modified\\r\\n- Add administrators in this group only for a short period of time\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Role.Name == \\\"Mailbox Search\\\" and CmdletResultValue.RoleAssignmentDelegationType !=\\\"6\\\" \\r\\n| where CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\"\\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", 
\\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
ExclusionsAcctValue = dynamic([\\\"Hygiene Management\\\", \\\"RIM-MailboxAdmins\\\"]);\\r\\nMESCompareDataOnPMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"On-Premises\\\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\\\"Search\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"**Remove Time is displayed the date of the last collect and not the exact remove time**\"},\"name\":\"text - 4\"}]},\"name\":\"Mailbox Search Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"ReceiveAs/SendAs Extended Right on databases\",\"items\":[{\"type\":1,\"content\":{\"json\":\"These sections display delegations at the database level (the database Object, not the container) ..\\r\\n\\r\\n**Receive As Extended Right on database's objects in the Configuration**\\r\\n\\r\\nWhen an account has **ReceiveAs** permissions on a database's object, it can open and view the content of any mailboxes on that database.\\r\\n\\r\\nHelp for Receive As Permission\\r\\n\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person. 
This account should be closely monitored and the security of the server where it is running needs to be at the same level of Exchange servers.\\r\\nChange the password as often as possible.\\r\\n\\r\\n**Send As Extended Right on database objects in the Configuration**\\r\\n\\r\\n\\r\\nWhen an account has **SendAs** permissions on a database's object, it can send messages from all the mailboxes contained in this database. The messages that are sent from a mailbox will appear as if the mailbox owner sent them.\\r\\n\\r\\nHelp for Send As Permission\\r\\n\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person.\\r\\nThis account should be closely monitored and the security of the server where it is running needs to be at the same level of Exchange servers. \\r\\nChange the password as often as possible.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SendAsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"eb0af112-df51-47f5-8849-b3ee764fa72d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IsInherited\",\"label\":\"Included Inherited deleg\",\"type\":10,\"description\":\"Yes Show all the delegations (Databases object and Database Containers), No only databases objects\",\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"false\\\", \\\"label\\\": \\\"No\\\" , \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"true, false\\\", \\\"label\\\": \\\"Yes\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"true, false\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| union ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n| summarize dcount(tostring(CmdletResultValue.UserString)) by iff( tostring(Section) contains \\\"MailboxDatabaseReceiveAs\\\",\\\"ReceiveAs Unique Acct\\\",\\\"SendAs Unique Acct\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Number of accounts with ReceiveAs/SendAs delegations\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_UserString\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"Column1\",\"sortOrderField\":1}},\"customWidth\":\"50\",\"name\":\"ReceiveAsUsersTiles\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| union 
ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n| summarize dcount(tostring(CmdletResultValue.Identity.Name)) by iff( tostring(Section) contains \\\"MailboxDatabaseReceiveAs\\\",\\\"ReceiveAs Unique DB\\\",\\\"SendAs Unique DB\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Databases with ReceiveAs/SendAs delegations\",\"color\":\"purple\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_Identity_Name\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"Column1\",\"sortOrderField\":1}},\"customWidth\":\"50\",\"name\":\"ReceiveAsTiles\",\"styleSettings\":{\"margin\":\"25\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n| extend Account = tostring(CmdletResultValue.UserString)\\r\\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n| summarize Count =count() by 
Account,DatabaseName,IsInherited\\r\\n| project Account,Count,DatabaseName,IsInherited\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"ReceiveAs Extended Right on databases\",\"noDataMessage\":\"No Receive-As delegation\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Account\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Account\"],\"finalBy\":\"Account\"},\"sortBy\":[{\"itemKey\":\"$gen_count_$gen_group_0\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"Account\",\"comment\":\"Account and the number of databases on which it has delegation \"}]},\"sortBy\":[{\"itemKey\":\"$gen_count_$gen_group_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"MailboxDatabaseReceiveAsGrid\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n| extend Account = tostring(CmdletResultValue.UserString)\\r\\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n| summarize Count =count() by Account,DatabaseName,IsInherited\\r\\n| project Account,Count,DatabaseName,IsInherited\",\"size\":1,\"showAnalytics\":true,\"title\":\"SendAs Extended Right on 
databases\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Account\",\"formatter\":5}],\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Account\"],\"finalBy\":\"Account\"}}},\"customWidth\":\"50\",\"name\":\"SendAs Extended Right on databases\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"MailboxDatabaseReceiveAs\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n | extend Account = tostring(CmdletResultValue.UserString)\\r\\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n | extend Allinfo = strcat(Account,DatabaseName)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Account\\r\\n;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on Allinfo \\r\\n | distinct \\r\\n Account,\\r\\n DatabaseName,\\r\\n IsInherited,\\r\\n Allinfo\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n | extend Account = tostring(CmdletResultValue.UserString)\\r\\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n | extend Allinfo = strcat(Account,DatabaseName)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Account\\r\\n ;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n | where 
(CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n | extend Account = tostring(CmdletResultValue.UserString)\\r\\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n | extend Allinfo = strcat(Account,DatabaseName)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Account\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData) on Allinfo\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n | join kind = innerunique (BeforeData) on Allinfo\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\\r\\n | extend Actiontype =\\\"Add/Remove\\\"\\r\\n | project \\r\\n Actiontype,\\r\\n Account,\\r\\n DatabaseName,\\r\\n IsInherited,\\r\\n Allinfo\\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Allinfo\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype), \\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,\\r\\n Account,\\r\\n DatabaseName,\\r\\n IsInherited\",\"size\":3,\"showAnalytics\":true,\"title\":\"Comparaison ReceiveAs\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = 
\\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"MailboxDatabaseSendAs\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n | extend Account = tostring(CmdletResultValue.UserString)\\r\\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n | extend Allinfo = strcat(Account,DatabaseName)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Account\\r\\n;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on Allinfo \\r\\n | distinct \\r\\n Account,\\r\\n DatabaseName,\\r\\n IsInherited,\\r\\n Allinfo\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n | extend Account = 
tostring(CmdletResultValue.UserString)\\r\\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n | extend Allinfo = strcat(Account,DatabaseName)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Account\\r\\n ;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n | extend Account = tostring(CmdletResultValue.UserString)\\r\\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n | extend Allinfo = strcat(Account,DatabaseName)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Account\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData) on Allinfo\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n | join kind = innerunique (BeforeData) on Allinfo\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\\r\\n | extend Actiontype =\\\"Add/Remove\\\"\\r\\n | project \\r\\n Actiontype,\\r\\n Account,\\r\\n DatabaseName,\\r\\n IsInherited,\\r\\n Allinfo\\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Allinfo\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype), 
\\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,\\r\\n Account,\\r\\n DatabaseName,\\r\\n IsInherited\",\"size\":3,\"showAnalytics\":true,\"title\":\"Comparaison SendAs\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 5 - Copy\"}]},\"name\":\"ReceiveSendAs\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Delegation\"},\"name\":\"Importantsecurityconfiguration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Local Administrators\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The following section will display the content of the local Administrators group for each server\\r\\n\\r\\n** When content refers to groups from other forests, none or partial information will be displayed, and the number of Administrators may be inconsistent. **\\r\\n\\r\\nMost of the sections display the same information but with different sorting, views...\\r\\nIf an SID is part of the local Administrators group, it won't be displayed due to a collect limitation.\"},\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"Only Exchange administrators should be members of the local Administrators group of Exchange servers.\\r\\n\\r\\nYou need to review the content of the local Administrators group on a regular basis. Ensure that the content is enforced by GPO.\\r\\n\\r\\nIt is considered as a high security risk to have a discrepancy of members between the servers. \\r\\n\\r\\nIt is not recommended to have more than one local Administrator accounts. Furthermore, the password should be unique on each server and regularly changed. 
A solution like LAPS could be used to manage the local administrator password.\\r\\n\\r\\nOnly Exchange administrators should be able to logon on Exchange servers.\\r\\n\\r\\nHere the default content of the local Administrators group for an Exchange server \\r\\n:\\r\\n- Administrator (this account can be renamed)\\r\\n- Domain Admins\\r\\n- Exchange Trusted Subsystem\\r\\n- Organization Management\\r\\n\\r\\n**Service accounts should not be members of the local Administrators group**. If it is necessary, you need to ensure that the account is dedicated to Exchange. If the service account opens sessions on other servers, it can be used for lateral movements.\\r\\nThese service accounts should be closely monitored and the security of the server where they are running needs to be at the same level of Exchange servers.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"LocalAdminsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"dfffbaa4-5888-41c2-b039-dafb6110260c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Limited\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":1,\"content\":{\"json\":\"**Yes** : display all content including the default Groups : Default groups after the installation of Exchange\\r\\n\\r\\n**No** : display only content of non standard Groups\"},\"name\":\"text - 15\"},{\"type\":1,\"content\":{\"json\":\"**Top 10 servers with high number of unique local Administrators members**\"},\"name\":\"text - 
13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup)) in ({Limited})\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| where ObjectClass !contains \\\"group\\\"\\r\\n| summarize dcount(MemberPath) by Parentgroup\\r\\n| top 10 by dcount_MemberPath\\r\\n| sort by dcount_MemberPath\",\"size\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Click to see number of unique members for every servers in the organization\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Number of unique members for all servers\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange 
Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup)) in ({Limited})\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| where ObjectClass !contains \\\"group\\\"\\r\\n| summarize dcount(MemberPath) by Parentgroup\\r\\n| sort by dcount_MemberPath\",\"size\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 9 - Copy\"}]},\"name\":\"All servers number of members\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let allsrv = ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") | where \\r\\nCmdletResultValue.IsMailboxServer== true | extend Name=tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n| where 
CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Name = tostring(trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup)))\\r\\n| distinct Name\\r\\n| project Name\\r\\n| join kind=rightanti (allsrv) on Name\\r\\n| project CmdletResultValue.Name\",\"size\":4,\"title\":\"Servers not reachable during the collect\",\"noDataMessage\":\"All server were successfully analyzed\",\"noDataMessageStyle\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletResultValue_Name\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"name\":\"query - 9 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.ServerRole <> 64\\r\\n| count\\r\\n\",\"size\":4,\"title\":\"Total number of servers in the Organizaton\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| 
extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\\r\\n| distinct Parentgroup = Parentgroup\\r\\n| count \",\"size\":4,\"title\":\"Number of Analyzed servers\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"This Tab shows each nonstandard user account that is member (directly or by a group) of the local Administrators group per server.\\r\\n\\r\\nConsider reviewing:\\r\\n- **nonstandard members** : the Memberpath help to understand from which group inclusion the user come from\\r\\n- **inconsistent members** across servers\\r\\n\\r\\nNote that content from Trusted forests might not be displayed. \",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"LocalAdminPerServersHelp\"},{\"type\":1,\"content\":{\"json\":\"This tabled shows a comparaison of the content between two dates.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"LocalAdminPerServersHelp - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"590a6eb9-3349-46cd-ace1-cae9aac1f26a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend 
Parentgroup = trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\\r\\n| distinct Parentgroup = Parentgroup\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 18\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nlet _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"LocalAminGroup\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | where CmdletResultValue.Level != 0 \\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| extend Allinfo = strcat(Parentgroup,MemberPath)\\r\\n| sort by Parentgroup asc\\r\\n;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on Allinfo \\r\\n | distinct \\r\\n Parentgroup,\\r\\n MemberPath, \\r\\n Level, \\r\\n ObjectClass, \\r\\n LastLogon, \\r\\n LastPwdSet, \\r\\n Enabled, \\r\\n DN,\\r\\n Allinfo\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue.Level != 0 \\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = 
tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| extend Allinfo = strcat(Parentgroup,MemberPath)\\r\\n| sort by Parentgroup asc\\r\\n ;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue.Level != 0 \\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| extend Allinfo = strcat(Parentgroup,MemberPath)\\r\\n| sort by Parentgroup asc\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData) on Allinfo\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n | join kind = innerunique (BeforeData) on Allinfo\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\\r\\n | extend Actiontype =\\\"Add/Remove\\\"\\r\\n | project \\r\\n Actiontype,\\r\\n Parentgroup,\\r\\n MemberPath, \\r\\n Level, \\r\\n ObjectClass, \\r\\n LastLogon, \\r\\n LastPwdSet, \\r\\n Enabled, \\r\\n 
DN\\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Allinfo\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype), \\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,\\r\\n Parentgroup, \\r\\n MemberPath, \\r\\n Level, \\r\\n ObjectClass, \\r\\n LastLogon, \\r\\n LastPwdSet, \\r\\n Enabled, \\r\\n DN\\r\\n| where Parentgroup contains \\\"{Server}\\\"\",\"size\":3,\"showAnalytics\":true,\"title\":\"To view the comparaison for one specific server, select a server in the dropdown list\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0 \\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastPwdSet = 
tostring(CmdletResultValue.LastPwdSetString)\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| summarize Count=count() by MemberPath,Parentgroup,Level,ObjectClass,LastLogon,LastPwdSet,Enabled,DN\\r\\n| project Parentgroup = strcat(\\\"💻 \\\",Parentgroup),Count,MemberPath,Level,ObjectClass,LastLogon,LastPwdSet,Enabled,DN\\r\\n| sort by Parentgroup asc \",\"size\":1,\"showAnalytics\":true,\"title\":\" Total per server of Non standard Groups and accounts including nested groups\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Parentgroup\",\"formatter\":5,\"formatOptions\":{\"aggregation\":\"Count\"}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Parentgroup\"],\"finalBy\":\"Parentgroup\"},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"Parentgroup\",\"label\":\"Server\"}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"name\":\"LocalAdminPerServers\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| 
extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend MemberPath = case( ObjectClass == \\\"group\\\", strcat( \\\"👪 \\\", MemberPath), ObjectClass == \\\"computer\\\", strcat( \\\"💻 \\\", MemberPath), strcat( \\\"🧑‍🦰 \\\", MemberPath) )\\r\\n| project-away CmdletResultValue\\r\\n//| summarize Count=count(), Servers=make_set(Parentgroup) by MemberPath\\r\\n| summarize Count=count() by MemberPath,Parentgroup \\r\\n| sort by Count desc\",\"size\":1,\"showAnalytics\":true,\"title\":\"Non Standard accounts summary for all servers\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Group\",\"formatter\":1},{\"columnMatch\":\"MemberPath\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Member\",\"formatter\":1}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"MemberPath\"],\"expandTopLevel\":false},\"labelSettings\":[{\"columnId\":\"MemberPath\",\"label\":\"MemberPath\"},{\"columnId\":\"Parentgroup\",\"label\":\"Servers\"},{\"columnId\":\"Count\",\"label\":\"Nb Servers\"}]}},\"name\":\"LocalAdminCount\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"##### Select a server to display its content\\r\\n\\r\\nBy default only the non-standard members are displayed. 
\\r\\n\\r\\n❌ : for last logon displayed when the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"19e606d9-7f3e-4d2f-a314-892da571e50a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\\r\\n| distinct Parentgroup = Parentgroup\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"05ef4f1c-4cf4-406f-9fb2-9ee30dc93abd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Limited\",\"label\":\"Show only nonstandard members\",\"type\":10,\"description\":\"Show only non standard members\",\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\",\"value\":\"True\"},{\"id\":\"901bf975-426f-486b-82de-ff0d64f139bb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": 
\\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"},{\"id\":\"2f7a613f-8749-44c9-b8be-844964badef8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0 \\r\\n| where CmdletResultValue.Parentgroup contains \\\"{Server}\\\"\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup)) in ({Limited})\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring 
(CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ Never logged\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(365d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ Password never set\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| project-away CmdletResultValue\\r\\n| sort by MemberPath asc\\r\\n| project-away Parentgroup\",\"size\":1,\"showAnalytics\":true,\"title\":\"Local Administrators group 
content\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Server\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"AdGroups\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Server\"},\"name\":\"Local Administrators\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange and AD GRoup\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays the content of high privilege groups in Exchange and AD.\"},\"name\":\"text - 7\"},{\"type\":1,\"content\":{\"json\":\"The **Exchange Trusted Subsystem** group is one of the two most sensitive groups in Exchange. This group has all privileges in Exchange and very high privileges in AD.\\r\\n\\r\\nExchange 2013 deployment permissions reference\\r\\n\\r\\nThis group should only contain computer accounts for each Exchange servers. When the DAG has an IP and a CNO, it is acceptable to have the DAG's computer account.\\r\\n\\r\\nThis section only shows direct nonstandard members.\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ExchangeTrustedSubsystemHelp\"},{\"type\":1,\"content\":{\"json\":\"The **Exchange Windows Permissions** group is one of the two most sensitive groups in Exchange. This group has very high privileges in AD.\\r\\n\\r\\nExchange 2013 deployment permissions reference\\r\\n\\r\\nThis group should only contain the group Exchange Trusted SubSystem. This section only shows direct nonstandard members. 
\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"WindowsPermissionGroupTileHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETSValidcontent = union kind=outer (ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(CmdletResultValue.Name)), (ExchangeConfiguration(SpecificSectionList=\\\"DAG\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(Identity));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ETS\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETSValidcontent)\\r\\n| summarize MyCount=countif( CmdletResultType == \\\"Success\\\") by CmdletResultType\\r\\n| project Result = iff ( CmdletResultType == \\\"Success\\\", tostring(MyCount), \\\"\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Trusted SubSystem group nonstandard member count\",\"noDataMessage\":\"Content of group as 
Expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletResultValue_Name\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Result\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"ScriptError\"}},\"showBorder\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersTileGroup1Query\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETScontent = ExchangeConfiguration(SpecificSectionList=\\\"ETS\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") | project Name = tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"EWP\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETScontent) and CmdletResultValue.Name != \\\"Exchange Trusted Subsystem\\\"\\r\\n| extend Result = iff ( CmdletResultType == \\\"Success\\\", \\\"\\\", \\\"Error in the script unable to retrieve value\\\")\\r\\n| summarize MyCount=countif( CmdletResultType == \\\"Success\\\") by CmdletResultType\\r\\n| project Result = iff ( CmdletResultType == \\\"Success\\\", tostring(MyCount), \\\"\\\")\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Windows Permissions group direct nonstandard members (Exchange Trusted subsystem non standard content not included)\",\"noDataMessage\":\"Content of group as 
expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletResultValue_Name\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Result\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"ScriptError\"}},\"showBorder\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersTileGroup2Query\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETSValidcontnet = union kind=outer (ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(CmdletResultValue.Name)), (ExchangeConfiguration(SpecificSectionList=\\\"DAG\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(Identity));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ETS\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETSValidcontnet)\\r\\n//| extend Name = strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name))\\r\\n| extend Name = iff(CmdletResultType == \\\"Success\\\", strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name)),\\\"Script was unable to retrieve data\\\")\\r\\n| project Name \",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Trusted SubSystem nonstandard content\",\"noDataMessage\":\"Content of Exchange Trusted SubSystem as 
Expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"ETSDetails\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETScontent = ExchangeConfiguration(SpecificSectionList=\\\"ETS\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") | project Name = tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"EWP\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETScontent) and CmdletResultValue.Name != \\\"Exchange Trusted Subsystem\\\"\\r\\n| extend Name = iff(CmdletResultType == \\\"Success\\\", strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name)),\\\"Script was unable to retrieve data\\\")\\r\\n| project Name \",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Windows Permissions direct nonstandard content (Exchange Trusted subsystem non standard content not included)\",\"noDataMessage\":\"Content of Exchange Windows Permissions as Expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"WindowsPermissionsQuery\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ETS and WP Grids\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange groups from old Exchange version\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Groups from the old Exchange version should have been removed\\r\\n- List of old groups \\r\\n\\t- Exchange Organization Administrators\\r\\n\\t- Exchange Recipient 
Administrators\\r\\n\\t- Exchange Public Folder Administrators\\r\\n\\t- Exchange Server Administrator\\r\\n\\t- Exchange View-Only Administrator\\r\\n\\t- Exchange Enterprise Servers (located in the root domain)\\r\\n\\t- Exchange Domain Servers : one group per domain\\r\\n\\r\\n\\r\\nHelp for Built-in role groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"If still exist, this section showed a summary of the content of old groups\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nlet OldVGroup = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")| where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"| extend Parentgroup = tostring(CmdletResultValue.Parentgroup));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\") |union OldVGroup\\r\\n| where CmdletResultValue.Level != 0 and CmdletResultValue.ObjectClass !contains \\\"group\\\"\\r\\n| extend MemberPath= tostring(split(tostring(CmdletResultValue.MemberPath), \\\"\\\\\\\\\\\")[countof(tostring(CmdletResultValue.MemberPath), \\\"\\\\\\\\\\\")])\\r\\n| summarize 
dcount(tostring(MemberPath)) by Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| sort by dcount_MemberPath\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"noDataMessage\":\"No groups from old versions found\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Expand this section to details on the content of the old groups\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Please select a group\"},\"name\":\"text - 5\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"let OldVGroup = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")| where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"| extend Parentgroup = tostring(CmdletResultValue.Parentgroup));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", 
\\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\") |union OldVGroup\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a695df39-1965-479a-ad0f-b4d3d168aaed\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\\r\\n\"},{\"id\":\"2d69bad8-0904-467a-86e6-cb0923520c18\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"Old 
Exchange groups content groups (Extract for the OU \\\"Microsoft Exchange Security Groups\\\").\\r\\nSelect a group to display detailed information of its contents.\\r\\nLevel attribute helps you understand the level of nested groups.\\r\\n\\r\\n❌ : for last logon displayed when the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let OldVGroupEES = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n | where (CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.MemberPath != @\\\"Exchange Enterprise Servers\\\\Exchange Domain Servers\\\") or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled) );\\r\\nlet OldVGroupEDS = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.Level ==0\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | mv-expand CmdletResultValue.Members\\r\\n | where CmdletResultValue_Members.objectClass == \\\"group\\\"\\r\\n | project Parentgroup, MemberPath= strcat(Parentgroup,\\\"\\\\\\\\\\\", CmdletResultValue_Members.name), Level = tostring(1), 
ObjectClass = tostring(CmdletResultValue_Members.objectClass), DN = tostring(CmdletResultValue_Members.DistinguishedName), ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)\\r\\n | join kind=inner ( ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid)) on ObjectGuid) ;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\")\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | union OldVGroupEES,OldVGroupEDS\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | where todatetime (CmdletResultValue.LastPwdSetString) < ago(0d) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n | where todatetime (CmdletResultValue.LastLogonString) < ago(0d) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n | sort by tostring(CmdletResultValue.MemberPath) asc \\r\\n | where CmdletResultValue.Level != 0\\r\\n | extend LastLogon = 
tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ Never logged\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ Password never set\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend MemberPath = case(ObjectClass == \\\"group\\\", strcat(\\\"👪 \\\", MemberPath), ObjectClass == \\\"computer\\\", strcat(\\\"💻 \\\", MemberPath), strcat(\\\"🧑‍🦰 \\\", MemberPath))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | project Parentgroup, MemberPath, Level, ObjectClass,LastLogon, LastPwdSet ,Enabled,DN\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Selected group content\",\"noDataMessage\":\"The query returned no results.\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5},{\"columnMatch\":\"Parentgroup\",\"formatter\":5},{\"columnMatch\":\"LastPwdSet\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5},{\"columnMatch\":\"Id\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"showPin\":true,\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList 
={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeDataEES=\\r\\n (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where (CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.MemberPath != @\\\"Exchange Enterprise Servers\\\\Exchange Domain Servers\\\") or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled));\\r\\nlet BeforeDataEDS = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.Level == 0\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | mv-expand CmdletResultValue.Members\\r\\n | where CmdletResultValue_Members.objectClass == \\\"group\\\"\\r\\n | project\\r\\n Parentgroup,\\r\\n 
MemberPath= strcat(Parentgroup, \\\"\\\\\\\\\\\", CmdletResultValue_Members.name),\\r\\n Level = tostring(1),\\r\\n ObjectClass = tostring(CmdletResultValue_Members.objectClass),\\r\\n DN = tostring(CmdletResultValue_Members.DistinguishedName),\\r\\n ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)\\r\\n | join kind=inner (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='B13', Target = \\\"On-Premises\\\")\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid))\\r\\n on ObjectGuid); \\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\")\\r\\n | union BeforeDataEES, BeforeDataEDS\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | 
extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n;\\r\\nlet AfterDataEES=\\r\\n (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where (CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.MemberPath != @\\\"Exchange Enterprise Servers\\\\Exchange Domain Servers\\\") or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled));\\r\\nlet AfterDataEDS = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.Level == 0\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | mv-expand CmdletResultValue.Members\\r\\n | where CmdletResultValue_Members.objectClass == \\\"group\\\"\\r\\n | project\\r\\n Parentgroup,\\r\\n MemberPath= strcat(Parentgroup, 
\\\"\\\\\\\\\\\", CmdletResultValue_Members.name),\\r\\n Level = tostring(1),\\r\\n ObjectClass = tostring(CmdletResultValue_Members.objectClass),\\r\\n DN = tostring(CmdletResultValue_Members.DistinguishedName),\\r\\n ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)\\r\\n | join kind=inner (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid))\\r\\n on ObjectGuid); \\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | union AfterDataEES, AfterDataEDS\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), 
CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n;\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"ExGroup\\\" or Section_s == \\\"ADGroup\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\", \\\"Exchange Enterprise Servers\\\" , \\\"Exchange Services\\\")\\r\\n //| where CmdletResultValue.MemberPath != @\\\"Exchange Enterprise Servers\\\\Exchange Domain Servers\\\"\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | 
extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n ;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on MemberPath \\r\\n | distinct \\r\\n TimeGenerated,\\r\\n Parentgroup,\\r\\n MemberPath,\\r\\n Level,\\r\\n ObjectClass,\\r\\n LastLogon,\\r\\n LastPwdSet,\\r\\n Enabled\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData ) on MemberPath\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n| join kind = innerunique (BeforeData ) on MemberPath\\r\\n| extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n| join kind = leftanti (InBeforedatabotAfter ) on MemberPath\\r\\n| extend Actiontype =\\\"Add/Remove\\\"\\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on MemberPath\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData,AddRemoveindataset,InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype),\\\"N/A\\\")\\r\\n| where MemberPath <> \\\"Exchange Enterprise Servers\\\\\\\\Exchange Domain Servers\\\"\\r\\n| project\\r\\n Actiontype,Parentgroup, MemberPath, Level, ObjectClass, LastLogon, LastPwdSet, Enabled\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Compare of the contents of selected old 
group\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"ExchangeServersGroupsGrid - Compare\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 5\"}]},\"name\":\"Exchange group from old Exchange versions\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Ensure that no service account is a member of the high privilege groups. Use RBAC to delegate the exact required permissions.\\r\\n- Limit the usage of nested group for administration.\\r\\n- Ensure that accounts are given only the required permissions to execute their tasks.\\r\\n- Use just in time administration principle by adding users in a group only when they need the required permissions, then remove them when their operation is over.\\r\\n- Limit the number of Organization management members. When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\\r\\n- Monitor the content of the following groups:\\r\\n - Organization Management\\r\\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\\r\\n - Discovery Management\\r\\n - Server Management\\r\\n - Hygiene Management\\r\\n - Exchange Servers\\r\\n - Exchange Trusted Subsystem \\r\\n - Exchange Windows Permissions\\r\\n - xxx High privilege group (not an exhaustive list)\\r\\n - All RBAC groups that have high roles delegation\\r\\n - All nested groups in high privileges groups\\r\\n - Note that this is not a complete list. 
The content of all the groups that have high privileges should be monitored.\\r\\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\\r\\n- Periodically review the members of the groups\\r\\n\\r\\nHelp for Built-in role groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Summary content of most important groups\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Level != 0 and CmdletResultValue.ObjectClass !contains \\\"group\\\"\\r\\n| extend MemberPath= tostring(split(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")[countof(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")])\\r\\n| summarize dcount(tostring(MemberPath)) by Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where Parentgroup in (\\\"Organization Management\\\", \\\"Compliance Management\\\", \\\"Discovery Management\\\", \\\"Server Management\\\", \\\"Recipient Manangement\\\",\\\"Security Administrator\\\", \\\"Hygiene Management\\\", \\\"Public Folder Manangement\\\", \\\"Records Manangement\\\") or Parentgroup contains \\\"Impersonation\\\" or Parentgroup contains \\\"Export\\\"\\r\\n| sort by 
dcount_MemberPath\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true}},\"name\":\"query - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Expand for summary content for all groups located in the OU Exchange Security Groups\",\"expandable\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Level != 0 and CmdletResultValue.ObjectClass !contains \\\"group\\\"\\r\\n| extend MemberPath= tostring(split(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")[countof(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")])\\r\\n| summarize dcount(tostring(MemberPath)) by Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| sort by dcount_MemberPath desc\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"OU Exchange Security Groups\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true}},\"showPin\":false,\"name\":\"query - 0 - Copy\"}]},\"name\":\"All groups\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":1,\"content\":{\"json\":\"Please select a group\"},\"name\":\"text - 5 - 
Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Trusted Subsystem\\\"\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Windows Permissions\\\"\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"showExportToExcel\":true,\"showAnalytics\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f3b935d7-b78f-41d2-94bc-f8c878a13260\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon >\",\"type\":10,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"},{\"id\":\"3343688f-e609-4822-b4ed-cdd50b77d948\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set >\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ 
\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"Exchange groups content (Extract for the OU \\\"Microsoft Exchange Security Groups\\\").\\r\\nSelect a group to display detailed information of its contents.\\r\\nLevel attribute helps you understand the level of nested groups.\\r\\n\\r\\n❌ : for last logon displayed when the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| sort by tostring(CmdletResultValue.MemberPath) asc \\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = 
tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| sort by MemberPath asc\\r\\n| project-away CmdletResultValue,Parentgroup\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | 
summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"ExGroup\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n ;\\r\\nlet AlldataUnique = 
allDataRange\\r\\n | join kind = innerunique (allDataRange) on MemberPath \\r\\n | distinct \\r\\n TimeGenerated,\\r\\n Parentgroup,\\r\\n MemberPath,\\r\\n Level,\\r\\n ObjectClass,\\r\\n LastLogon,\\r\\n LastPwdSet,\\r\\n Enabled\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | 
search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData ) on MemberPath\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n| join kind = innerunique (BeforeData ) on MemberPath\\r\\n| extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n| join kind = leftanti (InBeforedatabotAfter ) on MemberPath\\r\\n| extend Actiontype =\\\"Add/Remove\\\"\\r\\n| project \\r\\n TimeGenerated,\\r\\n Parentgroup,\\r\\n Actiontype,\\r\\n MemberPath,\\r\\n Level,\\r\\n ObjectClass,\\r\\n LastLogon,\\r\\n LastPwdSet,\\r\\n Enabled\\r\\n;\\r\\nlet 
DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on MemberPath\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData,AddRemoveindataset,InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype),\\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,Parentgroup, MemberPath, Level, ObjectClass, LastLogon, LastPwdSet, Enabled\",\"size\":3,\"showAnalytics\":true,\"title\":\"Add/Remove information in selected group\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"ExchangeServersGroupsGrid - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"Add/Remove means that the account has been added and removed between the Time Range (so not present Before or After the Time Range)\"},\"name\":\"text - 7\"}]},\"name\":\"Exchange group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"AD Group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Please select a group\"},\"name\":\"text - 5 - Copy\"},{\"type\":1,\"content\":{\"json\":\"High privileges AD groups can take control of Exchange by adding any accounts in the Exchange groups.\\r\\n\\r\\nNote that the members of the Account Operators are able to manage every AD group (except those protected by AdminSDHolder). 
This means they can manage the content of every high privilege Exchange groups.\\r\\n\\r\\nℹ️ It is recommended to not use this group and to monitor its changes.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ADGroupHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"268bd356-7d05-41c3-9867-00c6ab198c5a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where tostring(CmdletResultValue.Parentgroup) != \\\"Exchange Enterprise Servers\\\" and tostring(CmdletResultValue.Parentgroup) <> \\\"Exchange Services\\\"\\r\\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9d02cad2-f4c5-418d-976f-b88b56f80cb5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 
10y\\\"}\\r\\n]\"},{\"id\":\"9e591429-d8ea-40c2-80c1-2426c72c92d5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":1,\"content\":{\"json\":\"Overview of high privileges AD Groups' content.\\r\\nSelect a group to display detailed information of its contents.\\r\\nLevel attribute helps you understand the level of nested groups.\\r\\n\\r\\n❌ : for last logon displayed when the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| sort by tostring(CmdletResultValue.MemberPath) asc \\r\\n| project CmdletResultValue\\r\\n| 
extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| sort by MemberPath asc\\r\\n| project-away CmdletResultValue,Parentgroup\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5},{\"columnMatch\":\"Parentgroup\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = 
(ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"ADGroup\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled 
= tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n ;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on MemberPath \\r\\n | distinct \\r\\n TimeGenerated,\\r\\n Parentgroup,\\r\\n MemberPath,\\r\\n Level,\\r\\n ObjectClass,\\r\\n LastLogon,\\r\\n LastPwdSet,\\r\\n Enabled\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = 
tostring(CmdletResultValue)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData ) on MemberPath\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n| join kind = innerunique (BeforeData ) on MemberPath\\r\\n| extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n| join kind = leftanti (InBeforedatabotAfter ) on MemberPath\\r\\n| 
extend Actiontype =\\\"Add/Remove\\\"\\r\\n| project \\r\\n TimeGenerated,\\r\\n Parentgroup,\\r\\n Actiontype,\\r\\n MemberPath,\\r\\n Level,\\r\\n ObjectClass,\\r\\n LastLogon,\\r\\n LastPwdSet,\\r\\n Enabled\\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on MemberPath\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData,AddRemoveindataset,InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype),\\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,Parentgroup, MemberPath, Level, ObjectClass, LastLogon, LastPwdSet, Enabled\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"Add/Remove information in selected group\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"ExchangeServersGroupsGrid - Compare\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"Add/Remove means that the account has been added and removed between the Time Range (so not present Before or After the Time Range)\"},\"name\":\"text - 6\"}]},\"name\":\"AD Group\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"ExchAD\"},\"name\":\"Exchange and AD GRoup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Security configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays different security configurations for transport components.\"},\"name\":\"text - 
10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors with\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\"\\r\\n| summarize Count = countif (CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\") by Name,tostring(CmdletResultValue.Server.Name)\\r\\n\",\"size\":0,\"title\":\"Anonymous Configuration\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"yAxis\":[\"Count\"],\"group\":\"CmdletResultValue_Server_Name\",\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"33\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RCAnonymous\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend Identity = tostring(Identity)\\r\\n|summarize count() by Identity\",\"size\":0,\"title\":\"OpenRelay with \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" for Anonymous\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.AuthMechanismString contains 
(\\\"ExternalAuthoritative\\\")\\r\\n| extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n| summarize count() by Name,Server\\r\\n\",\"size\":0,\"title\":\"Open Relay using with Externally Secure\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 2\"}]},\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors OpenRelay using Extended Right \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" for Anonymous\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This view shows all **Receive Connectors** configured configured as Open Relay with the Extended Rights \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" set on the Receive Connector object in the Configuration partition.\\r\\n\\r\\n\\r\\nRemember that with this configuration, the Exchange servers can be used to send emails outside the organization. Depending on the configuration, the connectors may be protected by IPs. However, IP protection is not safe configuration.\\r\\n\\r\\nYou can check if the \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" ExtendedRights has been added on the Receive connector for Anonymous with PowerShell: `Get-ReceiveConnector | Get-ADPermission | ? 
{$_.ExtendedRights -like \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\"}`\\r\\n\\r\\nAllow anonymous relay on Exchange server\\r\\n\\r\\nSee the section \\\"Receive Connectors with Anonymous Permission\\\" for additional information regarding Anonymous authentication and IP protection.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ReceiveConnectorsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"fa5f9749-d6f8-436f-ae00-cba306713bac\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.ServerRole <> \\\"64\\\"\\r\\n| extend SRVName = tostring(CmdletResultValue.Name)\\r\\n| distinct SRVName\\r\\n| sort by SRVName asc\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"14912e83-60a1-4a21-a34b-500d4662a666\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NoIPRestriction\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":\\\"False\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":1,\"content\":{\"json\":\"The toggle button helps you to sort by:\\r\\n\\r\\n- Server\\r\\n- Receive connectors with/without no IP restrictions\"},\"name\":\"text - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RCAnonymous\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project Identity,CmdletResultValue\\r\\n| extend Identity = tostring(Identity)\\r\\n| extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.Identity.DistinguishedName,\\\",\\\",3)),\\\"[\\\\\\\"CN=\\\",\\\"\\\"),\\\"\\\\\\\"]\\\",\\\"\\\")\\r\\n|join kind=leftouter ( ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\") ) on $left.Identity == $right.Name\\r\\n| where CmdletResultValue1.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue1.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue1.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n| where CmdletResultValue1.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n| extend Server = tostring(CmdletResultValue1.Server.Name)\\r\\n| extend Name = tostring(CmdletResultValue1.Name)\\r\\n| extend TransportRole = iff(CmdletResultValue1.TransportRole== \\\"32\\\" , \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n| extend Enabled = tostring(CmdletResultValue1.Enabled)\\r\\n| extend PermissionGroups = tostring(CmdletResultValue1.PermissionGroupsString) \\r\\n| extend AuthMechanism = tostring(CmdletResultValue1.AuthMechanismString)\\r\\n| mv-expand RemoteIPall=CmdletResultValue1.RemoteIPRanges\\r\\n| mv-expand BindingAllall=CmdletResultValue1.Bindings\\r\\n| extend RemoteIP= RemoteIPall.Expression\\r\\n| extend IP= strcat (BindingAllall.Address,\\\"-\\\",BindingAllall.Port)\\r\\n| summarize Bindings = 
make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\\r\\n| sort by Server asc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"name\":\"RCAnonymousQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n | extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RCAnonymous\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| project Identity,CmdletResultValue\\r\\n| extend Identity = tostring(Identity)\\r\\n| extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.Identity.DistinguishedName,\\\",\\\",3)),\\\"[\\\\\\\"CN=\\\",\\\"\\\"),\\\"\\\\\\\"]\\\",\\\"\\\")\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RCAnonymous\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project Identity,CmdletResultValue\\r\\n | extend Identity = tostring(Identity)\\r\\n | extend Server = 
replace_string(replace_string(tostring(split(CmdletResultValue.Identity.DistinguishedName,\\\",\\\",3)),\\\"[\\\\\\\"CN=\\\",\\\"\\\"),\\\"\\\\\\\"]\\\",\\\"\\\")\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Server\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Server\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct \\r\\n Actiontype,\\r\\n Identity,\\r\\n Server\\r\\n | project \\r\\n Actiontype,\\r\\n Identity,\\r\\n Server\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), \\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,\\r\\n Permission = \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\",\\r\\n Identity,\\r\\n Server\\r\\n| order by Server\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4\"}]},\"name\":\"Receive Connectors OpenRelay using Extended Right \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" for Anonymous\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors OpenRelay using Authentication ExternalAuthoritative\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This view shows all Receive Connectors configured with authentication set to Externally Secure. With this configuration the Receive connector will be allow as Open Relay.\\r\\n\\r\\nRemember that with this configuration, the Exchange servers can be used to send emails outside the organization. 
Depending on the configuration, the connectors may be protected by IP. However, IP protection is not safe configuration.\\r\\n\\r\\n\\r\\nAllow anonymous relay on Exchange server\\r\\n\\r\\nSee the section \\\"Receive Connectors with Anonymous Permission\\\" for additional information regarding Anonymous authentication and IP protection.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ReceiveConnectorsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"195a66a1-7aa2-4564-bd3b-233049d6f101\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.ServerRole <> \\\"64\\\"\\r\\n| extend SRVName = tostring(CmdletResultValue.Name)\\r\\n| distinct SRVName\\r\\n| sort by SRVName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4ef1d2a2-a13f-4bd4-9e66-2d9a15ad8a7a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NoIPRestriction\",\"type\":10,\"description\":\"See Receive Connectors with no IP restriction\",\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":\\\"False\\\" }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"The toggle button helps you to sort by:\\r\\n\\r\\n- Server\\r\\n- Receive connectors with/without no IP restrictions\"},\"name\":\"text - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n| where CmdletResultValue.AuthMechanismString contains \\\"ExternalAuthoritative\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n| project CmdletResultValue\\r\\n| extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend TransportRole = iff(CmdletResultValue.TransportRole== \\\"32\\\" , \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n//| extend Bindings = iif(tostring(parse_json(tostring(CmdletResultValue.Bindings))[1].Port )!=\\\"\\\",tostring(strcat(tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Address),\\\"-\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Port),\\\",\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[1].Address),\\\"-\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[1].Port))),tostring(strcat(tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Address),\\\"-\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Port))))\\r\\n//| extend RemoteIPRanges = tostring(CmdletResultValue.RemoteIPRanges)\\r\\n| extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n| mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n| mv-expand 
BindingAllall=CmdletResultValue.Bindings\\r\\n| extend RemoteIP= RemoteIPall.Expression\\r\\n| extend IP= strcat (BindingAllall.Address,\\\"-\\\",BindingAllall.Port)\\r\\n| summarize Bindings = make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Receive Connectors configure with Externally Secured Authentication\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n | where CmdletResultValue.AuthMechanismString 
contains \\\"ExternalAuthoritative\\\"\\r\\n | project CmdletResultValue,WhenChanged,WhenCreated\\r\\n | extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \\\"32\\\", \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n | mv-expand BindingAllall=CmdletResultValue.Bindings\\r\\n | extend RemoteIP= RemoteIPall.Expression\\r\\n | extend IP= strcat (BindingAllall.Address, \\\"-\\\", BindingAllall.Port)\\r\\n | extend Identity = strcat(Server,'\\\\\\\\',Name)\\r\\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\\r\\n | sort by Server asc\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n | where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n | where CmdletResultValue.AuthMechanismString contains \\\"ExternalAuthoritative\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n | project CmdletResultValue, WhenChanged,WhenCreated\\r\\n | extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend TransportRole = 
iff(CmdletResultValue.TransportRole == \\\"32\\\", \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n | mv-expand BindingAllall=CmdletResultValue.Bindings\\r\\n | extend RemoteIP= RemoteIPall.Expression\\r\\n | extend IP= strcat (BindingAllall.Address, \\\"-\\\", BindingAllall.Port)\\r\\n | extend Identity = strcat(Server,'\\\\\\\\',Name)\\r\\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\\r\\n | sort by Server asc\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Identity\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Server\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | extend Binding = tostring(Bindings)\\r\\n | extend RIR = tostring(RemoteIPRange)\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n PermissionGroups,\\r\\n AuthMechanism,\\r\\n Bindings = Binding,\\r\\n RemoteIPRange = RIR,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by WhenChanged asc \\r\\n | sort by Server, Name asc\\r\\n | extend Identity = strcat(Server,\\\"\\\\\\\\\\\",Name)\\r\\n | extend Name = iff(Name != prev(Name) and prev(Name) != \\\"\\\" and Identity == prev(Identity) , strcat(\\\"📍 \\\", Name, \\\" (\\\", prev(Name), \\\"->\\\", Name, \\\" )\\\"), Name)\\r\\n | extend TransportRole = iff(TransportRole != prev(TransportRole) and prev(TransportRole) != \\\"\\\"and Identity == prev(Identity), 
strcat(\\\"📍 \\\", TransportRole, \\\" (\\\", prev(TransportRole), \\\"->\\\", TransportRole, \\\" )\\\"), TransportRole)\\r\\n | extend Enabled = iff(Enabled != prev(Enabled) and prev(Enabled) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", Enabled, \\\" (\\\", prev(Enabled), \\\"->\\\", Enabled, \\\" )\\\"), Enabled)\\r\\n | extend PermissionGroups = iff(PermissionGroups != prev(PermissionGroups) and prev(PermissionGroups) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", PermissionGroups, \\\" (\\\", prev(PermissionGroups), \\\"->\\\", PermissionGroups, \\\" )\\\"), PermissionGroups)\\r\\n | extend AuthMechanism = iff(AuthMechanism != prev(AuthMechanism) and prev(AuthMechanism) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", AuthMechanism, \\\" (\\\", prev(AuthMechanism), \\\"->\\\", AuthMechanism, \\\" )\\\"), AuthMechanism)\\r\\n | extend Bindings = iff(tostring(Bindings) != tostring(prev(Bindings)) and tostring(prev(Bindings)) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", tostring(Bindings), \\\" (\\\", prev(Bindings), \\\"->\\\", tostring(Bindings), \\\" )\\\"), tostring(Bindings))\\r\\n | extend RemoteIPRange = iff(tostring(RemoteIPRange) != tostring(prev(RemoteIPRange)) and tostring(prev(RemoteIPRange)) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", tostring(RemoteIPRange), \\\" (\\\", prev(RemoteIPRange), \\\"->\\\", RemoteIPRange, \\\" )\\\"), tostring(RemoteIPRange))\\r\\n | extend ActiontypeR =iff(( Name contains \\\"📍\\\" or TransportRole contains \\\"📍\\\" or Enabled contains \\\"📍\\\" or PermissionGroups contains \\\"📍\\\" or AuthMechanism contains \\\"📍\\\" or Bindings contains \\\"📍\\\" or Bindings contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n 
PermissionGroups,\\r\\n AuthMechanism,\\r\\n tostring=(Bindings),\\r\\n tostring(RemoteIPRange),\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n Actiontype,\\r\\n WhenChanged,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n PermissionGroups,\\r\\n AuthMechanism,\\r\\n Bindings = Bindings_string,\\r\\n RemoteIPRange = RemoteIPRange_string,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy\"}]},\"name\":\"Security Transport Configuration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors with Anonymous Permission\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This view shows all Receive Connectors configured with Anonymous authentication. It is not recommended to configure connectors with Anonymous authentication.\\r\\n\\r\\nWhen configured with Anonymous and No Ip Restriction, any machine can initiate an SMTP session with the Receive Connectors. This can then be used send emails (SPAM/Virus/Phishing....) to all the mailboxes in the organization. 
The mail will be seen as an internal mail and might bypass some protections.\\r\\n\\r\\nIf you absolute need this configuration because some of your application does not support Authentication, it is strongly recommended to limit the IP addresses that can establish SMTP sessions with Exchange. Do not use range of subnet.\\r\\n\\r\\nThis section has an option button to display \\r\\n All Receive Connectors with Anonymous (No)\\r\\n All Receive Connectors with Anonymous and with no IP Restriction (Yes)\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ReceiveConnectorsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"195a66a1-7aa2-4564-bd3b-233049d6f101\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.ServerRole <> \\\"64\\\"\\r\\n| extend SRVName = tostring(CmdletResultValue.Name)\\r\\n| distinct SRVName\\r\\n| sort by SRVName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bcb24a01-9242-4fec-b30a-02b0583cbc87\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NoIPRestriction\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":\\\"False\\\" }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"The toggle button helps you to sort by:\\r\\n- 
Server\\r\\n- Receive connectors with/without no IP restrictions\"},\"name\":\"text - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n| where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n| project CmdletResultValue\\r\\n| extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend TransportRole = iff(CmdletResultValue.TransportRole== \\\"32\\\" , \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString) \\r\\n| extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n| mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n| mv-expand BindingAllall=CmdletResultValue.Bindings\\r\\n| extend RemoteIP= RemoteIPall.Expression\\r\\n| extend IP= strcat (BindingAllall.Address,\\\"-\\\",BindingAllall.Port)\\r\\n| summarize Bindings = make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Receive Connectors configure with Anonymous 
Permission\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n | where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n | project CmdletResultValue,WhenChanged,WhenCreated\\r\\n | extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \\\"32\\\", \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n | extend Enabled = 
tostring(CmdletResultValue.Enabled)\\r\\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n | mv-expand BindingAllall=CmdletResultValue.Bindings\\r\\n | extend RemoteIP= RemoteIPall.Expression\\r\\n | extend IP= strcat (BindingAllall.Address, \\\"-\\\", BindingAllall.Port)\\r\\n | extend Identity = strcat(Server,'\\\\\\\\',Name)\\r\\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\\r\\n | sort by Server asc\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n | where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n | where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n | project CmdletResultValue, WhenChanged,WhenCreated\\r\\n | extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \\\"32\\\", \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n | mv-expand 
BindingAllall=CmdletResultValue.Bindings\\r\\n | extend RemoteIP= RemoteIPall.Expression\\r\\n | extend IP= strcat (BindingAllall.Address, \\\"-\\\", BindingAllall.Port)\\r\\n | extend Identity = strcat(Server,'\\\\\\\\',Name)\\r\\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\\r\\n | sort by Server asc\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Identity\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | extend Binding = tostring(Bindings)\\r\\n | extend RIR = tostring(RemoteIPRange)\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n PermissionGroups,\\r\\n AuthMechanism,\\r\\n Bindings = Binding,\\r\\n RemoteIPRange = RIR,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by WhenChanged asc \\r\\n | sort by Server, Name asc\\r\\n | extend Identity = strcat(Server,\\\"\\\\\\\\\\\",Name)\\r\\n | extend Name = iff(Name != prev(Name) and prev(Name) != \\\"\\\" and Identity == prev(Identity) , strcat(\\\"📍 \\\", Name, \\\" (\\\", prev(Name), \\\"->\\\", Name, \\\" )\\\"), Name)\\r\\n | extend TransportRole = iff(TransportRole != prev(TransportRole) and prev(TransportRole) != \\\"\\\"and Identity == prev(Identity), strcat(\\\"📍 \\\", TransportRole, \\\" (\\\", prev(TransportRole), \\\"->\\\", TransportRole, \\\" )\\\"), TransportRole)\\r\\n | extend Enabled = iff(Enabled != prev(Enabled) and prev(Enabled) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", Enabled, \\\" (\\\", prev(Enabled), \\\"->\\\", Enabled, \\\" )\\\"), Enabled)\\r\\n | extend PermissionGroups = iff(PermissionGroups != 
prev(PermissionGroups) and prev(PermissionGroups) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", PermissionGroups, \\\" (\\\", prev(PermissionGroups), \\\"->\\\", PermissionGroups, \\\" )\\\"), PermissionGroups)\\r\\n | extend AuthMechanism = iff(AuthMechanism != prev(AuthMechanism) and prev(AuthMechanism) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", AuthMechanism, \\\" (\\\", prev(AuthMechanism), \\\"->\\\", AuthMechanism, \\\" )\\\"), AuthMechanism)\\r\\n | extend Bindings = iff(tostring(Bindings) != tostring(prev(Bindings)) and tostring(prev(Bindings)) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", tostring(Bindings), \\\" (\\\", prev(Bindings), \\\"->\\\", tostring(Bindings), \\\" )\\\"), tostring(Bindings))\\r\\n | extend RemoteIPRange = iff(tostring(RemoteIPRange) != tostring(prev(RemoteIPRange)) and tostring(prev(RemoteIPRange)) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", tostring(RemoteIPRange), \\\" (\\\", prev(RemoteIPRange), \\\"->\\\", RemoteIPRange, \\\" )\\\"), tostring(RemoteIPRange))\\r\\n | extend ActiontypeR =iff(( Name contains \\\"📍\\\" or TransportRole contains \\\"📍\\\" or Enabled contains \\\"📍\\\" or PermissionGroups contains \\\"📍\\\" or AuthMechanism contains \\\"📍\\\" or Bindings contains \\\"📍\\\" or Bindings contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n PermissionGroups,\\r\\n AuthMechanism,\\r\\n Bindings,\\r\\n RemoteIPRange,\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == 
\\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n Actiontype,\\r\\n WhenChanged,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n PermissionGroups,\\r\\n AuthMechanism,\\r\\n Bindings = Bindings_string,\\r\\n RemoteIPRange = RemoteIPRange_string,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy\"}]},\"name\":\"Receive Connectors configure with Anonymous Permission\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Rules with specific actions to monitor\",\"items\":[{\"type\":1,\"content\":{\"json\":\"A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\\r\\n\\r\\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\\r\\n- BlindCopyTo\\r\\n- RedirectMessageTo\\r\\n- CopyTo\\r\\n\\r\\n\\r\\nFor more information :\\r\\nMail flow rules in Exchange Server\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Identity = iif( CmdletResultValue.Identity 
contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n//| extend State = tostring(CmdletResultValue.State)\\r\\n| extend Status= iff ( tostring(CmdletResultValue.State)== \\\"Enabled\\\" or tostring(CmdletResultValue.State)== \\\"1\\\" , \\\"Enabled\\\",iff(tostring(CmdletResultValue.State)==\\\"\\\",\\\"\\\", \\\"Disabled\\\"))\\r\\n| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend Mode = tostring(CmdletResultValue.Identity.Mode)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\\r\\n| sort by Status desc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n | extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\n//let _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| where 
CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n | where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n | project CmdletResultValue,WhenChanged,WhenCreated\\r\\n | extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \\\"32\\\", \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n | mv-expand BindingAllall=CmdletResultValue.Bindings\\r\\n | extend RemoteIP= RemoteIPall.Expression\\r\\n | extend IP= strcat (BindingAllall.Address, \\\"-\\\", BindingAllall.Port)\\r\\n | extend Identity = strcat(Server,'\\\\\\\\',Name)\\r\\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\\r\\n | sort by Server asc\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n | where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n | where 
CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n | project CmdletResultValue, WhenChanged,WhenCreated\\r\\n | extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \\\"32\\\", \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n | mv-expand BindingAllall=CmdletResultValue.Bindings\\r\\n | extend RemoteIP= RemoteIPall.Expression\\r\\n | extend IP= strcat (BindingAllall.Address, \\\"-\\\", BindingAllall.Port)\\r\\n | extend Identity = strcat(Server,'\\\\\\\\',Name)\\r\\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\\r\\n | sort by Server asc\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Identity\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Server\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | extend Binding = tostring(Bindings)\\r\\n | extend RIR = tostring(RemoteIPRange)\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n PermissionGroups,\\r\\n AuthMechanism,\\r\\n Bindings = Binding,\\r\\n RemoteIPRange = RIR,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by WhenChanged asc \\r\\n | sort by Server, Name asc\\r\\n | extend Identity = 
strcat(Server,\\\"\\\\\\\\\\\",Name)\\r\\n | extend Name = iff(Name != prev(Name) and prev(Name) != \\\"\\\" and Identity == prev(Identity) , strcat(\\\"📍 \\\", Name, \\\" (\\\", prev(Name), \\\"->\\\", Name, \\\" )\\\"), Name)\\r\\n | extend TransportRole = iff(TransportRole != prev(TransportRole) and prev(TransportRole) != \\\"\\\"and Identity == prev(Identity), strcat(\\\"📍 \\\", TransportRole, \\\" (\\\", prev(TransportRole), \\\"->\\\", TransportRole, \\\" )\\\"), TransportRole)\\r\\n | extend Enabled = iff(Enabled != prev(Enabled) and prev(Enabled) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", Enabled, \\\" (\\\", prev(Enabled), \\\"->\\\", Enabled, \\\" )\\\"), Enabled)\\r\\n | extend PermissionGroups = iff(PermissionGroups != prev(PermissionGroups) and prev(PermissionGroups) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", PermissionGroups, \\\" (\\\", prev(PermissionGroups), \\\"->\\\", PermissionGroups, \\\" )\\\"), PermissionGroups)\\r\\n | extend AuthMechanism = iff(AuthMechanism != prev(AuthMechanism) and prev(AuthMechanism) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", AuthMechanism, \\\" (\\\", prev(AuthMechanism), \\\"->\\\", AuthMechanism, \\\" )\\\"), AuthMechanism)\\r\\n | extend Bindings = iff(tostring(Bindings) != tostring(prev(Bindings)) and tostring(prev(Bindings)) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", tostring(Bindings), \\\" (\\\", prev(Bindings), \\\"->\\\", tostring(Bindings), \\\" )\\\"), tostring(Bindings))\\r\\n | extend RemoteIPRange = iff(tostring(RemoteIPRange) != tostring(prev(RemoteIPRange)) and tostring(prev(RemoteIPRange)) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", tostring(RemoteIPRange), \\\" (\\\", prev(RemoteIPRange), \\\"->\\\", RemoteIPRange, \\\" )\\\"), tostring(RemoteIPRange))\\r\\n | extend ActiontypeR =iff(( Name contains \\\"📍\\\" or TransportRole contains \\\"📍\\\" or Enabled contains \\\"📍\\\" or PermissionGroups contains 
\\\"📍\\\" or AuthMechanism contains \\\"📍\\\" or Bindings contains \\\"📍\\\" or Bindings contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n PermissionGroups,\\r\\n AuthMechanism,\\r\\n Bindings,\\r\\n RemoteIPRange,\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n Actiontype,\\r\\n WhenChanged,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n PermissionGroups,\\r\\n AuthMechanism,\\r\\n Bindings = Bindings_string,\\r\\n RemoteIPRange = RemoteIPRange_string,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, 
Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n | extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\n//let _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| project CmdletResultValue,TimeGenerated\\r\\n| extend Identity = iif( CmdletResultValue.Identity contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n//| extend State = tostring(CmdletResultValue.State)\\r\\n| extend Status= iff ( tostring(CmdletResultValue.State)== \\\"Enabled\\\" or tostring(CmdletResultValue.State)== \\\"1\\\" , \\\"Enabled\\\",iff(tostring(CmdletResultValue.State)==\\\"\\\",\\\"\\\", \\\"Disabled\\\"))\\r\\n| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend Mode = tostring(CmdletResultValue.Identity.Mode)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\\r\\n| sort by Status desc\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| project CmdletResultValue, TimeGenerated\\r\\n| extend Identity = iif( CmdletResultValue.Identity contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n//| extend State = tostring(CmdletResultValue.State)\\r\\n| extend Status= iff ( tostring(CmdletResultValue.State)== \\\"Enabled\\\" or tostring(CmdletResultValue.State)== \\\"1\\\" , 
\\\"Enabled\\\",iff(tostring(CmdletResultValue.State)==\\\"\\\",\\\"\\\", \\\"Disabled\\\"))\\r\\n| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend Mode = tostring(CmdletResultValue.Identity.Mode)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\\r\\n| sort by Status desc\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Identity\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n TimeGenerated,\\r\\n Actiontype,\\r\\n Identity,\\r\\n Status,\\r\\n SentTo,\\r\\n BlindCopyTo,\\r\\n CopyTo,\\r\\n RedirectMessageTo,\\r\\n Mode\\r\\n;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by Identity, TimeGenerated asc\\r\\n | extend Status = iff(Status != prev(Status) and Identity == prev(Identity), strcat(\\\"📍 \\\", Status, \\\" (\\\", iff(prev(Status)==\\\"\\\",\\\"Null\\\",prev(Status)), \\\"->\\\", Status, \\\" )\\\"), Status)\\r\\n | extend SentTo = iff(SentTo != prev(SentTo) and Identity == prev(Identity), strcat(\\\"📍 \\\", SentTo, \\\" (\\\", iff(prev(SentTo)==\\\"\\\",\\\"Null\\\",prev(SentTo)), \\\"->\\\", SentTo, \\\" )\\\"), SentTo)\\r\\n | extend BlindCopyTo = iff(BlindCopyTo != prev(BlindCopyTo) and Identity == prev(Identity), strcat(\\\"📍 \\\", BlindCopyTo, \\\" (\\\", iff(prev(BlindCopyTo)==\\\"\\\",\\\"Null\\\",prev(BlindCopyTo)), \\\"->\\\", BlindCopyTo, \\\" )\\\"), BlindCopyTo)\\r\\n | extend CopyTo = iff(CopyTo != prev(CopyTo) and Identity == prev(Identity), strcat(\\\"📍 \\\", CopyTo, \\\" (\\\", iff(prev(CopyTo)==\\\"\\\",\\\"Null\\\",prev(CopyTo)), \\\"->\\\", CopyTo, \\\" 
)\\\"), CopyTo)\\r\\n | extend RedirectMessageTo = iff(CopyTo != prev(RedirectMessageTo) and Identity == prev(Identity), strcat(\\\"📍 \\\", RedirectMessageTo, \\\" (\\\", iff(prev(RedirectMessageTo)==\\\"\\\",\\\"Null\\\",prev(RedirectMessageTo)), \\\"->\\\", RedirectMessageTo, \\\" )\\\"), RedirectMessageTo)\\r\\n | extend Mode = iff(Mode != prev(Mode) and Identity == prev(Identity), strcat(\\\"📍 \\\", Mode, \\\" (\\\", iff(prev(Mode)==\\\"\\\",\\\"Null\\\",prev(Mode)), \\\"->\\\", Mode, \\\" )\\\"), Mode)\\r\\n | extend ActiontypeR =iff(( Identity contains \\\"📍\\\" or Status contains \\\"📍\\\" or SentTo contains \\\"📍\\\" or BlindCopyTo contains \\\"📍\\\" or CopyTo contains \\\"📍\\\" or RedirectMessageTo contains \\\"📍\\\" or Mode contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n TimeGenerated,\\r\\n Actiontype,\\r\\n Identity,\\r\\n Status,\\r\\n SentTo,\\r\\n BlindCopyTo,\\r\\n CopyTo,\\r\\n RedirectMessageTo,\\r\\n Mode\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by TimeGenerated desc \\r\\n| project\\r\\n TimeGenerated,\\r\\n Actiontype,\\r\\n Identity,\\r\\n Status,\\r\\n SentTo,\\r\\n BlindCopyTo,\\r\\n CopyTo,\\r\\n RedirectMessageTo,\\r\\n Mode\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Transport Rules actions to 
monitor\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Journal Mailboxes\"},\"name\":\"JournalMailboxHelp\"},{\"type\":1,\"content\":{\"json\":\"The **Journal Mailboxes** contain emails sent and received by specific or all users. The content of these mailboxes is very sensitives.\\r\\n\\r\\nJournal Rules should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. Also by default, no one should access to these mailboxes.\\r\\n\\r\\nThen, it is recommended to regularly check who have Full Access mailbox or Receive As on these mailboxes.\\r\\nAdditional information :\\r\\n\\r\\nJournaling in Exchange Server\\r\\n\\r\\nJournaling procedures\\r\\n\\r\\n\\r\\nMailbox audit logging in Exchange Server\\r\\n\\r\\n\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"JournalHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"JournalRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Status= iff ( tostring(CmdletResultValue.Enabled)== \\\"true\\\" , \\\"Enabled\\\", iff(tostring(CmdletResultValue.Enabled)==\\\"\\\",\\\"\\\", \\\"Disabled\\\"))\\r\\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\\r\\n| extend Recipient = tostring(CmdletResultValue.Recipient.Address)\\r\\n| sort by Name asc\\r\\n| sort by Status desc\\r\\n| project-away CmdletResultValue\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Journal Rules configured in your 
environment\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"JournalQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"JournalRule\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"JournalRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | project CmdletResultValue, TimeGenerated\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend Status= iff (tostring(CmdletResultValue.Enabled) == \\\"true\\\", \\\"Enabled\\\", iff(tostring(CmdletResultValue.Enabled) == \\\"\\\", \\\"\\\", \\\"Disabled\\\"))\\r\\n //| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\\r\\n | extend Recipient = tostring(CmdletResultValue.Recipient.Address)\\r\\n | extend Allinfo = strcat(Name,JournalEmailAddress,Recipient)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Name asc\\r\\n | sort by Status desc\\r\\n;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on Allinfo \\r\\n | distinct \\r\\n TimeGenerated,\\r\\n Name,\\r\\n Status,\\r\\n JournalEmailAddress,\\r\\n Recipient,\\r\\n Allinfo\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"JournalRule\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend Status= iff (tostring(CmdletResultValue.Enabled) == \\\"true\\\", \\\"Enabled\\\", iff(tostring(CmdletResultValue.Enabled) == \\\"\\\", \\\"\\\", \\\"Disabled\\\"))\\r\\n //| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\\r\\n | extend Recipient = tostring(CmdletResultValue.Recipient.Address)\\r\\n | extend Allinfo = strcat(Name,JournalEmailAddress,Recipient)\\r\\n | extend CmdletResultV = 
tostring(CmdletResultValue)\\r\\n | sort by Name asc\\r\\n | sort by Status desc\\r\\n ;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"JournalRule\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend Status= iff (tostring(CmdletResultValue.Enabled) == \\\"true\\\", \\\"Enabled\\\", iff(tostring(CmdletResultValue.Enabled) == \\\"\\\", \\\"\\\", \\\"Disabled\\\"))\\r\\n //| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\\r\\n | extend Recipient = tostring(CmdletResultValue.Recipient.Address)\\r\\n | extend Allinfo = strcat(Name,JournalEmailAddress,Recipient)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Name asc\\r\\n | sort by Status desc\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData) on Allinfo\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n | join kind = innerunique (BeforeData) on Allinfo\\r\\n | extend Actiontype = iff (Name != \\\"\\\", \\\"Remove\\\", \\\"\\\")\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\\r\\n | extend Actiontype =\\\"Add/Remove\\\"\\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Allinfo\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype), \\\"N/A\\\")\\r\\n| where Name <> \\\"\\\"\\r\\n| project\\r\\n Actiontype,\\r\\n Name,\\r\\n Status,\\r\\n JournalEmailAddress,\\r\\n 
Recipient\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy - Copy - Copy - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Journal Recipients on mailbox databases configured in your environment\",\"items\":[{\"type\":1,\"content\":{\"json\":\"As Journal Recipient on databases send all the mail send to users in this database to a specific mailbox. The content of these mailboxes is very sensitive.\\r\\n\\r\\nJournal Recipients configuration should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. No one should have access to these mailboxes by default.\\r\\n\\r\\nIt is recommended to regularly check who have Full Access or Receive As on these mailboxes.\\r\\n\\r\\nAdditional information :\\r\\n\\r\\nJournaling in Exchange Server\\r\\n\\r\\nJournaling procedures\\r\\n\\r\\n\\r\\nMailbox audit logging in Exchange Server\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"JournalRecipientsHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MbxDBJournaling\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.JournalRecipient !=\\\"\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Identity = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient.Name)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity 
asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"JournalRecipient\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"JournalRecipient\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"MbxDBJournaling\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n | extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\n//let _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"MbxDBJournaling\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| project CmdletResultValue,WhenChanged,WhenCreated\\r\\n| extend Identity = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient.Name)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc \\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"MbxDBJournaling\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue,WhenChanged,WhenCreated\\r\\n | extend Identity = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient.Name)\\r\\n | project-away CmdletResultValue\\r\\n | sort by Identity asc 
\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Identity\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n JournalRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by Identity, WhenChanged asc\\r\\n | extend JournalRecipient = iff(JournalRecipient != prev(JournalRecipient) and Identity == prev(Identity), strcat(\\\"📍 \\\", JournalRecipient, \\\" (\\\", iff(prev(JournalRecipient)==\\\"\\\",\\\"Null\\\",prev(JournalRecipient)), \\\"->\\\", JournalRecipient, \\\" )\\\"), JournalRecipient)\\r\\n | extend ActiontypeR =iff(( Identity contains \\\"📍\\\" or JournalRecipient contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n JournalRecipient,\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n JournalRecipient,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters 
)\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy - Copy - Copy - Copy\"}]},\"name\":\"JournalRecipientsGroup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Remote Domain Autofoward Configuration - * should not allow AutoForwardEnabled\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is set to True for an SMTP domain, then users in Outlook are allowed to set automatic transfer of all their emails to addresses in this domain.\\r\\n\\r\\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. 
\\r\\n\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\\r\\n\\r\\nAdditional information:\\r\\n\\r\\nRemote Domains\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address == \\\"*\\\", strcat (\\\"❌\\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address != \\\"*\\\", strcat (\\\"⚠️\\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅\\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n| project-away CmdletResultValue\\r\\n| sort by Address asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = 
_TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| project CmdletResultValue,WhenChanged,WhenCreated\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address == \\\"*\\\", strcat (\\\"❌\\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address != \\\"*\\\", strcat (\\\"⚠️\\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅\\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n| project-away CmdletResultValue\\r\\n| sort by Address asc \\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue,WhenChanged,WhenCreated\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n | extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address == \\\"*\\\", strcat (\\\"❌\\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address != \\\"*\\\", strcat (\\\"⚠️\\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅\\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n | project-away CmdletResultValue\\r\\n | sort by Address asc \\r\\n;\\r\\nlet i=0;\\r\\nlet 
DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Name\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Name\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Name,\\r\\n Address,\\r\\n AutoForwardEnabled,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by WhenChanged asc \\r\\n | sort by Name asc\\r\\n //| extend Name = iff(Name != prev(Name) and prev(Name) != \\\"\\\" , strcat(\\\"📍 \\\", Name, \\\" (\\\", prev(Name), \\\"->\\\", Name, \\\" )\\\"), Name)\\r\\n | extend Address = iff(Address != prev(Address) and prev(Address) != \\\"\\\" and Name == prev(Name), strcat(\\\"📍 \\\", Address, \\\" (\\\", prev(Address), \\\"->\\\", Address, \\\" )\\\"), Address)\\r\\n | extend AutoForwardEnabled = iff(AutoForwardEnabled != prev(AutoForwardEnabled) and prev(AutoForwardEnabled) != \\\"\\\" and Name == prev(Name), strcat(\\\"📍 \\\", AutoForwardEnabled, \\\" (\\\", prev(AutoForwardEnabled), \\\"->\\\", AutoForwardEnabled, \\\" )\\\"), AutoForwardEnabled)\\r\\n | extend ActiontypeR =iff(( Name contains \\\"📍\\\" or Address contains \\\"📍\\\" or AutoForwardEnabled contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Name,\\r\\n Address,\\r\\n AutoForwardEnabled,\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| 
project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Name,\\r\\n Address,\\r\\n AutoForwardEnabled,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Accepted domains set to * authorize Open Relay.\\r\\n\\r\\nMore information:\\r\\n\\r\\nAccepted domains\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"AcceptedDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.DomainName.Address == \\\"*\\\"\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n| extend Address = \\\"* : ❌ OpenRelay configuration\\\"\\r\\n| extend DomainType = case(CmdletResultValue.DomainType==\\\"0\\\",\\\"Authoritative Domain\\\",CmdletResultValue.DomainType==\\\"1\\\",\\\"ExternalRelay\\\",CmdletResultValue.DomainType==\\\"2\\\",\\\"InternalRelay\\\",\\\"NotApplicable\\\")\\r\\n| project-away CmdletResultValue\",\"size\":1,\"showAnalytics\":true,\"title\":\"Accepted domain with *\",\"noDataMessage\":\"Accepted Domain * not confirgured (no Open Relay)\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"AcceptedDomain\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"AcceptedDomain\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue, WhenChanged, WhenCreated\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n | extend DomainType = case(CmdletResultValue.DomainType==\\\"0\\\",\\\"Authoritative Domain\\\",CmdletResultValue.DomainType==\\\"1\\\",\\\"ExternalRelay\\\",CmdletResultValue.DomainType==\\\"2\\\",\\\"InternalRelay\\\",\\\"NotApplicable\\\")\\r\\n | project-away CmdletResultValue\\r\\n | sort by Address asc \\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"AcceptedDomain\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue, WhenChanged, WhenCreated\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n | extend DomainType = case(CmdletResultValue.DomainType==\\\"0\\\",\\\"Authoritative 
Domain\\\",CmdletResultValue.DomainType==\\\"1\\\",\\\"ExternalRelay\\\",CmdletResultValue.DomainType==\\\"2\\\",\\\"InternalRelay\\\",\\\"NotApplicable\\\")\\r\\n | project-away CmdletResultValue\\r\\n | sort by Address asc \\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Name\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Name\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Name,\\r\\n Address,\\r\\n DomainType,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffModifData = union BeforeData, AfterData\\r\\n | sort by WhenChanged asc \\r\\n | sort by Name asc\\r\\n // | extend Name = iff(Name != prev(Name) and prev(Name) != \\\"\\\", strcat(\\\"📍 \\\", Name, \\\" (\\\", prev(Name), \\\"->\\\", Name, \\\" )\\\"), Name)\\r\\n | extend Address = iff(Address != prev(Address) and prev(Address) != \\\"\\\" and Name == prev(Name), strcat(\\\"📍 \\\", Address, \\\" (\\\", prev(Address), \\\"->\\\", Address, \\\" )\\\"), Address)\\r\\n | extend DomainType = iff(DomainType != prev(DomainType) and prev(DomainType) != \\\"\\\" and Name == prev(Name), strcat(\\\"📍 \\\", DomainType, \\\" (\\\", prev(DomainType), \\\"->\\\", DomainType, \\\" )\\\"), DomainType)\\r\\n | extend ActiontypeR =iff((Name contains \\\"📍\\\" or Address contains \\\"📍\\\" or DomainType contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Name,\\r\\n Address,\\r\\n DomainType,\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), 
Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Name,\\r\\n Address,\\r\\n DomainType,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy - Copy - Copy - Copy\"}]},\"name\":\"ForwardGroup\"}]},\"name\":\"Journal Rules\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Transport\"},\"name\":\"Transport Security configuration\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityReview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", - "sourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" } }, 
@@ -2948,7 +5940,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId4'),'/'))))]",
 "properties": {
- "description": "@{workbookKey=MicrosoftExchangeSecurityReview; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks. Required Data Connector: Exchange Security Insights On-Premises Collector.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Microsoft Exchange Security Review; templateRelativePath=Microsoft Exchange Security Review.json; subtitle=; provider=Microsoft}.description",
+ "description": "@{workbookKey=MicrosoftExchangeSecurityReview; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks. 
Required Data Connector: Exchange Security Insights On-Premises Collector.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=2.0.0; title=Microsoft Exchange Security Review; templateRelativePath=Microsoft Exchange Security Review.json; subtitle=; provider=Microsoft}.description",
 "parentId": "[variables('workbookId4')]",
 "contentId": "[variables('_workbookContentId4')]",
 "kind": "Workbook",
@@ -3010,7 +6002,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CriticalCmdletsUsageDetection_AnalyticalRules Analytics Rule with template version 3.1.5",
+ "description": "CriticalCmdletsUsageDetection_AnalyticalRules Analytics Rule with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -3038,10 +6030,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "ESI-ExchangeAdminAuditLogEvents",
 "dataTypes": [
 "Event"
- ]
+ ],
+ "connectorId": "ESI-ExchangeAdminAuditLogEvents"
 }
 ],
 "tactics": [
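Review bot: The `requiredDataConnectors` entry on the new side of the `@@ -3038,10 +6030,10 @@` hunk still names `ESI-ExchangeAdminAuditLogEvents`, the connector this same commit retitles `[Deprecated] Microsoft Exchange Logs and Events`, so both analytic rules keep a deprecated connector as their only declared data source while none of the six new Opt* connectors is declared; the `@@ -3185,10 +6177,10 @@` hunk below has the identical entry. If the admin-audit `Event` rows are now expected to arrive through the connector defined in the new `ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json`, the entry should reference that connector's id (presumably the file's base name, to be confirmed against its `"id"` field), for example `"connectorId": "<new-admin-audit-connector-id>"`, or carry both ids for the transition period so the rule's data-source status in Sentinel is not tied to a connector users are being told to move away from. Since this mainTemplate appears to be generated from the rule YAML, the change likely belongs in the rule's source `requiredDataConnectors` followed by a repackage, and the `Data Connectors: 8` count in the later `@@ -3331` hunk should be checked once the deprecated connector's fate is decided.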
@@ -3056,54 +6048,54 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Mailbox",
 "fieldMappings": [
 {
- "columnName": "TargetObject",
- "identifier": "MailboxPrimaryAddress"
+ "identifier": "MailboxPrimaryAddress",
+ "columnName": "TargetObject"
 }
- ],
- "entityType": "Mailbox"
+ ]
 },
 {
+ "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "Computer",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "Computer"
 }
- ],
- "entityType": "Host"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "TargetObject",
- "identifier": "Sid"
+ "identifier": "Sid",
+ "columnName": "TargetObject"
 },
 {
- "columnName": "TargetObject",
- "identifier": "ObjectGuid"
+ "identifier": "ObjectGuid",
+ "columnName": "TargetObject"
 },
 {
- "columnName": "TargetObject",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "TargetObject"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "Caller",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "Caller"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ],
 "alertDetailsOverride": {
+ "alertDisplayNameFormat": "{{CmdletName}} executed on {{TargetObject}}",
 "alertSeverityColumnName": "Level",
- "alertDescriptionFormat": "Alert from Microsoft Exchange Security as {{CmdletName}} with parameters {{CmdletParameters}} was executed on {{TargetObject}}",
- "alertDisplayNameFormat": "{{CmdletName}} executed on {{TargetObject}}"
+ "alertDescriptionFormat": "Alert from Microsoft Exchange Security as {{CmdletName}} with parameters {{CmdletParameters}} was executed on {{TargetObject}}"
 }
 }
 },
@@ -3157,7 +6149,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ServerOrientedWithUserOrientedAdministration_AnalyticalRules Analytics Rule with template version 3.1.5",
+ "description": "ServerOrientedWithUserOrientedAdministration_AnalyticalRules Analytics Rule with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -3185,10 +6177,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "ESI-ExchangeAdminAuditLogEvents",
 "dataTypes": [
 "Event"
- ]
+ ],
+ "connectorId": "ESI-ExchangeAdminAuditLogEvents"
 }
 ],
 "tactics": [
@@ -3203,48 +6195,48 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Mailbox",
 "fieldMappings": [
 {
- "columnName": "userPrincipalName",
- "identifier": "MailboxPrimaryAddress"
+ "identifier": "MailboxPrimaryAddress",
+ "columnName": "userPrincipalName"
 },
 {
- "columnName": "userPrincipalName",
- "identifier": "Upn"
+ "identifier": "Upn",
+ "columnName": "userPrincipalName"
 }
- ],
- "entityType": "Mailbox"
+ ]
 },
 {
+ "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "Computer",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "Computer"
 }
- ],
- "entityType": "Host"
+ ]
 },
 {
+ "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "ServerCmdletTargetObject",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "ServerCmdletTargetObject"
 }
- ],
- "entityType": "Host"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "Caller",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "Caller"
 },
 {
- "columnName": "objectGUID",
- "identifier": "ObjectGuid"
+ "identifier": "ObjectGuid",
+ "columnName": "objectGUID"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -3331,12 +6323,12 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.1.5",
+ "version": "3.3.0",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Microsoft Exchange Security - Exchange On-Premises",
 "publisherDisplayName": "Community",
- "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Windows Event logs collection, including MS Exchange Management Event logs

    \n
  2. \n
  3. Custom logs ingestion via Data Collector REST API

    \n
  4. \n
\n

Data Connectors: 2, Parsers: 4, Workbooks: 4, Analytic Rules: 2, Watchlists: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Windows Event logs collection, including MS Exchange Management Event logs

    \n
  2. \n
  3. Custom logs ingestion via Data Collector REST API

    \n
  4. \n
\n

Data Connectors: 8, Parsers: 5, Workbooks: 4, Analytic Rules: 2, Watchlists: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -3370,6 +6362,36 @@
 "contentId": "[variables('_dataConnectorContentId2')]",
 "version": "[variables('dataConnectorVersion2')]"
 },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId3')]",
+ "version": "[variables('dataConnectorVersion3')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId4')]",
+ "version": "[variables('dataConnectorVersion4')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId5')]",
+ "version": "[variables('dataConnectorVersion5')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId6')]",
+ "version": "[variables('dataConnectorVersion6')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId7')]",
+ "version": "[variables('dataConnectorVersion7')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId8')]",
+ "version": "[variables('dataConnectorVersion8')]"
+ },
 {
 "kind": "Parser",
 "contentId": "[variables('parserObject1').parserContentId1]",
@@ -3390,6 +6412,11 @@
 "contentId": "[variables('parserObject4').parserContentId4]",
 "version": "[variables('parserObject4').parserVersion4]"
 },
+ {
+ "kind": "Parser",
+ "contentId": "[variables('parserObject5').parserContentId5]",
+ "version": "[variables('parserObject5').parserVersion5]"
+ },
 {
 "kind": "Workbook",
 "contentId": "[variables('_workbookContentId1')]",
@@ -3423,12 +6450,12 @@
 {
 "kind": "Watchlist",
 "contentId": "[variables('_Exchange Services Monitoring')]",
- "version": "3.1.5"
+ "version": "3.3.0"
 },
 {
 "kind": "Watchlist",
 "contentId": "[variables('_Exchange VIP')]",
- "version": "3.1.5"
+ "version": "3.3.0"
 }
 ]
 },
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/MESCompareDataOnPMRA.yaml b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/MESCompareDataOnPMRA.yaml
index a1ed584b886..33c7525d895 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/MESCompareDataOnPMRA.yaml
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/MESCompareDataOnPMRA.yaml
@@ -43,141 +43,141 @@ FunctionQuery: | // This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them. // // USAGE: -// Parameters : 7 parameters to add during creation. -// 1. SectionCompare, type string, default value "" -// 2. DateCompare, type string, default value "lastdate" -// 3. CurrentDate, type string, default value "lastdate" -// 4. EnvList, type string, default value "All" -// 5. TypeEnv, type string, default value "Online" -// 6. CurrentRole, type string, default value "" -// 7. ExclusionsAcct, type dynamic, default value dynamic("") -// -// Parameters simulation -// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values. -// -// let SectionCompare = "SampleEntry"; -// let EnvList = "All"; -// let TypeEnv = "Online"; -// let CurrentRole = ""; -// let ExclusionsAcct = dynamic(""); -// let DateCompare = "lastdate"; -// let CurrentDate = "lastdate"; -// -// Parameters definition -let _SectionCompare = SectionCompare; -let _EnvList =EnvList; -let _TypeEnv = TypeEnv; -let _CurrentRole =CurrentRole; -let _ExclusionsAcct = ExclusionsAcct; -let _DateCompare = DateCompare; -let _CurrentDate = CurrentDate; -let _DateCompareB = todatetime(DateCompare); -let _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv) -| summarize TimeMax = max(TimeGenerated) -| extend TimeMax = tostring(split(TimeMax,"T")[0]) -| project TimeMax); -let _CurrentDateB = todatetime(toscalar(_currD)); -let BeforeData = - ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv) - | where CmdletResultValue.Role contains _CurrentRole - and CmdletResultValue.RoleAssigneeName !in 
(_ExclusionsAcct) - and CmdletResultValue.Name !contains "Deleg" - | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) - | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== "0" or CmdletResultValue.RoleAssigneeType== "2" , "User", CmdletResultValue.RoleAssigneeType== "10","Group","LinkedGroup") - | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name) -| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name) -| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope=="0","None",CmdletResultValue.RecipientWriteScope=="2","Organization",CmdletResultValue.RecipientWriteScope=="3","MyGAL", CmdletResultValue.RecipientWriteScope=="4","Self",CmdletResultValue.RecipientWriteScope=="7", "CustomRecipientScope",CmdletResultValue.RecipientWriteScope=="8","MyDistributionGroups","NotApplicable") -| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope=="0","None",CmdletResultValue.ConfigWriteScope=="7","CustomConfigScope",CmdletResultValue.ConfigWriteScope=="10","OrganizationConfig","NotApplicable") - | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) - | extend Status= tostring(CmdletResultValue.Enabled) - | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") - | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) - | extend Role = tostring(CmdletResultValue.Role) - ; -let AfterData = - ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv) - | where CmdletResultValue.Role contains _CurrentRole - and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) - and CmdletResultValue.Name !contains "Deleg" - | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) 
- | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== "0" or CmdletResultValue.RoleAssigneeType== "2" , "User", CmdletResultValue.RoleAssigneeType== "10","Group","LinkedGroup") - | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name) -| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name) -| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope=="0","None",CmdletResultValue.RecipientWriteScope=="2","Organization",CmdletResultValue.RecipientWriteScope=="3","MyGAL", CmdletResultValue.RecipientWriteScope=="4","Self",CmdletResultValue.RecipientWriteScope=="7", "CustomRecipientScope",CmdletResultValue.RecipientWriteScope=="8","MyDistributionGroups","NotApplicable") -| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope=="0","None",CmdletResultValue.ConfigWriteScope=="7","CustomConfigScope",CmdletResultValue.ConfigWriteScope=="10","OrganizationConfig","NotApplicable") - | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) - | extend Status= tostring(CmdletResultValue.Enabled) - | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) - | extend Role = tostring(CmdletResultValue.Role) - | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") - ; -let i=0; -let allDataRange = - ESIExchangeConfig_CL - | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB) - | where ESIEnvironment_s == _EnvList - | where Section_s == "MRA" - | extend CmdletResultValue = parse_json(rawData_s) - | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t - | where CmdletResultValue.Role contains _CurrentRole - and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) - and CmdletResultValue.Name !contains "Deleg" - | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) - | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== "0" or CmdletResultValue.RoleAssigneeType== "2" , "User", CmdletResultValue.RoleAssigneeType== "10","Group","LinkedGroup") - | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name) -| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name) -| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope=="0","None",CmdletResultValue.RecipientWriteScope=="2","Organization",CmdletResultValue.RecipientWriteScope=="3","MyGAL", CmdletResultValue.RecipientWriteScope=="4","Self",CmdletResultValue.RecipientWriteScope=="7", "CustomRecipientScope",CmdletResultValue.RecipientWriteScope=="8","MyDistributionGroups","NotApplicable") -| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope=="0","None",CmdletResultValue.ConfigWriteScope=="7","CustomConfigScope",CmdletResultValue.ConfigWriteScope=="10","OrganizationConfig","NotApplicable") - | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) - | extend Status= tostring(CmdletResultValue.Enabled) - | extend Role = tostring(CmdletResultValue.Role) - | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") - ; -let DiffAddDataP1 = allDataRange - | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated -; -let DiffAddDataP2 = 
allDataRange - | join kind = innerunique (allDataRange ) on WhenCreated - | where WhenCreated >=_DateCompareB - | where bin(WhenCreated,5m)==bin(WhenChanged,5m) - | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated - ; -let DiffAddData = union DiffAddDataP1,DiffAddDataP2 -| extend Actiontype ="Add"; -let DiffRemoveData = allDataRange - | join kind = leftanti AfterData on RoleAssigneeName - | extend Actiontype ="Remove" - | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated - | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated - ; -let DiffModifData = union AfterData,allDataRange -| sort by ManagementRoleAssignement,WhenChanged asc -| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !="" , strcat("📍 ", Status, " (",prev(Status),"->", Status," )"),Status) -| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !="" , strcat("📍 ", CustomRecipientWriteScope, " (", prev(CustomRecipientWriteScope),"->", CustomRecipientWriteScope, ")"),CustomRecipientWriteScope) -| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !="" , strcat("📍 ", CustomConfigWriteScope, " (", prev(CustomConfigWriteScope),"->", 
CustomConfigWriteScope, ")"),CustomConfigWriteScope) -| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !="" , strcat("📍 ", RecipientWriteScope, " (", prev(RecipientWriteScope),"->", RecipientWriteScope, ")"),RecipientWriteScope) -| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !="" , strcat("📍 ", ConfigWriteScope, " (", prev(ConfigWriteScope),"->", ConfigWriteScope, ")"),ConfigWriteScope) -| extend ActiontypeR =iff((Status contains "📍" or CustomRecipientWriteScope contains"📍" or CustomConfigWriteScope contains"📍" or RecipientWriteScope contains"📍" or ConfigWriteScope contains"📍" ), i=i + 1, i) -| extend Actiontype =iff(ActiontypeR > 0, "Modif", "NO") -| where ActiontypeR == 1 -| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated -; -union DiffAddData, DiffRemoveData, DiffModifData -| extend RoleAssigneeName = iff(RoleAssigneeType == "User", strcat("🧑‍🦰 ", RoleAssigneeName), strcat("👪 ", RoleAssigneeName)) -| extend WhenChanged = iff (Actiontype == "Modif", WhenChanged, iff(Actiontype == "Add",WhenCreated, WhenChanged)) -//| extend WhenChanged = case(Actiontype == "Modif" , tostring(bin(WhenChanged,1m)), Actiontype == "Add",tostring(bin(WhenChanged,1m)),Actiontype == "Remove","NoInformation","N/A") -| extend Actiontype = case(Actiontype == "Add", strcat("➕ ", Actiontype), Actiontype == "Remove", strcat("➖ ", Actiontype), Actiontype == "Modif", strcat("📍 ", Actiontype), "N/A") -| sort by WhenChanged desc -| project - WhenChanged, - Actiontype, - RoleAssigneeName, - RoleAssigneeType, - Status, - CustomRecipientWriteScope, - CustomConfigWriteScope, - 
RecipientWriteScope, - ConfigWriteScope, - ManagementRoleAssignement, - RoleAssignmentDelegationType, - WhenCreated \ No newline at end of file + // Parameters : 7 parameters to add during creation. + // 1. SectionCompare, type string, default value "" + // 2. DateCompare, type string, default value "lastdate" + // 3. CurrentDate, type string, default value "lastdate" + // 4. EnvList, type string, default value "All" + // 5. TypeEnv, type string, default value "Online" + // 6. CurrentRole, type string, default value "" + // 7. ExclusionsAcct, type dynamic, default value dynamic("") + // + // Parameters simulation + // If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values. + // + // let SectionCompare = "SampleEntry"; + // let EnvList = "All"; + // let TypeEnv = "Online"; + // let CurrentRole = ""; + // let ExclusionsAcct = dynamic(""); + // let DateCompare = "lastdate"; + // let CurrentDate = "lastdate"; + // + // Parameters definition + let _SectionCompare = SectionCompare; + let _EnvList =EnvList; + let _TypeEnv = TypeEnv; + let _CurrentRole =CurrentRole; + let _ExclusionsAcct = ExclusionsAcct; + let _DateCompare = DateCompare; + let _CurrentDate = CurrentDate; + let _DateCompareB = todatetime(DateCompare); + let _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv) + | summarize TimeMax = max(TimeGenerated) + | extend TimeMax = tostring(split(TimeMax,"T")[0]) + | project TimeMax); + let _CurrentDateB = todatetime(toscalar(_currD)); + let BeforeData = + ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv) + | where CmdletResultValue.Role contains _CurrentRole + and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) + and CmdletResultValue.Name !contains "Deleg" + | extend 
RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== "0" or CmdletResultValue.RoleAssigneeType== "2" , "User", CmdletResultValue.RoleAssigneeType== "10","Group","LinkedGroup") + | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name) + | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name) + | extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope=="0","None",CmdletResultValue.RecipientWriteScope=="2","Organization",CmdletResultValue.RecipientWriteScope=="3","MyGAL", CmdletResultValue.RecipientWriteScope=="4","Self",CmdletResultValue.RecipientWriteScope=="7", "CustomRecipientScope",CmdletResultValue.RecipientWriteScope=="8","MyDistributionGroups","NotApplicable") + | extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope=="0","None",CmdletResultValue.ConfigWriteScope=="7","CustomConfigScope",CmdletResultValue.ConfigWriteScope=="10","OrganizationConfig","NotApplicable") + | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) + | extend Status= tostring(CmdletResultValue.Enabled) + | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend Role = tostring(CmdletResultValue.Role) + ; + let AfterData = + ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv) + | where CmdletResultValue.Role contains _CurrentRole + and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) + and CmdletResultValue.Name !contains "Deleg" + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== 
"0" or CmdletResultValue.RoleAssigneeType== "2" , "User", CmdletResultValue.RoleAssigneeType== "10","Group","LinkedGroup") + | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name) + | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name) + | extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope=="0","None",CmdletResultValue.RecipientWriteScope=="2","Organization",CmdletResultValue.RecipientWriteScope=="3","MyGAL", CmdletResultValue.RecipientWriteScope=="4","Self",CmdletResultValue.RecipientWriteScope=="7", "CustomRecipientScope",CmdletResultValue.RecipientWriteScope=="8","MyDistributionGroups","NotApplicable") + | extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope=="0","None",CmdletResultValue.ConfigWriteScope=="7","CustomConfigScope",CmdletResultValue.ConfigWriteScope=="10","OrganizationConfig","NotApplicable") + | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) + | extend Status= tostring(CmdletResultValue.Enabled) + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend Role = tostring(CmdletResultValue.Role) + | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") + ; + let i=0; + let allDataRange = + ESIExchangeConfig_CL + | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB) + | where ESIEnvironment_s == _EnvList + | where Section_s == "MRA" + | extend CmdletResultValue = parse_json(rawData_s) + | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t + | where CmdletResultValue.Role contains _CurrentRole + and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) + and CmdletResultValue.Name !contains "Deleg" + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== "0" or CmdletResultValue.RoleAssigneeType== "2" , "User", CmdletResultValue.RoleAssigneeType== "10","Group","LinkedGroup") + | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name) + | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name) + | extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope=="0","None",CmdletResultValue.RecipientWriteScope=="2","Organization",CmdletResultValue.RecipientWriteScope=="3","MyGAL", CmdletResultValue.RecipientWriteScope=="4","Self",CmdletResultValue.RecipientWriteScope=="7", "CustomRecipientScope",CmdletResultValue.RecipientWriteScope=="8","MyDistributionGroups","NotApplicable") + | extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope=="0","None",CmdletResultValue.ConfigWriteScope=="7","CustomConfigScope",CmdletResultValue.ConfigWriteScope=="10","OrganizationConfig","NotApplicable") + | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) + | extend Status= tostring(CmdletResultValue.Enabled) + | extend Role = tostring(CmdletResultValue.Role) + | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") + ; + let DiffAddDataP1 = allDataRange + | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated + ; + let 
DiffAddDataP2 = allDataRange + | join kind = innerunique (allDataRange ) on WhenCreated + | where WhenCreated >=_DateCompareB + | where bin(WhenCreated,5m)==bin(WhenChanged,5m) + | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated + ; + let DiffAddData = union DiffAddDataP1,DiffAddDataP2 + | extend Actiontype ="Add"; + let DiffRemoveData = allDataRange + | join kind = leftanti AfterData on RoleAssigneeName + | extend Actiontype ="Remove" + | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated + | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated + ; + let DiffModifData = union AfterData,allDataRange + | sort by ManagementRoleAssignement,WhenChanged asc + | extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !="" , strcat("📍 ", Status, " (",prev(Status),"->", Status," )"),Status) + | extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !="" , strcat("📍 ", CustomRecipientWriteScope, " (", prev(CustomRecipientWriteScope),"->", CustomRecipientWriteScope, ")"),CustomRecipientWriteScope) + | extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !="" , strcat("📍 ", CustomConfigWriteScope, " (", 
prev(CustomConfigWriteScope),"->", CustomConfigWriteScope, ")"),CustomConfigWriteScope) + | extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !="" , strcat("📍 ", RecipientWriteScope, " (", prev(RecipientWriteScope),"->", RecipientWriteScope, ")"),RecipientWriteScope) + | extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !="" , strcat("📍 ", ConfigWriteScope, " (", prev(ConfigWriteScope),"->", ConfigWriteScope, ")"),ConfigWriteScope) + | extend ActiontypeR =iff((Status contains "📍" or CustomRecipientWriteScope contains"📍" or CustomConfigWriteScope contains"📍" or RecipientWriteScope contains"📍" or ConfigWriteScope contains"📍" ), i=i + 1, i) + | extend Actiontype =iff(ActiontypeR > 0, "Modif", "NO") + | where ActiontypeR == 1 + | project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated + ; + union DiffAddData, DiffRemoveData, DiffModifData + | extend RoleAssigneeName = iff(RoleAssigneeType == "User", strcat("🧑‍🦰 ", RoleAssigneeName), strcat("👪 ", RoleAssigneeName)) + | extend WhenChanged = iff (Actiontype == "Modif", WhenChanged, iff(Actiontype == "Add",WhenCreated, WhenChanged)) + //| extend WhenChanged = case(Actiontype == "Modif" , tostring(bin(WhenChanged,1m)), Actiontype == "Add",tostring(bin(WhenChanged,1m)),Actiontype == "Remove","NoInformation","N/A") + | extend Actiontype = case(Actiontype == "Add", strcat("➕ ", Actiontype), Actiontype == "Remove", strcat("➖ ", Actiontype), Actiontype == "Modif", strcat("📍 ", Actiontype), "N/A") + | sort by WhenChanged desc + | project + WhenChanged, + Actiontype, + RoleAssigneeName, + RoleAssigneeType, + Status, + 
CustomRecipientWriteScope,
+ CustomConfigWriteScope,
+ RecipientWriteScope,
+ ConfigWriteScope,
+ ManagementRoleAssignement,
+ RoleAssignmentDelegationType,
+ WhenCreated
\ No newline at end of file
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json b/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json
index a3fc6b8930e..719ed124386 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json
@@ -25,7 +25,7 @@
 ],
 "WatchlistDescription": "ExchOnlineVIP Watchlists contains a list of VIP users identified in Exchange Online that would be more monitored than others. This watchlist is used in the Audit log workbooks to filter activities on those users.",
 "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Microsoft Exchange Security - Exchange Online",
- "Version": "3.1.5",
+ "Version": "3.1.6",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false 
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.1.6.zip b/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.1.6.zip new file mode 100644 index 0000000000000000000000000000000000000000..a364ca4e498793c68760dc94e4afec3fa1f43a72 GIT binary patch literal 46700 zcmX{6b8se3ussgPwl=o;#7;Ke=t;7%ZQHhO+qP}nwz)BWpYOfzeWz;vnC{a(GgVV( zPR+EuG&lqX2nYxa2%Zh0y4@*gbuByyhz~6Y$glsbh7QL1PR7dSqQ)lXHs(&|wl<6w zjZ~EjtSnRrjRanNq~7$mkge9K$h?s$|7u$1Kp6$~B=gaUm=j9}qcl*k;-r47Q%8+LFtop+yWStt^brFVcTVA0Znlz1`;3M(>;(;%wBX zY3UHA&gO*8@HE1Id>!DT8&E9ZM!+aaB|P%0Z$DJeq^~UOnbjtz7=*ra36pB|u}FSN zuk!i0DrjM}+I)%d*85&!@u~!9_D7|`4`!Lz(5z|E6|Xj^)upFdlBLmC9ZKoLKWkRg zYRw3UsP}$;3c3ipTsbv7qVF3YDm^a)s#a>BE{?g$MAZ(>8K!`l+h2p*o3Xm3b+_=K zf^uRSIOiO9jtkfBDtG2NKy9;>uT2t#o zWT)=&u!S6LJ0^;2>3>p#p~nBJK~c|uX!X!*MICTO5{1(YIx+DCh-LM--r| zqW>nk`V8yG;!YztA$G*mCxP3S;hUtUw}+I2*EjbE0Ko~}w&N`>uLL&ysjfcj8jzxZ zC$_rkk~4(%qx!zdXyxFjRIzfiYyJ0$E~tK_idGE57>N__$8SGW?IC~4r!h>^Oo$y5 zpwiKGCTgTvtytRso^#) zutN8#e~VDT%q2?>*Fy_Z_&vHoL@rJ?)(t+JC(f2kPu*9kc8@7v_qcRGRc<7d4geKu4j3BbeH2q^VIB@ZBN4 z7tZv2UT6}-7Az~0KIg1h{~yC&DcRV6s|IR833+)dpQd{01KF?M-&9<%LBw=&1D zj&ZWWNr^sKoT(?Q;elw z&7G4?NjU#^PR*u-H-VqgdVTUd@rhYzj!Sjo^E;dHwvUnh-@|&gQ+C+h>?WSS0`G_Y z*w(i{Y>-8JHwI`7G;!nq8H!rfbC3@QTI6-Z&4a&Mz4h<;E3jMty|-brKE9mEOFu~G zN{nf8zx}hH4rE%ihJM=4*ar1^+W7Y{o&0SNRp{%dWVh}qmMUQR{1-N2kQ;1Iqzs{H z9j!otVdV^xZ9z1saJGbM^NCCUX9-ijonJ_o$p$Ie2Zh>mb9Mn^h}}=V&mN5tYMFMPA1ogF zbC;r5^!nmxX{dC(PLG>|%m+pYKcmXR85sX13>Xul7f0@-5`Gb|21G)Fi>N1n)Coxn z-f6Lv3i|3cjOux{;*WQE33*b?^Q0|7-p#{}tSv6Ep^_}dh(AS_E_{Tl>Em_xu$dgP z%K;@D0J`6*37NnYEo=^`4wfqez$LUo_Fi&0MQ;nRCA|&O7mQAIcIE9N8l9C9&QJHq zmkOUiN+1Va*M(!kEYnT+3Bih)y>v@-gmJr2r8~2Z*&xm%NbyeEpfnzPcv&bn)h9r@7z?>1FO!FTfu07pYWjW1`Z9OW_)7$aPXC6bE0ObJV@UBi601{M5@!DJTZ z>fLH*xYqk|*(U(@-hK8m*97Z%0OHxAohQzvHGb#pFgf@M=wV?{?0 zU;*m|qCJs9n*3YE{@G&zD>ME!%G*Q~D|+;dw+8#n4tW8zs;FHbu%NR-_5SJ@sEP;_ zQMp#o`s@_i+v!x_BQ)YRdg^HdUtAN(gk(CxLnaWmg)~NdG*+;rq8}>z 
zg@dCl2HN*GtlJ2fvoeMb@fT*y$vNoXs$<1Fh>BvDH%(le`Z<7$=p-HOjG5{mH?YmD zTsr?NY-Ic65S#;nC$@)$^mdn?RLxiOKx!*zf7uL@p$x+=FRj=UH7bqU z=fe*@#i5vhMsc5?{vNMI=VA}UlJCo}`0;J)7af3Q6({6h%Ij0wVC!An^S)u_`ANrp zgoB6c57p`-?{NJreVOZ}+jT?->Z7vsg*H`YH08B^F-$XyeN4OHWWKau92vq+)aWR$ zlSQV59^(Wni~}?VIDVU5_3c$!5BPzp8(78yg$f6y;BX-S-G$mD@zh`Wp@_ld4BRd| zF`GcNwT1y2EOveWCh!r^7w{D^Oy_}(YNM^ZL5ss#C;>N^sW#)bMD&hWJ&M#4M$F$p zxMR?<^ukw=za`49e9Y;-+Uuc*k>sPgjq>pw+}N{u1J{Opj?-Auo?4b6y7Sc9e9nETVRdM;M1kcNp+=q zhYq6UnN~Ft4;?)6;7r^z8vf{28pGCkqU^rl>x-}a|6k*~{XdPbFkjGH4gzuygakqT zPvcwbo7*TETiaRvr}Y0v-CuQUJCaEz5I-}reud&cZ^iF{5rg_*sPms`VnuFGUmIYi z8p-ae)kkIirX0@#i%Xk=P`}zqxDI@3quflCG~r1!cSi1D?JV_7`kwg)y_SpX9F-6k z754#wP_Mc;x=~8RK_&cu?dHGU`~C8heMtW$K&bUW=6c@V=#)*K`1-bi`>{aSZul}m z^mbTu{ml~n`Am#|-{4l=xwCFvZQHWKYnda66XL3NJ4GZLVsp^?gCBZmo075APmE6` z|12RG5oj0n<+O46>f7aYL{)Q28P;F>3M$aPc*GM`ccB0X8{q1a$x1<&qe=uweS47i zkO(8dII{|47+5*uB9+2Aosi>`oU%k^VXX9z_BZqPJY*~S0-^(skn$#NZAS+6u9!&H z_5nmvEL*>goheIqMyWmmCn6r{e;Rw49rRk@)+qQ@*QTmtM%>TlVzzuD|ZdT!rx z5`$)jq76r*#jDBRK%THkD1-=koi!z1EkNC-;cLho0oca*AVrGZwhwc+B)LT%0wmS_$p4&C4!!APnpa-VbuS#$bc*Fyp6Lt8^Y__TS6n%^@6_pnC$k8?zOwv*FI zmMSS?Zw`g`JziHEaq!|Pv)0KWpN(g;IN$|MqB_B!9$qVO0y|AB~R4ilB!$=OZfy`W(<2Z@0^)qR<^d0c!PL4t&YOcofnqy4%ib*paY@(?BI^?SarSl)-? z{+mSa7f6U6Qh=g(3|gdL4LiKB#>VLajGQ~A%R>Tp8TR7)0n-)eIDiO&rumzuR%1kk zeUwsT$pd`H{YZ})CxmQ3aTP^Rt7vCRtlf1sOWFn3BARpEqMjhWE|hAhPN>QIQym4= z&`2W@l6@gKh3vC_lLD_o#F9=NUY?$e-*b8fmvk)T_41Bm#jyeD?^mLH%7up@+t1J) zsif}?dYrs3lLLvS-p)Z0GkfRkAxj6&*woCJ3ivTFd8mvSFfqGWh$$*BP(~1_@Jku)LQBS4Oaz;D^_7leM2*R58dwO*D3uD-ym(Hyo)efi zB>D~@QgPe31Ag$16R~>4VP+eV7b2=NEPLw;>f`ZA1E*SvEN(i=Cw^p2#FKChZ@Thbh34a zyVYW~IBl>s(g>#zM$CMIFQldq8RW>i8^TCBC^PS*Qc?eaI%S|6rpY?WR71`z zy%H6&2WqC(N&UD9JDNQQtc3jVs5%$VdSxGFX6!H}CTe4&q!=zAOr}|ws(zwuzAt9o zc!?f5-V-Uu`h;O(wFS9>)x*gH3-;>(9q5UNmcMcfVYsr1(98@YrujX}Rf1R#+@zIq z9KB|iv4baIU7Sl&rt$YPiRGC`0(s=x;}{docEVY*XsOX8;0vd~x&B$nDWRunXR9k%UAr8ZSSX__FfuQ$f|6Kid(P4T~b>Wa6h%RC z3KP|M$!*Su;|`bN+^rc#ED@Zn5x^8pPRAfRi`WeuMS)o?b#~UrD-((wZwz!}@tke? 
z+b(3`zL z&*MyJCt6Ong|gh2^D(^$ka}`?x$3vLX4d<3UdmBxR<>kg z+N^V07$Yp((&iq0?XHG#{-Q7+Y-@l1Td-6R0SH61W5HKLK{zN|WCrJll&C6VoF9f* z?z+{$3?WLag8{-)y(Z}ZBkDulr(tSp>Xd>gbvu<3W-Gu9AtUPP$9b9o#GyFwSE9Ku z_Rwk%Ay}rOIx3cg%~LRZ7|4_~b$SH3-B zYy96XQ2*IV`p>6YDY!2{6oyg%Ya4>+)EUrUs#(>VC9V_{am}2+NS-qsk>=t@-`J3`g5wYeTZw?^kPyN?y`)pzW;m^jjm%94V>yODE#muJAleRy44i#Xa6+3> z8m)N^p{@6v`huX3^~o0R{;L6Ea{&Ulj`l7z%tZd>+yC7SC&#}%{k7>2cetYy?Ud>? zu^MaSP5-uht>4xT*8vQZTj9oy%2KG_1`ymP0Va2gAY3@K9S@a_oauYc`R#7YXL&4* zIuTfweO{5t$N^*Kr#Bds(Ia&!-xo+w`%YPWDEpAfqgle94Z0`S_SuQ&*xRj-iUPrH zqag`sxwLpoFQe7w^e4m=f7}iw%82>a*owNo!839m6EbZyN34rH7TxhaP(QLw{AT|4 zxtQuMrOO)w{xS<+F8AKg@5QXtpp>9TDQK`r1$4amFSAA4{UX+h55QKzcMpO2DUMtH^^Z^}T_1g7vv;CI`h+^{_uBIA;iUnC9aJXlEFLp!( zd)Ka|v8~jlb4=}uIlR7h*_UIzR}8a#QV35EuJTF$AR7k+tJ-%ltA$86WKp2M^eHAI zPLhEi@KyHriA-8|RL(tpH_k_+%=AlJ|K#&PPPyqEcyg21a|5FUJ4ckj-@|_i0z^GG zozcjvAA`Pc3Rfn%_XE{%<#X8KY~o8rUoI zLIEZK1Q7hHs%7QN?2P4QgMOplutDtdVezHBZu#@RHdlpa_{WZr`SG_`{5pPqUM?4& zI+gV^Ln{7h&wv2&tl7JADSKxXpPuJYB;E)b9wkhPPg!m~C9)s`Uc1miUZj;5hZ#GJ zpo++kr&6Q1*F>bIMHiir)qE}-8y^EpbpOJTAbIEwHa6Tp^CRm45&}rkV z=WJeF72|GCyBC=+j7B$qJww6a1~gxjj4GSWb<>1EImMbNyC4GIS$x8nY-0p(UGZ`b z2xaO4?k@P!7RT;mY-QR!?%B_I2y>qHLY!0RhX7E!cZJvdzce6%9FUwFGv%I-eNUUv z3{T)T*lw)gif80~+oy)7#lGR4+zX`1Qf=;S_s}hadh_h-!~tfBPW)gnQ0aXgsy2Wb zRrcZ8fb-UMC_HoFenl%{W(1M-Qx>ObD~3mur86`SaPxplufWiML2+6FQR7PZYy8z}S z(_`t(fBeF;+$9PbNa$r3ZG;^vb5h2%_*Rp3r^Hx+0C82AZB+6Zw^Sh~G)VBRQL4Nw z+7FOn;`13A9mnZMbWZG%iogmXgjx6ptb^`TKRS7B`Ml@aK>(CRkH8;vL+ylya6?HO z5oK*yDw%8Q_0aFxJWFPxOE_?_^LZS>K4Q(+*q_n-ev)AeI^_@%Bqo7~k6dCgf z)XoUQ0AbL;zhb0%Pk+fX?9K;GZ|hRGmG>^=vu3oqs86~rSUg3w7c zrAibsay&@gX!EJAL&QEQez*d~T?(gFC}v{rZO9(rf8Q~k<%yx;`@9+79Vj6QwXxkX zdwi8H1fCfiJ0?D(jmTMW$O9bO3z-~Lo`EsAF=5|E0p|?GXhYTgay23;kKvJ~D2Nr* zU0tD37KW;N2Lm9np-7Y4r&;R{O_D zju|y^di-(CUo)uK%ObtyYT8%SUXUgGxUB>&=yi_P1vXiu{^ zc6U-OVuD*Jvr;=!C1@QoDA$_b9&hsmrhaL~6Goo}p%x{9Asu93lWnQDDMAC!iA~Td zzqM^!g0CrNqEu8{HwgIn2@TsI#GR#VshG2nuIz#$Ih-M~U(s`GNztxIMd^}15JdQ( 
z)Hnt(Hr|)$IUCujVf54G$CB>NAhqORJEYBA?772&?JmJ+nqYh^dz)}T@7IaEP0$z2 z)no`C>VKF~3)Qr}t!8#Pvo=VJjC0?@PK-1WjaEjZHS3fn=PcvPhoV)lgXZL)uXqS~ zor>7+Tt1}%`db6r<*A^Y$3G`e)0WT5*e|1{1ka#UNhJ_(h+KE|R7b^IYHvzY+>n?Q z(1{>jm1-BKI5Z7R!ZV~Q$&;uXDPU0|uYF3DDOnN5s1(DRTxL4?0XRGF^XJWi_yr?$ zMgcU8f6MEpI&@5^?Lmb$YHwIeFV*(hO2Rc`7I6?qa7`Qaq$n4XKnWWsf5-NMAs+=b z`r*k!I)9Jd%JM_~3hRMe196p9B{c^4|I8C02!-pkAc#7EpMtqys#&S}ov={w>6l~+ ze~*W8PdZS*Bhn%9=~{<<(*T0oMY0%~hG1lvN9P0%E#g1Lv2b_ihVCG#;12jWO1+r4 zgVUqU*nQFw5)O3xe&KQS=*4G*#av`#nA(JZy$qe)LUa4pt~FEs&^thvrTC^dn#CCO zv}^fX57zX44xL;`aI2c9-Jb7lNU&csQ=W_3G;Zmal#dTx(X))8e^{EJL3Y$9*;r{9 zersocBU(zI6dF`7*wV88sRZ#h3N#<0%nDa;|M>u?zV9a;c8*B&K6S#M?Y1;=b<2i) zg(}DejWr*7Wq}%jFI2t4Os~x|;B_LIWs}?aB!}(usdmHH(%R>=uNseC;+Wf(>0iY8 zcu|YRVR=fsvTM8< zBl`Dc_NUc}i6C`nC=cc#jSrRO8K&~FS#o8^j7KJ5Tt52B+kvrniG9>WD!g$xGjR$) zi>@7ez?HO;KR~cNM3Zq!%bMH8D+ue&@N9cW=Cnz)rXBrp(1d&I8~KK zwDX{-n?@~2YKzcn%Li00Bbb$ySu62@u_u^EO5Co?)_D7@NQOw0Ix&EZdN;qdk zye2B~PZbx%3DoCZ2`|W5Jj)B+B_h!2v*kbaI^Qi7Je4*_fM1@1{9Jo%L(YujC2)+z zEi7C69ukYdIz|AWN7ql|zY%%-7{km>5`p&YlD_#JlU=AtnbWQr#}&d43Xw@mm^kko z0Q#PHWaSu~F~>2)cW!q&p3cJ+g?9(28EfMR#sJt7@QtqYX}UmHy8l4X75+eBXVri= zzvR^dI$y2`hzykHw9O9bD?ip`?pb(sI_MgyYDuP9|NS2BR@0{&)vGLV6obdcXpqlz zR}gy-D?TyNc?w6F%-R$vw+XhFF2XHotw=$Xb$D|gYt^dRdf#cd@M&SxX@5*`-+ZYJ zxW|?yUmH|Wjc;d*Wa=~oPvEdss`>Fq_g-z1<70VCyW0<7!5i~LJvT!o0Sg%G4=4(d zGX16NZ(#mm6}vj-9w${f-~gfhJ_{Ate*&Dmb$PFz{=V_3>}}j{b%Ex+dCuE)KXGPy zRGC_k%_xxcbf8pJC=y&iV>n(h3H2A-NQIzAi^n_*mZHUw7H9q-VUvb>lD7G@C6ov| zZG*G_1#=y_S_2m+2j-&NE2Z6)65<>T<^t(C(IjVDS9DP4t4V5Sk9hRGG&`-7$SJJa zrK=&($JV)sfMETW_GaV-u%Fg*$=%X(pfHAE5eX4mHxde8cC-9qr;wQlEB9167zfO; z@>^WSoQ~@(qU+NBNueYKullP01AJRo#Iy*^JfvZ^HUn1(9#Mf!Ac%{TXPOkvp%pWg zgBjDuh?EJRGS6?DV%(yY#BtPvg&Lbvm?n7JA;qyuC>6a>Bab1VxpWNs^}s(AF_r}L zRsq&iVW*p=$AnpQksEs%f801rl5<7*DUsuKjafj|#VV{T`a~3aQql<}JidJGHXqxhO zcuAHfq~k<$+uF8Ii1xSS?TxgKPR+i7{K{3&*u}I%Q_>RFmZ~^X zO2J}fFpZT^8{dYikP}LN7n;2*>N6_3EyJnS*Dt#Z$12%$kiW>IXz#0AMk-HjdSZ)K 
zQp>;`ZPu0I3b}P{5Fy~)xzmXNr4Gef6LQ3%4w5%VRqX;2HAls74&<}xcP(}!&K&|49Ju4K&)OKFa~uv${&>WBf(V1>uc z_WIvm+=-fm&?}nLt?CvaB9egvwSpIEJeR#azUJRv>jNgJunsyB*oE&z{BXNzuZBcn# zQXQALLMW!l3~eo5&x+^C|=x`kgi63*$0=#c+mT8xpg8Eb3)e zr5LxWX^C^T=D+h36>l}|YAKspIBrGR)!Nr|5($fNeA>wkbIb2JCz@$z4PZ*cR>@28 zL_x7bc45U(+rIUcj+0w_0Vi4uhTc5i1W-` zt$^tnKlcY=yO3`ox6rNRUAlwsOz*=wT#ciT%GjIxENr*0&Fsg_!$88<*NUUZP9plr z%=ViR_TH8G=~dV1=N2pHX<~XYRea)Ojw7?}&GZLQINR~j@p$VKH>U7HE4}e(!b>f6 zsoOzcAWX!vCo46VV)dB6_{DV6{7rMx*nQUBqbw`gxn?4CO4)r@vR4;4!Sm~QH6ikW zhF0q$_r1N1p?)@riW|T(NNq<*N`vhBJFL)>eSMH`+&u}j9;TJkyGt06%%ZVZOrjJ$ zHvz?Ii5}IlG<9sc_i?>(+wPsP@k!mJ1CO01k{?gr#v$rIcI^;}xyijt6KLUee2^x3 z67O8xQ4u>@fI+}xmM#(Rc=||7aMzC&7Btk|Aage;$f9WY-+w#fsm2s2fiU2PZ_MC5 zXGa+zl2JI_ppkRhs^#(>JfmVjYKSod**qCnCPopNcQDWtgiiidgZV2=fx zs|nTebe<2FO^?|ZgPw03h+w8ueK-bdPQ#C~mFn{+o#{&}iVB=h${zST zzF+K;Aw8Pt6wpt({sZ%YQ;%>%=!S<=1cOHKk54ISxWSy~4u0F*@cKhQTLrBEMgK8} zT@au5{7X8Ovv$4Yx$hA6@JA457V}UahsrRXc-TZ zEmidiqWjf1Y_Zfon!#_SZY#tn%)8}AsF;!xFIkFMSCUN*Dho66=n%Z=hj=`#Bq~XUa;L$k7OZ;M=#(2X~iAZ$W|E7{CdWM%GU#{#riX)({YP5HQ zr*2*VW&))gUv*lZVMfWbnnr$8=XTZnA;mu2U*?MX{6|O$xMa)lvPh~RsG=XG&~&o9 zhdRVmSnxx1-^=5Rq)DxYMC+?pWDDM);OjupjsKb2In%5sOE?%=XulU`q z%R2RNijoGeDDoWgZ46exX{X|ZWSNJ4{-U-qBSc_w@q&uW%Z*t^7B3tN>$<7(W%I>v z4f44tHkDFXY$9^ZsonMON`@xemj8{8x49>5+2Vr?`E2x$r0JS`?o%B+Tb%0eaOl1o zHGo0Bn8MOzlhxoU;O}L2TPwA!r^Db>OTPo+^CXHlXzkaLnEVp39P47Nd+X=hR#&60 z@V2&5`*;bT< zHf1%gQWfCSRNwMRxP-`NK6p3iG!PxPX65gkPpNV=`sZlWWEppb5)kQrv3_}(h=H^zI;0z@Y$w^{kDw4a)kGhwbTfKb#G zU7D;qYu&hkAt$-Vsa6MK9Dwh2R~X1#k%~q996`HM>f?ky%rOoQsfS$=1TMsUcki-5 zctyx5k#BmrP$q_lt)dL_g->1=Jh~JJ8K8l0oY{>)y4L-$S^og|Tk2>F^BU!!_;-!N z!r1a0I}Ou8p#o~ILu6uBw#2q{$(Q0K>7*#<>)SL>!cvY=re$i8I1heKpc<%y|t z%qrKCk_ru>x!FdoI4*afB`Sav(j|pMUd8jzYZeTZ>-z)H;Y?O*r)=ijq(3k83|pbs zQes}daS8f0`tp!req7((y2i*Ch1-ELzfTGh`8lbyppXAE=LqMLV(4M*4;G0lRk=T1 zSGP|0GeT5>IPjedJ;=qlF|^h{AW-&Ezwt0eM9?|ztT0K&!!@E|A>#KkxFq~{1vw;= zI$3vkOfBEqcJDmBxfpsm*48=`TqPtyQCHgz`tWSkf^+P1dx@{tFwHWYNrW<{itlt+y 
zH(MQ&jmgBlyQ##jcO}G2ctov(Ll_Sk_k&@|#tfa|DLctsJsI_sE!8UhO%Ec#eshC* zX_BpIwnd!#A4NUTw~k{Hg%!M?iG=~PYs9b%#$q^X_ioss5Y{6&A_GtxzhTDK@`#en zbEbIkHotE)+vwaU9s9z^6cGPmUt(M{T!vLSonRL6oy<9(Y@MGy{?`@%Q+Ok|C4XF$ zq|IJ-ueS?)b0tOfB`7#28&P>|4$Z_V?vBSaAHOLX?}7Fs81V9iuRQS|_0zmtY!QVh zA~%nKJYSJ<2YgN~>-U@ibm6sw659d@85brcB> z`d>_c!*{O58(Rb}`t$DKc`_B+{oNy}TUx-Zx|I`zKwoo0j;$t8ERP&c7l&j(if#1% z1TpM!zIE8#v%2Te(A*NQjy@Bp_=^b(m-*JL%q|Jfek`hOeRFrs^#?dGH&XT-fmK56 zoMB4aN<(SUJ`T2p6VVUa(ylb=>BL%Q{-Oz$i1zmHgYd=!2GfAd4rA3xDxszv=L8u%S&mbK`)kBJG}B7QZTbh;wq^${I)Rm0dNz#za$m;-_e4vnCOdMQwhJILE`tf z2f=lDoOtw4`;Qh5N;{vld1J0=eCz-6cwEo>CS6<=z9z$+kvE6_(Efw?{a!>A`rIUl z6X7Ws`8Z3+OHw?0a&9vF`a78`+G8U9*T>9Q;e14LoX|ao$&&kd?5zhAH~sNvc`BjO zxcJol{9*6H>6HFoxesAyhnWbE=i8`~tEjS3qod6ED>`mS|;dyPB{K&W#p0m9vFK*rI} z>24ZXuY`}!x1{6ROPgVCs`1uick5`aI}RN8Nj@j)kpQ%+=l-RwkalwnJ0$FLYv8`<;RIYSAQG1TYa4@S)e;a5Ta$mqb& zSi#t&qC|5D4U_TC8DEq;#WW;CKDEGpjvZlU@YLrStVBIMrLHZqcK>;tldFxK{f~w7 z5LC(cFx{F~6aR4KWTmoQ@3X_@pTEZ+>Yi`G?$wyRhAr$^a1+O`a-Pp%lD{e|n@qnL zH;&pwJ-Hzb_N7(LxqN-?6`TnXXIE#`DCMf&W0;(OX^mMN^ls)133E+`{o?+C4?3!|q)D{90Sk z=M?mBim9t$AM4TMeYY#cuKg^gI_F>Ge9@fga;4I=pP9YVzlX`F5tmS<+Ojo2yQEW> zi{xb#N3t&<|68Ss=tuOYvP-Rd{D08~-sw99Id2q=HDk<6i{CBP_ygmwapfuhZl2)a z+#j`6flReSW@T+Q9_zLm#*1R}jXqe16K#eb>2hElHy-EbzL|GP-;dC#{Yw#KFS$=^ zzHbr<*LSffY8irsrC;L})HRVh@0}OJd6_t-0w&*FPZ?2-a<{)PvDqbQc>WZQ3wnDB zw1}?cZq^n>Sh}Bkvv=iMz?%5ZkOp~7PEK!C>NUi4X_(e}0(#<=?@MG8wUZNem*|{T zs%(#zPiv~V>}wrZe;pso3NxW1X?HW^rc#_kU4vCw`KAzmFehpalqu%eTb@X7nIAx< zsr;fGtagd?>Nb?!BF=>2>Bb8(>}pI*yvl3uQi;3NYaiESYK&Z|KBm+bQ`diioV*<- z@*p_VZ=W|)V@f+Ua*sR4wAm3szGYp^^lmKpWc&z1I2TD7ANRwaS$ina znVdp2(*1DIJ3#EovM@-Po;Nq=Yq&C&<7zwt3jK?zh-HGNA;L)3ha!9D0cW{)3ZMy> zt`~y$g2S57M&hV5D4_kP$09&aBPm)FaOAO3nnjYN6aBS`mX5a)z?Czg(G*o816Aou z3#M5NMsG4P^PmWd7skU4D@hK2=U^xnu~NHj6@#*l0q?l+zwdPKiWA)hd!7EaV;dGb ziUKeI!Q+U~kE3Ulx!7|GZhyL6GXTkm6rpm4=4G9JKV=hNc*^;&F4o7?^4Ts$I(%^( zM~ewa`Y&d1e>K<1q%Xtutr^khQYKFn#|RHlef#k$2eeJ4KP8U2S^SQtljCydM$@s5 
zz0HR+X~?EAd|b}onLIzyAb(GL%O7`_-fR~-j?b3gY%e}J>5(dCd=>x4epmj#&i|~m zpFBT^w%Y#(r$4CtKhTlhf8g;H}Z+tL3f9i8%hG(PSgA9ppJb~H3HE=yRY zq{@v>KoKetQQOkKD)?k$Jt|KBacCxu5=Lo z8N~KzLM1P>hCY`>9;q&>ld+CIZMH6R6>dC%HlZX(Ug(^X$W=nGFQZdV$ow;ilb#i4PT=|Vzftc(=sLJ=4dWA`HjS=AXQiqU=$2Bfrup(@`>lL$J3 zM@+(n1WQ|dNi*&h;&QLdW6o4kdXc7R4|V_(ep$hs7vuEH4wCbm+N=A2Wwh+}LJ{n> zDe6eQu{3zG6Z2Qno<}kIVQY??VkwkZrpEUguHB83Yo>^lme@Pd7&VrM&26?(&Vw|m zi6vt*+FcGW-Jq5Q77D!=?u9AjO48|jn9?0RR!Cj6mA}XP4Gbg!6N=qq6|A-ISx+oz zdtH-qVARv>rql3b(vy#a*jv`YERH4E>nxmxGRZc}Tg>GP-;hS3JY!gB`5buZ zRO;NZIGcOZq$EI3zHRPr^ZA6Hv+;-AF}S9cS66gkaUGhuwC)!Q)@i6mUr;IJ$n#dn z%>jB2R!xpN;(9y6+J;><;wsayU3YH3M($r9?b4)Tth1@oBzG)ROyAEVNzIhV1?*c_ zpt^z3%4rfemYz58?ayfvUi*I?exB&kaiTDA@ypWp&cAx#ze?#JN+30-On>YBjvu=M zd&aDbaC<(UEM*Er;TA{Yf3I@4x;L;C4lK+qZ&|`QFAgq`z?P{r_jEC1>k@1avu3@% zOZ73k5&ZE|#yXxd3`r-~9`b~$%Va=u`*X3xEJNOK+}o6cY2;5t(VY}~`bd^cQ7*HV z>ln**A#NtIYYp}OgI2dK&;8E)j-Fq6ar5lrS{wb4H0}&9;W*--ZlA|@zd9Blce(H; zR2NpolQ?P&RhJG&j( z@RV7a#w*JfS9GL-H4cxdj0Ota+CIfeFH(g%a(6;gXyLg`-r&B}X`Jh+2nC;=F{*{- zU=kcsk{pYYrC?%_p3MPevE0(bFRE@+?fDr&c*yosvhP9}* zzItXkNxc_V?&JbeRiiUp=+KbS%qA?Q(tVkip|`a+bjlys#O@E^Pfrk|98&Bo(r%Xz zkZ7hRP;F>>z&7un;-723eKCdlvaAEL+8XpnJ_g`bqgKlurX@CBGjO@ZG0iUt8>tfP z`eVHMHa7c+W5~kis!eZI)Q2T{q{`aP9rk1udyT0Y0gWVj%-gf$Ww76o_3pX-Q3mla zSid9Z)J?I8CkvD^m&^&LJ+6gRktw&hB(QQ2)uiTBw_{O%V8DO;9gCsU+K8f8qw#58 zZ{Dl$`bv&$NeXphYMOKN6$apm&{IdlNuXX?-4ZzNe};H8phB9Y%C?oVX7FA%!RE0d z-hu;+&o!*0hHUr*m2NC|TSXIMvr<@=6BN}lrK~IrT|HVn{qrHfaNsB^Wdf)!@_@GtzSJi# z85gJz3Y!JSfTRe2t788vf`1G~_T;rL8%w93-w}~l#=KK5-%vD*2!jO@ui zUW0rLN|=qeNh|8rmz82I-(sV2?-SOsKu!Gr0Ixt$zlAPS{l-nvAalXCnZIw8d;_i(0Ma5N6y2 z%GUc6-Bcf9Lu30{&|Bxfxx*puYbWG1l$%?6+njke7$aWnztVRY&E}L2z!lx*Znt&g z(b%O9%-i62yPR)vdQJIQ7o+ge$zEpX$j}6aM1H0VJc3w>*o#^hvBW{OcI8N#88FSN zPki;X2fph4_(|`_6}E?Rfu6TpmI5ym?)8@TS+}%uCZBN=sb{hJsB zW00vV?ib2dwB07#32R@9onEmYj8~M(&8<dT_@}AOrs6W*qm7mhfiOtX^JMHRwm9)e z;f?U?mNCH4zhoSk@*kjK($`o?djG7ybXQ6zFs;}8TIZ4tS*R(h=ApR@UNnCrv{3l) 
zDD;9$jk_g}HFdW9dnXQ~1alANlSb9>+<2g@21X*TrW9>Zple3{%}Q>K2B~2j-0yg8 z_9rXSKK!mnVdPCb!DZpW|N77W%Rf4(@$gB5-yQheRGT%=ms;N`b)ZTEw4x?2uJCNM zP{{5*(EJX>*z>illpFl*MvIae=hXK-USK(Y;J6XDgJF zIJ2B>^v%FEh-(9)P}ZU|mT0sKp=lB47W3?^+*;13g&bPMn`K=2Q2dz7i3L136Ze(y zT|UR<@>&6xrJL)C(?bGrajPcTL)5sxC|B@_>e<>Ef@P{=-AXVCXgN5i(R6}d;QW=- zfnV&SWrI~m|DCgr6r;VD8Q-tpkku{Jag9_xr=!Lcs2cfiKwkk}C8KpW4Hdent1_x& zGse!Bra3;{E21ov|ME}&@(=&`umAj?{~HrA2DFA&_n-c&y^_imx(kdB15`%osa&B> zw4<{Szbl0{g-R{0O(TyRoq-$sIl$8K{LBCOztV8hdX1)IHWF5a*6x2RZzso?l}TDV zSQu-2d}RpjQzapWc00=AVCt<(IQB(ZC+tIJO=LfxrL~0`NPpz78nryb@w|ilX7&d8 z%i6@)vXB&Vh~-om%6qJafG_DsuF6}8iW|Z5`k`V_SxUK6+IR}_j*i2WETiZzm!NQr zO82^d_BoIH>xuZk<>iKTkadok(%|>6FvrZMdX;YTA#%*$_%W2VkA^Z9ekl*)&D<(Qf2KGf6CGh-u`OwrQ$Lh{VaK8QKR zzJRc}i@*<je{ga4 z1M2&OS*of6zA9Dg`-A#HK>;*&Nb$L1Jj*UEREVd{fUSIO!FKpsIe@eb^YZRZpq249 z8`jq?k|!0Lns;haVVT()J%OtZixN8J5N4!jC490iMbvJ6f3V)mzS_O4zCT!RXp7v? z7PVT-AVbIFEW-yf{+57zew%{rx*+j1^e)%OQ;sGO}(O5)6N zw$V2Ox4u7E-yh8K;7r_C!gu)`m&24_4P#>idKB{lP|kfAAsh4}R76 z2J2V)zOGmLN-qM={7PTm#lI?VQsEkSiWmGAb#do@uk@8%x@ zzS6g~kjp#uD}5le-dtV=10Pkd8^GXIcoqL9Uh3O2h2PeD1J*=Uw?5lTeOvmiH4{sM zQGPj2R-Jjxf4ML9F~)WTXFJH+RuD5^rjspgm+G?X$=bB!g57%F1-tIn+Isi5c)<>j zLfCP#c+DQAbOdZmo${k*`J6m@3Eo6#!vW#MM-b=m+aNg$j|Hd7GWjJI56{25K9}Ok z{Q$BmUSpm7EZ%fKUwV)7aRu0I-jp*ut(MYt1>{!WY&3W+RAmRHmxvV#O(7Y zzLE}ZKtAwGkGkB}<1W}LPF;{fGVXb!V4R-Tv&z^LRsF+vQ1#`2S0Zsog+LH367BVw zv-kGw$2TX3XMf5G^W&T%_iCdO$u10n0WAr3+zT!@j6co4Q;FAHe)lWj0e_t@JwIQf zxE=A`dG0Jz!KbFtqUk^zh8Ju=WvCV5lGCfb+qBoYx|A>x)VH#i_wZ*` zxB?FUS!TaxTI-7`74FQP!v1BT&X-z;9%>(;v^>Wnn|Gb}Y@qDoVi8yaH*GoMBxOfs z06-76`l(0fQcdj>_xEZa#qP$I(S_8yV4G^d1|?UT=v@ZR^ib4ZC0&npi2|R4 z@lE)_XM5mEgW{^x8phxbW7sorRKewnltyd~qZj+q9maTh9Czm;#GDmHo}i-#dzX9C zN`u9B$qsUt@ZTV8ocm#T>qjeTLG|7hRbjSnco&4JUe$!-4u{Zdk7U)MXYD0ju27Hu z$PgaYoK(xEr2en7Mh8BA|`G7zwtr#ayHfJ0NMkT`ueL;A0ZGv-Rk+CKoV`D}N1q ze*R*mb$)*PR}C7i#uF*fMj0Yzch&KsS#YDsy}KCt<10{?V?Vh_wfz;#7@Iay!)gbZ z8YD~8hPJF7WGgng)&Y?sE|_!0!nSM>w0YY&u*ZPovI6-vM{}h(pTN9YL*rIQjwmOx 
zpVqM^q?;rUn;8YJnXbjA*?ZGOteG81v+5LPfMtqkLYk`ec0NXR&Dd9FO0j9JS|_S3 z_5FN>i7L0$)1(sUM;tg_V2%R$x2D(hsGb+XFO zpRBS}KHMu=W!aIy)6Y+7qmNAOxc-IYr<{Edb4q#vVR1*`515~_;G}QvQ?|wBrz~GO zv!0^Oae7vtn$@Rf`}L_=eQGuz67{K>Sze!-)u(22bXlL8)u(3lshJL^J~gXP&FWLL zs>fdSsoCd0HLGx1R$tHhx~^xH9)HbzJuC0HtIB1B$rC=-T9mu`epj?gj<4z~S~;kts8d{joFTAA(o1n9+5a9R|$3x2o zpbRKKgaVr#yo5u31Ov82=#2bPA59HF%XbIYN^LNs$AjV23&vM;Ofv?x9)>^kZ~P&( z$B$Q-$JGf&{U~75h#dnykxG+xCJrGRQ&Ap4WE|{e*a->JX(6}fh4+9C61c!(^eICBZVAkIE!@WZ^5f?+>Yrr@dgjm!|Sy2v7S86s%!XfF1S>wlP_30+@tx zA}bg)Ks31Dm5;o;y}q^G+1Y75bNiRA&E3vM%iZlhYwfIWukY^q+nsH{ztEA>n!tn~ zv1PbC#b0&Hi9}@N9js;dizdh`3zxKl;Oo z1#^%mQDR5>{U`W}>q35vVaMIz!{KbbTg25r{beW(Y>m6qHK_CRuIq1fcf9S^?k=$M z=3sNPwc`OlZ*~VRu=MWk`tA+^sML$ZT}eGoE@dKE&o zE9HD?G#w_vDNRTE@h{Ub;YSPv1H@r43TR56(+8^Kv5~LC-$Fy+ zpJ3Q>_YYGIGstR~I=8z!JN-?6v(xhXU09|aSgX5TZ>QCLHrUzN-dcAz`}0gF=J0uQ zsl^uFy5rt$6hd31h0KFCk%Pvz2`NjaQ6m7myIPIlbs z$)kdg_Q!#d-M`_8&KTon`=UJdW={5VOFo`^q$)6hM zQD+5pn)zl%ZK=Ns@txydg)6)3o>p_w^T?p4bJ@RBVXJklbMUmL;C|CE+f+Q{b?NDjvcwX%?exqlshiZhABJZ!$EgRj=K7|s_Bk9*aahTqqW=F z>9;oBjqO%{FxYH)ms{)J&gJHI=h@aAs;RWIQeE^E#+BM%!XJP`DON*&#fcETpW`R^ zhlTo{bM;V|UZV6J{DTvKT=y#qnsb6dW+eaPx%`X)4gA-p{K(KQsta>+o^~R>=JfG8 z6u*^rVXG?5UQwIQwLjtS41xFQuUP(xu^%HeNDOi`e&nX9$7SRZ@>_Rnx4TY1CXelW zdf!ydVYkmx$S#-@6`nz{%pNh&Z0inMD!InBa5~YGNRki9u_p2Hy?}ywIXx0SBJRyF z956Pgm5Bg)u^GzOAP>1aNc9v(zKHK8kEc5ZNsmWR=qMB~%&YZp++c_pq9inYmu)_m z^zT{dT;f|Jx7WeoT85}&cs{xlS(k1A*g2D-@5Vk9k&iP$zbE=GI5fnYV}u1E^Ua1V zqI@##4}*d8Ly-J9?Te^(E{!#81{6^(VLQ*AKe*0y|+x0g6b+_B*dD*6!t|-+H#azP;7i z-dbPxJ9F$aY9?rPU+FeYPX=tMn3L7K|9}p0<>o?`Z^cmqG)}!y`u&A-c7x&kJogTR zsy~g~5B>$k=u-%z@K{uSV;B3u_W-fG{P%US_*aXA=sE3BpYmIS>fFnCSJL-)v7zFX z6MD{V&Z~boMD|`Eqkp5q8-Frj{G8`{KS%eTt`ueJ_D~sGe9u zPR=5-FC5bt!f*8M)Mr~hx@tQC4I+L})i&J~VXNKJ_t}kR@jk09&w2$u_6n@>AT35K zQOpg2`c*9_tei?9bw3$F`J}GYhn5HxAI?1&Pv_1dM9Q~fZTnS3Px%IJYqbCsKsW&N zo)aksTku?(4gS9Ix=0n^W}7_B<9ofWYtYt82MblR^-S!tBeq~ApbNDu^BpX0;+enU}X9OQtL6yf|Fc*!;Ik-%+q+FJAcb 
zXP_zqk?*~r%g8fefvQpz-oC;h3hD-au%}?i`sJ*KJp1B~vjMs-@Is$yp-V=<+HWF{ zAXAhx0!$G`sYXzG;TW?@M9^+{N8U@yY~Z+T=$Z%cr4LF0$W;eDYRG!nlW<3> ztzzk><9PUCX%#NqlN z=3^I(i(HK5tc*Z?28Cb4od^QoVG{|JWnut3oyL=35QI~85L&JK^A#Qk_kHwwbJiE| zt-jB75#k3+2-YBNfPW0)pdSqJz8n{!+)uYm?W`^G=ejSU?~Jv!L7bn*YaR%bI0$m@3yu!{S6jf=kD%$t-impwXu2m zY`wG7pVI+WyOy7d8NPV47rztFlI>fevBeNRIXr3|fu!n(A4vel^BBboGF0<@)t}AH zrg*6@x3)SRx7%;+_Aj?vn>(%#i*$RZ)%7};JI{6pJN-*{&P7@;&U$e^=;HiZ+}=%9 zB{@22;Wmy0lD>)0?i%0xt+>V!MdES5@QW4!j+#lsT#&tjeeA0ff>i|6mwiz1U_$v3 zP9AIzbn~F)GA6a`2<0l;!=6UW;qk7|F`n!>#t=;U>4fhGU`c0q#b9=purrtA3y%-T zC0crLfS(U2KJY9A;Y<;{k94N+W%`;~?ApS7&8aWt5nMx`&B=@oJz0ud0Mt%D5bkl? zIUIXF2F?pFFZ(W%1E6MQkE+E)0*RIkz*T*eu`_@&*W)+&$Nnw9+@FM+Q<Q<(V-O-gh4t`;Mr28KZ5Jw86``|l#FLn+`6b*d9!;~Xgz>+KFcW8Qr&6?#d z-x-{}6QF?4Zv4pn317Smcyq4)wX5(IaWL}{6bqsmMB2lNshMQaH{X2Y{D|T1A>$i5 zEdf|;_E%Rs$d5!flnb1zR#%UdLH-}p(;pDtEAmpDBc zM%0gnR#&@9|IUEA(t76t=-N$$il60e9pVN+JfWOT1VBhb0z{zCI0;m%!OibZ8yO>p z+F{BPjL&l8=sU*VRcXpV&_{{Lje<)4D?XePLX?Y87|%YXPbABM4ej4KI$3`9QQII* z{W*|}KXC*cZUARN1MiAef#+qG0^UnTIE|p&BgRj4#WaXgU_%;bJgY5jKaTt5HfK z1rYq#2mJ4Zl#NNB1q$SCD71WGqrSAU55mKQLWRa076G9r<&k!zbLM#UCuR9aEZ1w%v2`=kRb9FU~7UA@#c+=q)8RSqjPhp&QF- zpK8(HYik7#lqL&w(wT!F>=zr}r|w93R6x?ldiPxC8nRn;-v|ECld2jAu9P2V)H$`z6ELyMBm1mTa2w6i z7_`YWnjk&V4ko3S)J}>&qw=nC!dGfxkKB)GYZ%YJVHFFN)H#K36*0@jr|zQVvup9v zmP%!Lq{Mib7{*}Uw4|7Sg*wI5CsjdkGaRaOu+n!C6C2f@03YXidJI%&aT1j`HFwsV`Kt4t%_?mzCfLGMID27N+&eHm@SW8NCdZd0ms)7}YZZ zBM%){tU4W92^SZd)A5s++=Ted61%XKO(Yv7;&@}e-hr&Txd?_yZNSHWCAH9I$f26f|C32&4aJHR$%hK|}2xvd#)!B^0dSy458g1<$faM>Ou6R6mV4m&(ef`Ny<62DI z;%q+9qZ3A)r{x6YTZMdy(G~`y`Y?n+KrT|YJ&C8^a{Y^}a-+!%3;9DYKAJnPK%}X3 z(R6;k_Q(5??@~rS`hy7XnaX=kcua9lwVmxvnNjU=0%@vnYN;RX!Ia{o6NZ~mPgd^1 z=gyO1bXB#h5JWiNIfn>!eLBN_Nfy`zC$g1bTc#NkP8fzD8|0c{P zivUyvj>t>@l?j~gLiWa5kUWMUF*3X74RZPL?DS8|O{Z*VU&gX8#ilWXV4$N)ezsX% zI&h=CliN{qpUhB^W1F=}U%p`3wEyKl{$Ky!|MNdPuftSRH=+z>K#9`m|M;Ku;1Av; zRio`%w>YkDs3L6r>l9&&QSWOJ_821UNe)|6hDcasqy_$zNQ~66=87l`C7uT50+VMw 
zDHiab*HaNZh2hmM6Ds^AGe%H`-IuwHq4iCG!O=V}gPMcX2hNHr+VEnPZ)IFqcK69+ zdylk)AMpPy&TVEdjuxnolcT{ky(bjBm~r!%evkE9FfK?!d{u(+DH)0NO}VOIwFXb~ zrd;k#W0AwJG-Y27+2_vL*UWV#-p^<7C5-UPb(Y$^qB+M`4;vVsZusmL6gywkHh;D_ zV&|SazPy?zZdMJh!`PSa+@^0j^J^h^gF$r7?_>m#@@%$6V}RZ`Gz7sf9Gv((dY{7j zFX=R9KyaHZDVYKiZ{+oTC-O((4JL@IqH`=Zm(=>R!HzrF*=TJ%>v*lrXY1XT+uz=9 zJ?pxDzw36_*S9v9(pjY!iTb`=@od%^>c~pPZ{N(S2q;R>Q&R>ip9q;JH>iMRa z7+Z_9*jxo^S52kTmwRe(uk%QKhpw<=K2qR`D&92|6|}fCxQxQlnLmQ9IPniX-XqAl zu|I4b2}+7JM*%IzBA^9#S&Rg0an?p0ejg96{gF#>L?)vvs5kAm0rxctacyrh8S+Qw zTZepdT0iq=vE#M=Fzm05pf^8SV<2hfu&~YaiBG_oW9!54T#n$2@E|_yZ^skM9D4Nh z{0&eP6(IidJaLCmOAo!g=jZW>s;e-%LlA;uOJ==K`iD;jpkK}UBpVT;BvkuN%EX6R zCSHSec@qFn#%sVfuIDCh7TYCv68teGN_V~6ZLN3k|0faM)wMK1mLci@v%*kUQc12* zX}Qr{PUp0J%5S7fJeQli^|F}R)^gLqLmhsH&mcY4IP^LMcDVsR7Sb=lh=C+Y;KzVp zhJsK5-!hB>y6=M{`0HN<=%4(%-fTSmtuqX-!tbF7*JE$*muci*obuUj$2V8sI!bRn zQgFpkF++qGu$Rn|(0oQs&4)`_8~W2=NVyPrB8fPFMd>?qm74iVTQU^|VyI=7K!;i8 zr8Wm7y*n0{as^tbNQbx1T{y+gu0nw0Pe2>Lp`^lGUsfG)V^3({W1gFWDbREY*>?xm zO6?}URvYk3#A83k;ScGGptwoRESX@`kGKH9jsc%YrAhl+eDu;qsUE-dCm8WK9>ARU zPVWHZh~FiA_nuXQU1bb^hEYjf&hLjKuq|RSt(JORg!DRXkRabWWEG{XlMDgi(?4nDxv@Kb?+5Ow}&7g2IS^KwH(iPo=$dSz>hg*oj?C5YOF z&(taD&kDX9_*k*6<~)L3wEd|-t}k(CpB%NRO=5#iYit=ehkhJ|-gHoepjk14XK;_U zGwesA73Vj>UUEI%N5$uO3VSV1am=dt8?E(CtBRkh_Lh+d(CFpB+3ISPSfZDC1tF{^ zK}%H88#1vPzZvVoaOoZSBM|M>;#!H)Uze*=3G9j-69u27FR)R>+_UwCaPk(HGP&>5 zk>!~qrWsPCMevMCLeEQeb>_(Cb0V}-X9Kj-ZH+%+%N~oVGj}avldF3s`_fLG>}?k} zP1;0RS-ggc-xv?A!R!sgyOF|rq>6r{i+HhCb0nj&Sh~g2La*otEG4Ub3fhcDvqAtNU!Qv$4Ik?r!$ynNZ6Sjxnj+NHSqRd5W^;#+~t%e;V``QBU>pCuy%(-I*G!6_W18I zm?qn-(OhoIoBjEwq%Er5Q~8NSdS}NyP!FmEKH48TV_w7!M?V3}_Juj&Gd*R(iqbjk zIV{W51zr}w30+A-`Rl5KzED%dw1ac_~Y}@$jSDjO?{@frkxvDQ)@Cny%PRB zH4b6O--k<72-P@+wRk9Q(V#DuW9(hc%`|3nX!U zBKDf5f;oOCoGxH0JI(CS(qB91C3%I~kqHmE@D(0R{WK15$Bx|HW(6()${kmvtr8va z;h_1Mqpm)#YTDW9T)N$zZp&R??}CMK*=f1n*0Yv(+27grE;l;6oBkZC={`kp_!pc! 
zs^Up6CM)JQ)j#BEq5IP$0dByM#%q7@0ST7ehQM=z%4ynp79_$WMr@iaT6<_cQU~ui z6aGqahsBVv2y%4$;SF1;3l$U!&&XtF z59#`Fcm4JC-Ce)6<@Y)RN5gnRRfOGap zRg*gWisGL4=V_d<18i8XPJ~U^sWix+u`~94k4~*|oEZ3xN4(;7Brggl9Rq-kqf6%Onw1>p)v&%quux?l|8=IY-olEz!^~^)j3i+194NwZMTN{QEb~zjY`G*4cY0pYF_zA9-=_rFEbx_TBBl_Kvr^-rDVM^;?^R zjX}%Z*?89SHwON|+uYghcfAE-eMB^< z02=|0LJuQ!Xx?IHWzU06>x8aQH=QH33{(K$Pi}pmNiOtfA`<%JrmL%m{QbKG-)-a1 z2%h3iZS{Rl95IWj@aXrEdxvP^OK+HFAJgh0EBWHBQhGF$HfizK4{r}&;*}Qm$lEwh zeAg3CywQ}%n%_?;3=himp^|WRS>iIxYZUV*y~$}yDGG>K;u$-DDJIEDfw$XjM;$+H zDHwM(CGQJeQHO0ci30BS<={A^wu6&53L}~1StV1`nGAh5_L&oz+R5E&brlsBYxobn zBc^5km$8c223sPkZ5?mvi3ZzoOvvJ14|^Veflq%!5byVk*HPJ+l&w@iuC#e|&DC+Q zj0iJ^Pszo96}rRNBnW<#FFi`i2lU7<*iuMP=YxNj2Bc}~0o}OL^@wnc0lp(pDP!&S zl-lu8$g)PIjg)u8_`}7wXx1Rp<0}oGa|cr%qgmsuAj6>+5;LYs00gWkR-@6zWPBMc z31T0YHNC})@@7Pt{BhRR!od`g^*zC~fTuDD9>X^XNtlgbZPRMHbpaKy2GJtKpg)&_ z3k5fkiYS&XrNjT1fB4_AJ}Lt+h{=>xWmunq=krG&0e$?7q3^8tH-MZv18E_SSWUq% zYfT~-SQj)6eti$G$@w?o@CGXd_;e@Ya~VW1#K@;L$ex%6ap7N0hi)YFL|hy`sw{4F zXDld#XTSttsnbv_T!*HLsm?NqAU;WHBE=MYFzSg#5QFrEYmzm_+ydrz*ddqyKt~)I z%n+{gap=4~OxLxBzT8tZfK9rHNSn%K0OatMx4&5!rl7VaW7*|lvx}Ca)5r^bCTU=a zkeRFy3T6lId*Ax*ha6=b*bg7dM{^3Iu#fkLE}SS<(MCH$y=fAfv= zx6=URJxU6E)E1{25s|z?hL_spC3^@~R^Xz6F%xdoM7==n%>3nR(mPmc9=Ar`mXBZYHkURDxkcBaEN(wu@ zbSfJpCMt%cj^$(CG(&PMf5c&vyh-16z};%^)hkrCy>LW+D*YC06vE82A_3=w}|U(wKoh z2LD3e{y3gSTuz60M;Znx=lzUi9JF&;OQC9xWim?`QH-OZv_hnfh6C8_NoxXAJi_~e zNGyX=vV#<3Qa~vaCv@|{$M?A5D=1Qlm=x|ik(1DLUi$s%l}dpFLKFLdT}hohH%+|2 za3uyeSz1LD-3?sIiOmo8OgSu3UnrHSNYiAR zlx$=jX`jAv4BKB@+5tU3&X`k5;}~}Xn5`t7D43`>?Af%^)%o6|(=Bi^oBS!>ro$epT;rwf{FaoeE5SFrOXZh%6`bT0zX*aZ zG`{6B^(`x<%=BV*QB_4!8C#8J#-duMTh_o;mp)yXLFEj$H6b!YHdvswBsF^gidRT8 z?TR(X6+g8Fdy7UkQA#+s2up|8ka`@mlcfYTjq!9CB*gH@my&6K%16IXfS{mupbnkD z!eBWsbNSz{qE%o<(qU69wdSN+=t{Htq_P+>e~%8xNSx=84eX#1Y(Yk?e*ET`nBnkf z@7U=1x#QDKCg3!X8G!lm5KS61X!oYbkcp7dirW6~Y_p{DXvlOOIhp}efXJUgC7MqS zlRzbbNk=4mo)fN|++4CLo$&RB%8vp!z0oDc1ZI_w;%Hx{^2k^$d%(AMBfJ>~V_$>0 
zdozKRi+MHfQYa(XM4gwUY#}K_nB!Y6gtBv$B6Kpv6enhnFTf)A_QT2DS%^n7V-Np( z;(Gy@C3t6sgZUfap)p7%1VS?|KZtymhG`)h;s!NA;qj6yj?9^+658;22>-$%^W{HI zJ}K_8)DSsL*E?*%59)$Zl2UT3GhNVmo)TrhmYZ~{RWA#vhEH(eT$WK$g5B%o6hf$}p^daQIQF6R8ZX?sW@2}Do$n||z1Xz!~+V-OCfqwx_w_e-rK zk?)mB?u0*}*~CcA%cQU=n}CZ91usmxXW@6{hc^?p`SG0zAn{AFF6`5Mdm)N{Pt{pH zOa+8sogO%I{Kdcu^`5Rt019(;k4`&kfl?baUzR1K7A5- zC$$`p_zf1oK2PQIec%s0otE-3Qc>3Vr0tU+W&f55=xQf;tE-AM(H0X}*5rVYJg01O zvDo5PB0RPtmpd7x4cz`rdlPmrxf!+f*LFw%O)#<+1O5mQ5M?^_$Zm(t5I^6gkMguB z12NKt*iD9Rj4@ZS3M$pK06}u6FcXg(HL%0G& zJcoUE@Bz%jnCJ1pC<<7(0oZH~E<;ca@l^8VQM=tXj%3qliJ9~(dFWeFxB62io?M#d zNI3@XQIso%?;MTs9GNJ3ro%AeD>aiKV^o~w^i8LXCq?01lW&>JK2@WpG5M%}KINR^<00-jcru#?{pRWPf2Bk{#M?iXhg! zM;?j?R6jxTkWY|s7%BTJ)6S!+%ij4hK+XR~jfK(WGhjN)_6**Go-k1`{_(H>{9pd* zU;g1A|Mj2$^M9jCnWst{M)iOCudH6C`-YRbi(*!3W^k+Uq{*URG|8R2rt-Xr`tFHo zvg9OOf1EVxP1G*}Pq#**@b(odb*LfWH9e?w84MHkG3R?GU%&qri}%w=XCUt>SniCu zfoZ)vKrI-oyvyHUn)w^XdvS~G=-`w`CBw$+!XCZC_ig@F+q!XYR=@wMd{8&(eU?89 zOZoO&wyneFO=ktRZ5#-AK$r6LeY~mD1DvKtRzY-d^cI)Fye;QG$6vm;-0(P?tk`UNu7I}AF`S;)W?P}l!BanXl7d4&nF zB`42pV=Ok*T`azCCIGd}B6t+DL>%U_Fi?ldvjv+ZA@?W?YlC7s&`i#lpO0^2*iHfL zmPV0N!Aix|RfjMh=lK-0lWtC;6@G}FiQ)`NdNi1J&u&$*!$o<#jiFE!8pq+YV{uT_>LhLM&j`KOg}bH!-jIE20e^ouDvjg zZcIDING?1;Ao^g`9LE4yMIYk-`2XTd$tQZSo96If@nV<@Gz6&>4DWbAh0f7U8C#JP z$ikwtaAxUpH6LL5U{(rBv>1isAmMLx@w0Yrl9Sim9s0lw6qc9PV8UCR=e8Wz14~~& zwihA3tO4-O9e<1qwt4^v!X^k={B^*+ici8dgA8l;%gm{S{ATQYKRrsQ4eHvUt_|wi zpso$->efh^LEU6WQOpwgmFdMl`D~BLaJqJIg%FwIe{TSv*`WWL>}~w|dTmcdL7Lg= zR+_P|bD!Q@nA!cb*T7>L?Tc6~_XaSN_WLkSgAV*}Kb+jnu+DW!QDojfs(*oBb6m7z zf!Vltfd(&}p_Lm(%ruTkGr?P=Ps7Jx3qS&cHfHyee2&zD{Sl1nJhY*jA3{=;Ypyjw;A%jl_YHV)f@@6AK`ww&u_+$5X(5hd-xHG zy0ZltJZi*exefSKogKBKqjq%Ej*i;V@xVsjy$z>(1E?Jx=a1p&NbdyHj*i;VQBggA z;*Ji@&oIaE=DEP9=DO36lDW0SJvz;w@JJpQsa!MlG0*w3*zRX?@06R`E$2Ywk8m;3 zQ6}{QS@gzzc0KEYxQ6e5Zo?cQs_~EY{g0SkAmS<4)vLd4fyFC%lVTdXSL9wA`*d@W z8OUTCrxtV|Q^)87kas8$?W+JYB9Up$oKb22V{!Eu6KH${9%7gVVCB26K}1B1%* z7o`b0B;rSkQ)Q4|mC*b+oUxS5cW3lYCyQ9TXnp+n(OEfSqq+_z(xpP)C`NktE4~{K 
zu3?YIw$^NZYf9sYy>9v(^BJ_bQ?iLFhlmeNGe9Vv+g$*n)E0Rv%49|aJ;Tfc6AS0# zM~l>QRwxz>-Ne@}taH2@iC4LlrnoH+0~d3l*~YUs95SKDnAI_I)8H7g(Mh7AD&k0F znE7m2N!kdv3$Yl3SjMtZUIH*!8S>1dtE?)K7sQUD(p`GbjXOPkFBP+xJcG$V%Bz_U zny$1lGp*_1rAE)kJYkuoE%?#ekLc!@9G{@z;&nYmK-nDBajMjue^$R}&N;$jcm7oI zP%@;5JNtq>uv4h9aZ*T-4}zQzIZDKw7Ts*_TT~utyll0T?et_^x$@Z$)Az$FtgRKe zUo|r8KHMweTQuEQY{m+mPKO@A1kRN>=3g!6;Mo0fN#}B(D^)Yx*=h4@H@?8rD)Kw2 zyDt%+2${D-o^#)7p0}8lD$>>O{`Y^>tB4NaByCUAzQC#ekhW*X{ zGk4qdS{pkZx3#(BZMSxJH+EY6%V&fBPN&=7e74E>v`Q}$^^^lS*4;(O&Zi_bi!^8; z4nSc%V8$+FlIo@+a$bgIEtT$EFcXQ(V;i(1XJBuTP5@jsHYI8b)r|*=Kt;az z%ugmwg5fYucl8DJp)LdEIIHDsEF{EeZEd#2bMW!WEuGm0@T4^-9tK&UVu)CYU+J$; z)mA$l{^2@bpLG%Q{j+!p8|oEe!kepNrVxZuF$;wuaqNO>UI-+umxaMdP}rQRWLv)J zBc=9-Zd^hJrJ|*OH^w(s!m%})N0y!v@WR$XaOtc#>C1nPZ74dthVut{&#<+zz3nxc zk!wot294Vd_hQ4UhM7mA^25M(8eX%lSGzFHP8@yV)> zGnZJ*)bbyqfX7D7akMYhA!c|!)~P;ri!Zp@alxY;Od5Z}P+-nZ?>ktB<~AK?5$u4WC1bQRfGUbI7a`Nw5eg<3l`y%p_(Y(+PZhLS8?tp|*zUN~n|mIp#&jV)|a{F>0o>G5a;x&gmI zRtn8(?uI97p$EX?O^a~2qpKgORDg5!C_+7!Uw{y0+xhTs*oBz4(~3a?0NC0ep$(V3 z;oB^j*kwH{M|qwumh5(9rODy%X>r~(TaEZ3Q;wG+f($laFMG|?Wcdn<&R(SXaee~A ziNLIMJ?%+n34pPPOlqdq(_ zZ?)xFqyn8`h+#5K7Ec&qxAbmbrQnRw90ce??uOnv2i$_-1pY_@iYQdMTq?w>&d-w)?{Yja6bi=Cnr6;{U}0p2=3hQz_iV66 zFMFs?@AaNsBeDUCD$zk`Yc+vVfK;Bo!y}F-i{u(<_%1h4()~u|m0F;pkkx;;+=}$& zK5{SiJB_^>rQ0aoM(H+6w^6!=($!Soi^+HlY=olwv<+}{RVX_Anf!}vGAHjRb6ixK zt%{$*Bjky4#e`PT)$ubk0=I=6*;xdr$DSO6B=;O5BSC)QDke`@?JsWL`` z2ig_R53o0@_`-(>VMk0Y#kj+m^YRUvczI`F^$H~fC9TtWJqEs3&D)F6=>048czIo078rtEo>M70~OX%$AdL0AW?KKLy$512&7Ek zQz2J)9)P5|(JW+5fCkcLPaS!eXI$bI*CGS&Wf6k=%??tCH+6`?<&2*k9H^Thytk7i z;n(a!$YS@CY+rn%Zvp#V0C8-gYi|t;ut6Xjf=(h|#KIe{2q%!}V-iP1Gm3mOl!C0Hy&0VhkvgRyyu{aInI*(Gnyo{8-Gr|uzCK(z@pZVR z#J7XC0WUSs${`Wk5W;)AOWVm8+trLHZ<7FGdtD;itnv+G5ZMb)C-ChrlZVjO*IQ{* zcUW6jsGb%9g!Q?U4z=nY#2~8=nod<8pdwNIG5P>8?d>h8>I>#;Wc4-)p{vg&w+ZVT z#-ywdoKgPG`p3I>7AocP=#_!+Ys=kDsDGrS0wE)kS{N`Q)sBO`P(hge};< zaW~kC$mD23{wZn0Km5GRSXt-oXQah84~Fe&E{i=k#|I7_ zRWl6Dj}EN!y{K?N7nvsuh2=Nz7g0xC=ZK@?^6RTeOnwoq`H7)EW24_z84I#n5q_Y$ 
zsQ=4<`wv{wtM*$Fu{*1?!$SZ67}j6I-{bo0{pk*2AK#Feih~-R+@mxflEN-gCqp`+ z)l+TbsE1lyUpx}=aq+ttI<}t62&#G`)S-lFZNB0=u?^L8PY_9>6Rk5b4+st$g zC4zqEM$O)5sLK|9gHw{mV@Meb%{O*frseXp_#Vp|A6pTOUiNL3pKF(Xcz!3}HtAS3 z3o8p}+)F)?*Q@0N*6)y`!&^RlQ@~@QrQZO7g7RX{9&rcWWY?4=AJud57Bf7l)ePCroPp1VN zsvNG}-r^c+*t|)v7ZY5MpxL_nSlj>>8ralTH;H+xV(*ue`TK9O#Vh_DW2MJRq4|0h zp+oD*h)T-PJISsdHt+IQRRq);T6ibcom1KQ-MO&ifBm#kw*8xZcqm^MamnaAbOT|L~q{oT4owMm1`8`dW8);F$={zU^@ zYE9dqw)<&Dwb{=wqBmVdCRp!o#?Ud@qEWkz+HKTsqjnp$+o;`7M(s9*ckIGDh85vj z;o@?Vrt(f>sWg^KW2rQjN@J;f_LfRht*CmocH_bQRV&i;W>nNJkx~(n6!eiMtRttG zjY_Q7!6QF^#*;7Z}6>TU9HPj-*=UEl0DS&W? z1rU^%M`+pFj zYC1q0By_;g>E;d7SBL0B2A{W^e{&Jc@5NGEuMh)y^<0ZUH9JSSlxG}C)1D@7fX z>9&dXG=MOAn8{&>C}0K|^jRU7U)pgosMS`)A=1gYFKWPpPry;3x3lr>R5M)FERJ z<^EES#EF#nZSFb8b8+H9w0G5ox|FIHPxS4po;u>Wa;AF3Q#{n;gW5B>%{AOT!7({< zMI1*G))lOfbM!gka&F376^}}MFww;0VJOse%Ui)C{^4EF7}RF-hWvB+F$oe2<(2u+tyM zlj#yu1jq<)r%dS6JYACF^p=;&5?+8BNv2aYoZ#O%EY*jU%=n%sAOrFVn0#0XEz?RO zVsikS5ZLh3LG~jzbD$YaX9`9^iD9f< z(UG<}qpyqowcSw;L~H1V6au8I{~M5}3s_lhX;gu-n!BNbE<1bvvWh;~#(jEnaz*d& z3s9F!(07wLInAy?d|#&1X+*WFIW!sadQw6|4ztyCgtxD$ zk(pe<0{%Feq2%CjX{#}YfJP%4tEBex4*8lIAfVxIBKjJ~(z6ewCfg}ca|xUU#N6MA z5}Gy@x9&m%Z>ShWQ+2Br(RE(91=Z2xbQvunMuf1Wm%7qg#~jc>+}a{A6Jx94RDjs1 zU7!Q5r7VqQs%=yhdT-FMFd*NFabb)QOmCaqA$jSpA$2un_q)?-K(*w-W`uAf4jOS# zwP7Dr96a2XE~_-6ZE^AoD>h;YsSvRZWdGO;j%-22rBg=O=v~@Ki1xj=y5LFgpq6iL_W6Hxg@ya0$*GSuK<}2m>MBR!4_7DcsgBcp6Z9tQBOI1Wu_ax3QaY9~uVj@4mu^FbTLr7y+n645W4m{;9(9&aw3e>NA+ z`}cI=Tz)h0G@DL_H{>bom(?;GXN&8EWk{+s==0i_%}>T;dmG_>!{G7cjqPo`Q=W>_ z3`<~Pl0YlGf;J>eJd+xy3xZd(lIb+NPDlLSH-G^Fn9Q!G=~KMB4vaXNW7uq%#34Xp&yTxPW-FfOas&r{r?Eyvm>M?n0Zzd`ImF z;GbRjEAH;~ck^_(S^yXBW@FfrDL#wUGrov1?3h`6g)2Ep^H?AiQ#@lnG1x1AgL65` z5C-hC>F9bg;$fWa?UOmb$pyTyz0IDAcV|Obv&AGM?c%$?&sLIG5ZPIV$pb9uH5ZAk zNHJVan^^Fg)BD)*3fGus4+vgGGzsP?z=B>ezNMJ}OB~|$c+6pKvx5?tD=7fSyNqH0 zSiBjNx^#vMl|#yhO~zx`*Qk7WIxKR-V44lzOTM%S)cJ@Bq#(rP>?Vi(9OLd?p!_Nz zR3zXXlkqsG3VtyeKr`49Q;_jd`FvRh3tp~G6OaV+hzwRsIv%GgxlD4d;6?=0+JfMb 
zm+CRbYqdOmMJ1=?1|3lBB!fJgt}yw1nk;C1?go|=6d+!zRVzyqP|DT;Ih5wUC_c5g zr(5Kn+b{ZSjSqojH0g$nk=Iy`3{1#iO1g-2brdremYYfyC%X{${>$e5%j;DDRp~E7#7_oH`9bKhZF<4-xFDdbW%jOp_YnT?zwxoE|j^ypjGx+Cl zadU+XvvdBDqyT9cZY=)?j|9GbefACbdNnV>VQy(U5=O=uaOgLbLFJt|^3mi5amUIx zV{RXn9>$mVl_Lo!S^6O5{kYS*8NxG=e%d`C<+YQS8dr79Lr2UN#H8Z|;S39Y{;%;Q zQYCDGfBI{BieIr@h1t1z*qEyrqFuy{oa8UkaRMk*peCAG0JyL!@9rr+rVBmji2fsw zTG$}$rox{`1)|0MSak0%|Mg#UZ@y$&Hq5Q9+8v5Gy-@<0Ef+dE<>Ya8aRFuu=;dTK zS$@q;=+kuZEo%145&V5CMmm|VKT@G@#Ym@khug6%{!cfOvZePSa&J9lc4D z;Ux`=l`gQiqcz4?!{ON~zXFFQTjgR89*=}ZRk{1+BL;&Bn*bJMsKC+N&l&-|_sRH1 zmoMdz?e+m6C59E#F6rslUs7&GvU-cPg(J5Bje=Lk-4ZDp*^_oWl90-8Z`c)*x z*Ely1?A%OmnS2?r6-pMvOviLLGn0rzjb0^KM1SV7K%v%vHWK=fW5!*!*0>+Ar}hs^_o)7sD82 zV_rrD)Xg~>#z5wsi@VMibSD7ct4h+%vqmE|8mZApjYeuT(l1sc`SaI>>-tMdTd(rG z9b~uGn*?OBm#IyMj&Uhc4&u%|Z#J6ceOC5+R@+C!Th;|w{A0%4%y*7k zulUCruJGO~>IP;O@Vg~V9e4G%D>n?xv|`>@M^D z^piG5MLN7!V25b{b%JX?x2x^rAIIsg*}yGF3yqxe!EWQ<-lc5|yR(RacNdfbW&5$v zB$&BF`qA@jvz_B~yQ+a4)31uTfmgE_ilLT?ryPnorn}~dc}}`zcDbucDXaP9k6@e? 
z>ZQ~zmqKdROCkN)78)f5V~IYm-pb8}Wf(LYwrn2|cYzsmtLV&Tm=P>*@BG|X#^z(I z{o-PcrOk`Y)?pYlTSsRir_-#-%rNHAJHwlEi8SdSJ~_WJtaatbj$stmo(c!T^fj@i#9cQh>wWSv9a&k1hOrOFb@) z)CD3bo2$=4ix{5%QE2%r1W&oy9EeIt1xyQlB&q=s#V|}oV}YlLG%76RlK>or;IJ_i zP)z*H_5!dMgAXHc^*DaRA=;rAwXy<;d z(a+Z)fQBAzV$;zxhDpm(Xo8*|NDi7hwOANQ-CYGmoo_XQdfo@n)2(=Ia=J$_saXa~ z5Yr9EO-sMF52k4e2#vP>Rwj+h+J(`&#DH0&IAnfOQFm=2)!YzJ(PG?pIjW;C{ht%@1qWU0d3{bS>$rZpGTMHtVhx zb;twPhK>}l78=Y_+J~Q6hY{J)Pf*u!tgXoEdKo}ZN8rLHqyx4|K`#_Rx=ozOuSGls zz)wZlrj(potF`DV`v(zNjaEhJB3wVo6-=-Fg2D6fa;_@y;%y=#7TyN>1T~-4+ujiy z@U{&WmNh|8ndj}|*ugd0Du#7-+HzEo^{nHXRb&~o>yk>ctVP|+EzRjn6Yi#B%E2(M zL-dcg4zNDwrV#Kw7Xo&P1zRMPii1i~P$dRJML_8G58C<_+kTxbAF|y`w|dw%H@0|F z2KloogS_u7Epunpkl(O^k}p_YR@~v^3^zD25^rHn+oJO4JX`Xbt#)b2^Uc;v=9N5= zT3AIB90_vv>g}nhB8z?n)&mt=MO1XwYk;y+%U0p!L={@bcJ)dpC!%69D@Y2%u?ZQ) zO>uwH*$Hd@jZpzt&2gLJfi+vPwM`1z4oMI}!yAeUXuY{sfi+QhVWCjM>NMLGNGUQJ z8URfvrznG(t(N%&JOEm1RjUxYL*62;Sk9ST!e%AF=kLvW*#xkdEXfSFvMB639KzZx z>4?)bc~7uT=wikp>J)2=mu{$dX}zp{#+OV0Q1j%YDd8hh`>b4nfN1le-HG9i$_M{Tr9j#6!n)knEz3et%CMv-ak*eCLX$kCY3;fG z%0Jit{6GHh|Ngh@P1k_)U;fovK(>nP6(`qV33+*pn&N1S3wCL07OCj1a*0TOZn+gocgbxG`4}75vIGY zG2yOybcd|4ne7Kt1e$%e{9rHay)lHp=!n4~zo-HcMgDdWd#!R1x=j~H7$u%IwmAF$w&7{_Q&SNEY6IpBKvG!+MM@PjZR!mG7#1J=&06=M};8m=;+7{ zvD0E)F9V3-U{8xE4$ua1958eud3EEhZsusr;cerfrMs=`&dKKPn{4W<#WkhMM}Nye z*Y3?FgZsT?U1qN8F#!5jQ;lq4r$z6sN#BA$StWJjW$0%tSs%ZB)%C0?0g1r|~PX#3B$NAibgAy^VPo8t3!te0Z78653yU z|Mp_Cyj%_FXKy8>-Q%mPDd)-fgmX*$2jCVw+|PFh(`>LiOLCyfE(1wf319B81NEO_ z>&zcTfBjda@J9sQA3Y_H+B+?06UM_QBW&~i2cRx)$Nb4-$*ylw(d6;g4^9v;_w*uL z+#m=+sYk_jKbsGJE&%$e*q$CFAVf*1o!4qto!Gl-7X;Ub$p|ps1r|z1pkeIUK1!}8 z-zlPWTAfbZYUBUV0D%>BbV2^1)B$EeiK}FWMy1DF(POoyJAy6bJRe8A_hYfL@#Bb0 zVOefKUlx4kGTHK>zpjZU&zU-i62``WpXvgUWN64YO&!17raXM8TcE zNU!ix!W=(VeZ;=(yYqU0O7{C7ShMHZd=5XeMMYcAq$e}{o~&3CM?1dnkJ>x1?SDh4 zepKtN2qkICmK>zCSo9?qfNxUxd-5SYO_rB+AW+ft8po{Cz=0iQc~x_K&M8zV!5~ zlpuN^zEWq@z}4p4-D#PI>um(P==<9ex&DaTArkANxrZG(@!Wwohkm-qMyp}j1d9!= zc}{N8w}w6vy*R%K_LBSQHa0k)r*NclHAmY9@5Zg3(*{?zw*wOa8c)=5wYml+9!)dm 
zQ#lurPB#`!%#KW~=C9|bFnshq4HDtBl}q$wq5k%{Xt>o^B0PKg2Re99?kHk_z-MCW=n8mTAKRTpxUI>C=5{21p{=?U{8z&iIpoV zE#WikDw93gnI&^T8PC9X64aSghq8D1Zl~2gWGu7`i#N?~W*X;FOY{p(@nM_A13*V&XQbTCNxvvGPwfLj-Ee&y1}YE5`3yI+3#^ zYMy)mhX%Lo4mr+QmdUlo(Ssz1nPe=*gt4mR)R(}i>%OHh`eB|7G<;KSmY7j6Zg z3RX0(2P+2U95i83+3x;fr`_Hk#-qbdFYcwo{W$4%_TzSXFzTm=JwArjps{rJoTwKZr51B4!v)ACkIGN^@${RfW(%0i486NJXgKm7-J{ZKkq`ManhQnSw8uweH zgK=-Kz29GBJ!FcOT7)yei^%6f3AH@iSFOuWczh~GKgUP#R~y|@dg6+I36Un=eh+`) z>fnLqPk0J@PGPVF6ZYe&e2m#){GXA0$fjM^7S`lk4I-X;#`s+({#7}ItEoJM6RnX* z1alww1b$He#P^&x8KHq;snPl4(y>Q%!C>;(0p0N`S1%dh!TFgu%*4#vqi-cMScxVLw>A0G~Y_dCfrIXu`)#>3W_9eJkH z>38yE(>M)9uI`7A)uJUNW6I=1fT5oY%HRsc{K_*~Mm-t($(JM@x84 zTr|SaT~L-H{vCtGl`qj=8tN8dOju$T8gmJC7`UsT{Dh1i=YUNot-e1b%i$#jhr3ML zuFxBQQ&W`w<5f1FfFl8&WE*LY%BvtT8gMh%7%6&6OJ;St~o z1dsi0_;X&t;>iS70`%Soj0=jVTSnE7zx>PpgW2sTG>D^Dp`gRkJ0_G2QwDmT0-xnz zj*zPbm<{kg<)t|U{Ewzk1uPDAXg5}+0*x_P`soVD!)>!8dixg3Ibp0xfQlPfJ zzeLUurvb_PWM`J|nh>N}ge`x-gNP@LRp_nsVg7;2qRGV^81I|OB41)rs>SFCWzkl# z-~_+S{Oap7)3n3znsB)TJ#*HKfyFf;zk<#F#GHHK=JrXBTNRuA#La-8trlv3(RPOB zQLR;2fO6E6Eo5vp7uk$o2d0hQF}7p(ZP6mHyl?xG+qSgEj1Xzu&?O+kF%n8IP9@Op zuti3A!Apq+8FXBv$Vk9G>=tfHZ{U72NvEUVC5BTYmFHjmk*EiTOo33W_SIF!dwld1YSe|13w2hk>leS6$ zXlrhC?#KtP>ETK)Y9%wJ#VDlVbFoOSE(?@X3%1Oz0!Zj4-w=AGi?s-N zZ)BnKyi68LlLA9}d;T>>=Xq(4r=1pSOoOL?n2eSTgI?b>W3`eXjj;dhguVLEJj#Y_ zh4F_c9!~+i+!zl*ixjSk#R78e8qs1kqaoT0ZDNRyxY07>;euR#on|>MG=3wfYHDlqe!wuzE@;e~-~LQTMg*H(OvDKE zkV{q!UGrpm1j>g6BCh82OL{a+j#Z)YUM9?qCK>4p9v!JLHA-i&6p9 zI8UC!Si7+}{N`f!E>DhIt%J^fchruPR=XSbMhAQGVcLOz9Ui9r_I^J(=raiuG|Jqo zezdKi1iE(n%ys5C13sECemK{ZRmLUCV+v!GPI1H2oj@N%>zT5fwq!qoxKF9|CM#Z< zW{oJQM;~G>wiGtrFnuS=!0|o#_?-WFto>U)vr2q$a0$11?8D?l`=$jmK9nN)o*xW7 zeF{)meF@Lm^QahJ*ZV~qHFWfY{7!o?>ZQGYyw@Klac^)qh?Dl=FmCVfkM;)L{n0^d ze~mrF?nJRvYUfVkGt*F=|FKihjnUlPl**WQ(I`u$#NJxmX~ zqyDfPx5mQ(UQAEpK__X&<6(C^?)8$^pw(N0H5nb<;+=7r_O4;dyJboR*b=*H$OmOe z^Qz3%WID|^FOPj!We%E{*d}?mnsql75fZJR`1b-{s1c?LuZi~ZCH`lN&^xGxOvY80 zb?|<&wJY8t*FP;m(KS2ia*sAwYfwI%-PSjTYN-m=>tK(_WHNrjXbd>hTWr?Y{wj#z 
z=1`{6n{P#C@2$f4lHb|LYV88XFANXP6n(0&hru;c6o=+`ZU$#r%$P#L6le1ZvA)e= z?vF?X`?P_@{KbDym8Vs-5RA=Mi~*v4ti0v&EeMN@-yXlWh~64eJCHc5Wcr+5GNmwX z8@p?Fc>FbQ`vM#8BJqV1#AB`cZZ!Q=Nc5)6TT|w3lV#qz_gd!7 z#mXD4^7dJz+J7YV+gdyAlKO3)svP0v+dKg7t9qNe2nDHCa+El`fPVspY1Hg((%lmJ6?gK{W81wWmReG6*e0A9ICY0NYTFQ z?i~r>fvdC$JlAy{RrxE^eMAr!==fp%uY}|iV6K$lmww>|ty^VWSIPhK5C4femH=SF zKJ4zT3dXh$cPL>Nz~>}i!o+fn8q&Zhy*YscUQIq^?Azz7ISSh)zP-N8gpVrfktO4C zI^>uaK25=AqL(FG!->7OdU3r6trz!&@MBT%VIedY17?43ZxfT}7L1HJVR2B>h89m& zAdr#~Ua)eMRzud>GGYGWD!J|5<$b9A!*M(9b^GyX-0sA^;XyY(Jlxxl`>l2|=#Tf3 z(cbMVx$&7d1=}9FU|V3V2Q9eoZKL11=pXhD_6Ea2JQ^Gx#=R~U726*T<7BTp=_J(PH zzqP@+7wjRzO4ib+EJQ#F(;1L}hwv%qJ-5;-GJ85@=v|ZEekh|L< z_QhfJEa3YAI(sj(291%Vu)2*RU(FmZ7H~D;o&3$gz+7oTbL;u%RdO zR3>^>W2cba*TqKyLRxfsE_$fJYu_I7rDJJ9MG=;f_3R?z-is(Gl7WFz|)ijG; z)RklC%%Nz@LJ?=@ZI|?uq%+v{Iv#3?pK7c@z51t&>G&)rIy(%~VX{II!6v3-EI6`0 z7tn8*h!Hd#E)zOpI%n8mCiPHoEg;6YaR^?CqpxY9{md28DcbBz8AY}q(pu}X@a@Z7 zQaNuY{oZ-j%I9JWx$K)_z6DDpq4sAn*Cf!C`lu2!=xl#U$r*BZ4cQH%uZ@e~5E@^8 zb5g~ZVtVDdBNQ29l_PE18ttQ^Y!~pu(n(s8H=X1G6Gy5tH==WYAq)dwhN@WwY%bbZFf!Fej#Qiq*ALf4)1|$k6HC1EBsqz(-GrS&1yo9<-McYoLiJ)zn@QF z&7@lgwyl_$N3MM=tZ!Emw+m+re4p#=YbTQqofXo;YKuR2_w7W^B-Dp2EnZ6ow5_v6 z;X2-Xw6T#to0UIdda&RPXt0xDPoOAkilyD|Rh&4|%&nyE(B08#G~``!XiW|2WZ+12 zw>X)?T!)EG_SJReLvwPK-&>2h?^eJoa(<0r_j#gRxb(-XWIkdo1?6g;J{e!5lJy^5 zhZr=L2(sBEo^46Jn~sPUYW{$vL{g=_-+co?4K0$b5EFn$y$kA3tI)ik>>PWuot6T42( zm@$yh!@x|PG!@_xOynM9Ka#=9(fHMwoX0DfA4d5%#WQO862GwqR5m7eVvmP6>F{j# z<|@f^4Dn(E{lNS>n?GLSiK-HHlpZ=_2|dHbyKy-I6bW$MWj0bZCunQ5HH_JO@dbH{ z_fxe;FJX`VaWxrEZwO0{gL&KELFCbx&NBop@0St=dq_XCUDo$hA( znLu@V7?Wf1pyF_-LCIpe>+z@hZINLkvcp#J|!s5-`$0g>436CF~XW9^U2j}%8nP- z0SOK*nPrQ@7Y%`NFReQwbP3pTd<6V8PU)8n(N^`}Ct>F-YB;rMW^yQU)a%6sd37-} zmUm+dM@OKy7kEW#*k!1Ua+&s|B{b-wflAWcUWR7fE7!e3m*2JODXPt9P%(xBLvfP6@6ikNSS{s6U!wV6Bp3V5KD>!b^gcg1N84VD7pH zq*iqqFN_Tq2J?=QH-*8BiF+p16b5rCl%_D4^~W`xrZ5aenZ(*=2qeedX*sf&@aHl2CEgC zuv;0%=rl>|1uuGmP)_j(>+fBB`<7GxEx7x;&kK041Ay1#mw;#fHamMixq`MWV*zDJK-?gYgtuF_Rq-Tm}!np<$O*xbDG+oO`% 
z_>1YSTh+_IH#CuA*LW+lL2HQh!v0&^RDE={8h{+QOcyUqh)!!v-=E(uXVixL^6J@_ z;E`tYi)VO5^YqJI{)?PW(!t91(%M5?@hHLJl(O#ZWx)? zx*;GM?O-3Z#WPtp&NQ9VsDr4KC2kzh9?29C&DB%|%l#fh6w@2TU+san>F{!%!5|nG z!DzH%N)1;$4;E8jCht>Bb(CJfjR==3hFxkH_q zFT*d8krZ1zAy6_F)(7kWvEi~QL5U3WOkfOnFr7TJ=MIdum>1@r&f`_iuwsA5Gp4b3 zak+OfND~i%n$#tTK|=oxmYq4e%C14sU8a}_{ft$uV*H`z`(cuZs1ff@-h6%bmK>j+ zux$o&gqiMUQwfrglU`qtj%8mF%^bef3fXtF_lX?X@(cbl8eXeY>2JM{IRK z`z4Z-9aAKOY_)XMm7~l2XTRVuKuYN`%7!lRQu-+=Rc82?=_aB@XuZUFdp^)m^ zNcGo5s$WE^zdlm_qo+Dy(t6Ua5J`;-FW6@g*j<)(C+-+^@MW;q`dol!LaN6< z=w11}9+$N>%J3@;j!zIg(rz;unCYm9e``+P6YrF00000 z0000103ZMW0OSh*0BvDuZd7G$aBN|8WiD!SZ*EXa1qJ{B000620sw>n007dp00000 D#dF5| literal 0 HcmV?d00001 diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json b/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json index bafc23d5537..86b4bf71ed9 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20Online/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange Online configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)\n\n**Data Connectors:** 1, **Parsers:** 6, **Workbooks:** 4, **Watchlists:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20Online/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange Online configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a 
dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)\n\n**Data Connectors:** 1, **Parsers:** 5, **Workbooks:** 4, **Watchlists:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -67,7 +67,7 @@ "name": "dataconnectors-parser-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The solution installs six (6) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, MESCheckVIP and ExchangeEnvironmentList Kusto Function aliases." + "text": "The solution installs five (5) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, MESCheckVIP and ExchangeEnvironmentList, MESOfficeActivityLogs and MESCompareDataMRA Kusto Function aliases." } }, { diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json b/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json index e06b0e19132..1ead482a520 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json @@ -46,7 +46,7 @@ }, "workbook3-name": { "type": "string", - "defaultValue": "Microsoft Exchange Online Admin Activity", + "defaultValue": "Microsoft Exchange Admin Activity - Online", "minLength": 1, "metadata": { "description": "Name for the workbook" 
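Review bot: The updated `dataconnectors-parser-text` block still tells the installer that a `MESCheckVIP` Kusto Function alias is available, but the mainTemplate.json hunks in this same patch (parserObject3, `@@ -1018`) re-register that parser under the alias `MESCheckOnlineVIP`, so a user following this text will call a function the solution no longer installs. The five aliases the template actually packages appear to be ExchangeConfiguration, ExchangeEnvironmentList, MESCheckOnlineVIP, MESCompareDataMRA and MESOfficeActivityLogs, and the current sentence also reads awkwardly with two "and"s. Suggested text: `The solution installs five (5) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, ExchangeEnvironmentList, MESCheckOnlineVIP, MESCompareDataMRA and MESOfficeActivityLogs Kusto Function aliases.` The `basics.description` hunk above counts the parsers correctly but does not list them, so only this block needs the change.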
@@ -70,12 +70,12 @@ } }, "variables": { - "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-esionline", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Microsoft Exchange Security - Exchange Online", - "_solutionVersion": "3.1.5", + "_solutionVersion": "3.1.6", + "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-esionline", + "_solutionId": "[variables('solutionId')]", "uiConfigId1": "ESI-ExchangeOnlineCollector", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "ESI-ExchangeOnlineCollector", 
@@ -100,32 +100,25 @@ "parserContentId2": "ExchangeEnvironmentList-Parser" }, "parserObject3": { - "_parserName3": "[concat(parameters('workspace'),'/','MESCheckVIP Data Parser')]", - "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckVIP Data Parser')]", - "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCheckVIP-Parser')))]", + "_parserName3": "[concat(parameters('workspace'),'/','MESCheckOnlineVIP Data Parser')]", + "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]", + "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCheckOnlineVIP-Parser')))]", "parserVersion3": "1.0.0", - "parserContentId3": "MESCheckVIP-Parser" + "parserContentId3": "MESCheckOnlineVIP-Parser" }, "parserObject4": { - "_parserName4": "[concat(parameters('workspace'),'/','MESCheckOnlineVIP Data Parser')]", - "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]", - "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCheckOnlineVIP-Parser')))]", - "parserVersion4": "1.0.0", - "parserContentId4": "MESCheckOnlineVIP-Parser" + "_parserName4": "[concat(parameters('workspace'),'/','MESCompareDataMRA Data Parser')]", + "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]", + "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCompareDataMRA-Parser')))]", + "parserVersion4": "1.1.0", + 
"parserContentId4": "MESCompareDataMRA-Parser" }, "parserObject5": { - "_parserName5": "[concat(parameters('workspace'),'/','MESCompareDataMRA Data Parser')]", - "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]", - "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCompareDataMRA-Parser')))]", + "_parserName5": "[concat(parameters('workspace'),'/','MESOfficeActivityLogs Data Parser')]", + "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]", + "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESOfficeActivityLogs-Parser')))]", "parserVersion5": "1.0.0", - "parserContentId5": "MESCompareDataMRA-Parser" - }, - "parserObject6": { - "_parserName6": "[concat(parameters('workspace'),'/','MESOfficeActivityLogs Data Parser')]", - "_parserId6": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]", - "parserTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESOfficeActivityLogs-Parser')))]", - "parserVersion6": "1.0.0", - "parserContentId6": "MESOfficeActivityLogs-Parser" + "parserContentId5": "MESOfficeActivityLogs-Parser" }, "workbookVersion1": "1.1.0", "workbookContentId1": "MicrosoftExchangeLeastPrivilegewithRBAC-Online", 
@@ -140,7 +133,7 @@ "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]", "_workbookContentId2": "[variables('workbookContentId2')]", "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", - "workbookVersion3": "1.0.0", + "workbookVersion3": "1.0.1", "workbookContentId3": "MicrosoftExchangeAdminActivity-Online", "workbookId3": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId3'))]", "workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))))]", @@ -166,7 +159,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Security - Exchange Online data connector with template version 3.1.5", + "description": "Microsoft Exchange Security - Exchange Online data connector with template version 3.1.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -201,7 +194,7 @@ "dataTypes": [ { "name": "ESIExchangeOnlineConfig_CL", - "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)" + "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time" } ], "connectivityCriterias": [ 
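Review bot: In the new `lastDataReceivedQuery` the `summarize Time = max(...) by GenerationInstanceID_g, ESIEnvironment_s` grouping is immediately collapsed by the appended `| summarize Time = max(Time)`, so the per-instance/per-environment breakdown does no work and only adds cost, and the missing space in `|summarize` reads as a leftover from hand-editing. The same single-row result is `ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) | where isnotempty(Time) | project Time`. The identical query is repeated in the `@@ -518` hunk of this file; if mainTemplate.json is packaged output, both copies presumably come from the data connector definition and should be changed there once.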
@@ -518,7 +511,7 @@ "dataTypes": [ { "name": "ESIExchangeOnlineConfig_CL", - "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)" + "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time" } ], "connectivityCriterias": [ @@ -744,7 +737,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeConfiguration Data Parser with template version 3.1.5", + "description": "ExchangeConfiguration Data Parser with template version 3.1.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -874,7 +867,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeEnvironmentList Data Parser with template version 3.1.5", + "description": "ExchangeEnvironmentList Data Parser with template version 3.1.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject2').parserVersion2]", 
@@ -1004,7 +997,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MESCheckVIP Data Parser with template version 3.1.5", + "description": "MESCheckOnlineVIP Data Parser with template version 3.1.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject3').parserVersion3]", 
@@ -1018,10 +1011,10 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VIP Check for Exchange", + "displayName": "Parser for VIP Check for Exchange Online", "category": "Microsoft Sentinel Parser", - "functionAlias": "MESCheckVIP", - "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [\n \"NONE\",\"NONE\",\"NONE\",\"NONE\",\"00000001-0000-1000-0000-100000000000\",\"NONE\",\"NONE\"];\nlet Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != \"00000001-0000-1000-0000-100000000000\" | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ canonicalName \n or _UserToCheck =~ displayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck =~ objectSID \n or _UserToCheck == tostring(objectGUID) \n or _UserToCheck =~ distinguishedName\n or _UserToCheck == \"All\"\n | extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",displayName,\"#\",userPrincipalName,\"#\",sAMAccountName,\"#\",objectGUID,\"#\",objectSID,\"#\",distinguishedName,\"#\"),_UserToCheck);\nSearchUser\n", + "functionAlias": "MESCheckOnlineVIP", + "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ DisplayName \n or _UserToCheck =~ 
userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck == \"All\"\n| extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",DisplayName,\"#\",userPrincipalName,\"#\",sAMAccountName),_UserToCheck);\nSearchUser\n", "functionParameters": "UserToCheck:string='All'", "version": 2, "tags": [ @@ -1040,7 +1033,7 @@ "[variables('parserObject3')._parserId3]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckVIP Data Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]", "contentId": "[variables('parserObject3').parserContentId3]", "kind": "Parser", "version": "[variables('parserObject3').parserVersion3]", @@ -1069,7 +1062,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject3').parserContentId3]", "contentKind": "Parser", - "displayName": "Parser for VIP Check for Exchange", + "displayName": "Parser for VIP Check for Exchange Online", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]", "version": "[variables('parserObject3').parserVersion3]" 
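Review bot: The new MESCheckOnlineVIP query unions a placeholder row (`"NONE","NONE","NONE"`) into the watchlist so that `union isfuzzy=true` tolerates a missing ExchOnlineVIP watchlist, but unlike the MESCheckVIP query it replaces (which dropped its placeholder with `where objectGUID != "00000001-..."`), it never filters that row back out. With the default `UserToCheck='All'` the function therefore always returns a spurious VIP named NONE, and because the comparisons use `=~`, checking a user whose DisplayName, UPN or sAMAccountName is literally "none" (any case) is reported as a VIP hit — a false positive for any workbook or rule that keys on this function. Add a filter right after the union: `| where not(DisplayName == "NONE" and sAMAccountName == "NONE" and userPrincipalName == "NONE")`. Separately, `ValueChecked` lost the trailing `#` delimiter the old query emitted (`strcat("#",DisplayName,"#",userPrincipalName,"#",sAMAccountName)`), so a consumer that matches `#<value>#` would no longer see sAMAccountName as the last field — worth confirming against the workbooks. If mainTemplate.json is packaged output, the fix belongs in the parser YAML source and the package should be regenerated.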
@@ -1082,10 +1075,10 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VIP Check for Exchange", + "displayName": "Parser for VIP Check for Exchange Online", "category": "Microsoft Sentinel Parser", - "functionAlias": "MESCheckVIP", - "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [\n \"NONE\",\"NONE\",\"NONE\",\"NONE\",\"00000001-0000-1000-0000-100000000000\",\"NONE\",\"NONE\"];\nlet Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != \"00000001-0000-1000-0000-100000000000\" | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ canonicalName \n or _UserToCheck =~ displayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck =~ objectSID \n or _UserToCheck == tostring(objectGUID) \n or _UserToCheck =~ distinguishedName\n or _UserToCheck == \"All\"\n | extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",displayName,\"#\",userPrincipalName,\"#\",sAMAccountName,\"#\",objectGUID,\"#\",objectSID,\"#\",distinguishedName,\"#\"),_UserToCheck);\nSearchUser\n", + "functionAlias": "MESCheckOnlineVIP", + "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ DisplayName \n or _UserToCheck =~ 
userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck == \"All\"\n| extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",DisplayName,\"#\",userPrincipalName,\"#\",sAMAccountName),_UserToCheck);\nSearchUser\n", "functionParameters": "UserToCheck:string='All'", "version": 2, "tags": [ @@ -1105,7 +1098,7 @@ "[variables('parserObject3')._parserId3]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckVIP Data Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]", "contentId": "[variables('parserObject3').parserContentId3]", "kind": "Parser", "version": "[variables('parserObject3').parserVersion3]", @@ -1134,7 +1127,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MESCheckOnlineVIP Data Parser with template version 3.1.5", + "description": "MESCompareDataMRA Data Parser with template version 3.1.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject4').parserVersion4]", 
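Review bot: This second copy of the MESCheckOnlineVIP query has the same gap as the first copy in the `@@ -1018` hunk: the `"NONE","NONE","NONE"` placeholder row added for `union isfuzzy=true` is never filtered out, so `UserToCheck='All'` always yields a spurious NONE entry and an account literally named "none" matches as a VIP under the case-insensitive `=~`. Whichever copy the workspace actually executes, both should read `... fuzzyWatchlist | where not(DisplayName == "NONE" and sAMAccountName == "NONE" and userPrincipalName == "NONE") | project-away TableName;`. Fixing the parser YAML once and regenerating mainTemplate.json would keep the two copies from drifting.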
@@ -1148,11 +1141,11 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VIP Check for Exchange Online", + "displayName": "Parser for MRA Configuration Data Comparison", "category": "Microsoft Sentinel Parser", - "functionAlias": "MESCheckOnlineVIP", - "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ DisplayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck == \"All\"\n| extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",DisplayName,\"#\",userPrincipalName,\"#\",sAMAccountName),_UserToCheck);\nSearchUser\n", - "functionParameters": "UserToCheck:string='All'", + "functionAlias": "MESCompareDataMRA", + "query": "// Version: 1.1.0\n// Last Updated: 30/08/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. 
ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope))\n | extend CustomConfigWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))\n | extend 
CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope.Name))\n | extend CustomConfigWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= 
tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeOnlineConfig_CL\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet 
DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) 
!=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope,\n 
RecipientWriteScope,\n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n", + "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')", "version": 2, "tags": [ { @@ -1170,7 +1163,7 @@ "[variables('parserObject4')._parserId4]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]", "contentId": "[variables('parserObject4').parserContentId4]", "kind": "Parser", "version": "[variables('parserObject4').parserVersion4]", @@ -1199,9 +1192,9 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject4').parserContentId4]", "contentKind": "Parser", - "displayName": "Parser for VIP Check for Exchange Online", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]", + "displayName": "Parser for MRA Configuration Data Comparison", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.1.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.1.0')))]", "version": "[variables('parserObject4').parserVersion4]" } }, 
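Review bot: In the new MESCompareDataMRA query the AfterData branch computes `CustomRecipientWriteScope` with `.Name` in both arms of the iff, while BeforeData and allDataRange use the bare `CmdletResultValue.CustomRecipientWriteScope` for the Online case, so Online comparisons can flag spurious scope modifications or hide real ones; the arm should read `tostring(CmdletResultValue.CustomRecipientWriteScope)` as in BeforeData. The same query (and the same defect) is duplicated in the hunk at @@ -1212,11 +1205,11 @@, and the first `RoleAssignmentDelegationType` extend in both BeforeData and AfterData is dead because the later extend overwrites it. Two further points look like detection gaps but depend on how ExchangeConfiguration() treats EnvList: allDataRange filters `ESIEnvironment_s == _EnvList` with the default `EnvList='All'`, which presumably matches no environment and silently empties the Remove/Modif results, and DiffRemoveData anti-joins on RoleAssigneeName alone, so an assignee who loses one role assignment but keeps another is not reported as a removal. If this template is generated from the parser YAML, the corrections belong in the YAML; the parser resource this query belongs to starts and ends outside the hunk.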
@@ -1212,11 +1205,11 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VIP Check for Exchange Online", + "displayName": "Parser for MRA Configuration Data Comparison", "category": "Microsoft Sentinel Parser", - "functionAlias": "MESCheckOnlineVIP", - "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ DisplayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck == \"All\"\n| extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",DisplayName,\"#\",userPrincipalName,\"#\",sAMAccountName),_UserToCheck);\nSearchUser\n", - "functionParameters": "UserToCheck:string='All'", + "functionAlias": "MESCompareDataMRA", + "query": "// Version: 1.1.0\n// Last Updated: 30/08/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. 
ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope))\n | extend CustomConfigWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))\n | extend 
CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope.Name))\n | extend CustomConfigWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= 
tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeOnlineConfig_CL\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet 
DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) 
!=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope,\n 
RecipientWriteScope,\n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n", + "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')", "version": 2, "tags": [ { @@ -1235,7 +1228,7 @@ "[variables('parserObject4')._parserId4]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]", "contentId": "[variables('parserObject4').parserContentId4]", "kind": "Parser", "version": "[variables('parserObject4').parserVersion4]", @@ -1264,7 +1257,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MESCompareDataMRA Data Parser with template version 3.1.5", + "description": "MESOfficeActivityLogs Data Parser with template version 3.1.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject5').parserVersion5]", 
@@ -1278,11 +1271,11 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for MRA Configuration Data Comparison", + "displayName": "Parser for Office Activity Logs", "category": "Microsoft Sentinel Parser", - "functionAlias": "MESCompareDataMRA", - "query": "// Version: 1.0.0\n// Last Updated: 25/02/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = 
tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = 
iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeOnlineConfig_CL\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement 
= tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and 
prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, 
WhenChanged))\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope,\n RecipientWriteScope,\n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n", - "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')", + "functionAlias": "MESOfficeActivityLogs", + "query": "// Version: 1.0.0\n// Last Updated: 25/02/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\nlet CmdletCheck = externaldata (Cmdlet:string, UserOriented:string, RestrictToParameter:string, Parameters:string)[h\"https://aka.ms/CmdletWatchlist\"]with(format=\"csv\",ignoreFirstRecord=true);\nlet SensitiveCmdlets = CmdletCheck | project tostring(Cmdlet) ;\nlet Check = (T:(*)) {\n let fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\n let SearchUserDisplayName = T | join Watchlist on $left.TargetObject == $right.DisplayName | project TargetObject,SearchKey;\n let SearchUserSAMAccountName = T | join Watchlist on $left.TargetObject == $right.sAMAccountName | project TargetObject,SearchKey;\n let SearchUserUPN = T | join Watchlist on $left.TargetObject == $right.userPrincipalName | project TargetObject,SearchKey;\n 
union isfuzzy=true withsource=TableName \n SearchUserDisplayName,\n SearchUserSAMAccountName, \n SearchUserUPN\n };\nlet EventList = OfficeActivity\n | where RecordType == \"ExchangeAdmin\"\n | where UserType <> \"DcAdmin\" and UserKey !contains \"NT AUTHORITY\"\n | extend CmdletName = Operation\n | extend Param = replace_string(replace_string((replace_string(Parameters,'[{\"Name\":\"','-')),'\",\"Value\":\"',' : '),'\"},{\"Name\":\"',', -')\n // | extend Param = replace_string((replace_string(Parameters,'\",\"Value\":\"',' : ')),'\"},{\"Name\":\"',' -')\n | extend Param = replace_string((replace_string(Param,'\"},{\"',' ; ')),'\"}]','')\n | extend Param = replace_string(Param,'\\\\\\\\','\\\\')\n | extend TargetObject = tostring(split(split(Param,\"-Identity : \")[1],' -')[0])\n | extend TargetObject = replace_string(TargetObject,',','')\n | extend TargetObject = iff(TargetObject==\"\",TargetObject=\"N/A\",TargetObject);\nlet Office_Activity = (){\nEventList\n | join kind=leftouter (EventList | project TargetObject | invoke Check()) on TargetObject\n | extend IsVIP = iif(SearchKey == \"\", false, true)\n | join kind=leftouter ( \n MESCheckOnlineVIP() ) on SearchKey\n | extend CmdletNameJoin = tolower(CmdletName)\n | join kind=leftouter ( \n CmdletCheck\n | extend CmdletNameJoin = tolower(Cmdlet)\n ) on CmdletNameJoin\n | extend Caller = UserId\n | extend CmdletParameters = Param\n | extend IsSenstiveCmdlet = iif( isnotempty(CmdletNameJoin1) , true, false) \n | extend IsRestrictedCmdLet = iif(IsSenstiveCmdlet == true, iif( RestrictToParameter == \"Yes\", true, false), dynamic(null))\n | extend RestrictedParameters = iif(IsSenstiveCmdlet == true, split(tolower(Parameters1),';'), dynamic(null))\n | extend ExtractedParameters = iif(IsSenstiveCmdlet == true,extract_all(@\"\\B(-\\w+)\", tolower(CmdletParameters)), dynamic(null))\n | extend IsSenstiveCmdletParameters = iif(IsSenstiveCmdlet == true,iif( 
array_length(set_difference(ExtractedParameters,RestrictedParameters)) == array_length(ExtractedParameters), false, true ) , false)\n | extend IsSensitive = iif( ( IsSenstiveCmdlet == true and IsRestrictedCmdLet == false ) or (IsSenstiveCmdlet == true and IsRestrictedCmdLet == true and IsSenstiveCmdletParameters == true ), true, false )\n | project TimeGenerated,Caller,TargetObject,IsVIP,userPrincipalName,CmdletName,CmdletParameters,IsSenstiveCmdlet,IsRestrictedCmdLet,ExtractedParameters,RestrictedParameters,IsSenstiveCmdletParameters,IsSensitive,UserOriented\n};\nOffice_Activity\n",
+ "functionParameters": "",
"version": 2,
"tags": [
{
@@ -1300,7 +1293,7 @@
"[variables('parserObject5')._parserId5]"
],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]",
"contentId": "[variables('parserObject5').parserContentId5]",
"kind": "Parser",
"version": "[variables('parserObject5').parserVersion5]",
@@ -1329,7 +1322,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('parserObject5').parserContentId5]",
"contentKind": "Parser",
- "displayName": "Parser for MRA Configuration Data Comparison",
+ "displayName": "Parser for Office Activity Logs",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]",
"version": "[variables('parserObject5').parserVersion5]"
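Review bot: The replacement `MESOfficeActivityLogs` query still depends on `MESCheckOnlineVIP()` in `| join kind=leftouter ( MESCheckOnlineVIP() ) on SearchKey`, while the same change re-parents parserObject4 away from 'MESCheckOnlineVIP Data Parser' and shifts the remaining parsers down one slot, which suggests that function is no longer deployed by this package; if so, the saved search fails to resolve at run time and every consumer of this parser (and its IsVIP enrichment) silently returns nothing. The header comment is carried over verbatim from the MRA comparison parser and describes date-based configuration diffing that this query does not perform; replace it with something like `// DESCRIPTION: Normalises OfficeActivity ExchangeAdmin records, flags targets present in the ExchOnlineVIP watchlist (IsVIP) and marks cmdlets/parameters listed in the CmdletWatchlist CSV as sensitive (IsSensitive).` The sensitive-cmdlet list is fetched live via `externaldata` from `https://aka.ms/CmdletWatchlist` on every execution, so the availability and integrity of that redirect directly decide the IsSensitive verdict; that dependency should be stated in the header, and a workspace watchlist (as already done for ExchOnlineVIP via `_GetWatchlist`) would keep the classification under the customer's control. The `let SensitiveCmdlets = CmdletCheck | project tostring(Cmdlet) ;` binding is never used and can be dropped.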
@@ -1340,136 +1333,6 @@ "apiVersion": "2022-10-01", "name": "[variables('parserObject5')._parserName5]", "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for MRA Configuration Data Comparison", - "category": "Microsoft Sentinel Parser", - "functionAlias": "MESCompareDataMRA", - "query": "// Version: 1.0.0\n// Last Updated: 25/02/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. 
ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = 
tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeOnlineConfig_CL\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n 
| extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != 
prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope,\n RecipientWriteScope,\n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n", - "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - 
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", - "dependsOn": [ - "[variables('parserObject5')._parserId5]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]", - "contentId": "[variables('parserObject5').parserContentId5]", - "kind": "Parser", - "version": "[variables('parserObject5').parserVersion5]", - "source": { - "kind": "Solution", - "name": "Microsoft Exchange Security - Exchange Online", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Community", - "tier": "Community", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject6').parserTemplateSpecName6]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MESOfficeActivityLogs Data Parser with template version 3.1.5", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject6').parserVersion6]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject6')._parserName6]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for Office Activity Logs", - "category": "Microsoft Sentinel Parser", - 
"functionAlias": "MESOfficeActivityLogs", - "query": "// Version: 1.0.0\n// Last Updated: 25/02/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\nlet CmdletCheck = externaldata (Cmdlet:string, UserOriented:string, RestrictToParameter:string, Parameters:string)[h\"https://aka.ms/CmdletWatchlist\"]with(format=\"csv\",ignoreFirstRecord=true);\nlet SensitiveCmdlets = CmdletCheck | project tostring(Cmdlet) ;\nlet Check = (T:(*)) {\n let fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\n let SearchUserDisplayName = T | join Watchlist on $left.TargetObject == $right.DisplayName | project TargetObject,SearchKey;\n let SearchUserSAMAccountName = T | join Watchlist on $left.TargetObject == $right.sAMAccountName | project TargetObject,SearchKey;\n let SearchUserUPN = T | join Watchlist on $left.TargetObject == $right.userPrincipalName | project TargetObject,SearchKey;\n union isfuzzy=true withsource=TableName \n SearchUserDisplayName,\n SearchUserSAMAccountName, \n SearchUserUPN\n };\nlet EventList = OfficeActivity\n | where RecordType == \"ExchangeAdmin\"\n | where UserType <> \"DcAdmin\" and UserKey !contains \"NT AUTHORITY\"\n | extend CmdletName = Operation\n | extend Param = replace_string(replace_string((replace_string(Parameters,'[{\"Name\":\"','-')),'\",\"Value\":\"',' : '),'\"},{\"Name\":\"',', -')\n // | extend Param = replace_string((replace_string(Parameters,'\",\"Value\":\"',' : ')),'\"},{\"Name\":\"',' -')\n | extend Param = replace_string((replace_string(Param,'\"},{\"',' ; ')),'\"}]','')\n | extend Param = replace_string(Param,'\\\\\\\\','\\\\')\n | extend 
TargetObject = tostring(split(split(Param,\"-Identity : \")[1],' -')[0])\n | extend TargetObject = replace_string(TargetObject,',','')\n | extend TargetObject = iff(TargetObject==\"\",TargetObject=\"N/A\",TargetObject);\nlet Office_Activity = (){\nEventList\n | join kind=leftouter (EventList | project TargetObject | invoke Check()) on TargetObject\n | extend IsVIP = iif(SearchKey == \"\", false, true)\n | join kind=leftouter ( \n MESCheckOnlineVIP() ) on SearchKey\n | extend CmdletNameJoin = tolower(CmdletName)\n | join kind=leftouter ( \n CmdletCheck\n | extend CmdletNameJoin = tolower(Cmdlet)\n ) on CmdletNameJoin\n | extend Caller = UserId\n | extend CmdletParameters = Param\n | extend IsSenstiveCmdlet = iif( isnotempty(CmdletNameJoin1) , true, false) \n | extend IsRestrictedCmdLet = iif(IsSenstiveCmdlet == true, iif( RestrictToParameter == \"Yes\", true, false), dynamic(null))\n | extend RestrictedParameters = iif(IsSenstiveCmdlet == true, split(tolower(Parameters1),';'), dynamic(null))\n | extend ExtractedParameters = iif(IsSenstiveCmdlet == true,extract_all(@\"\\B(-\\w+)\", tolower(CmdletParameters)), dynamic(null))\n | extend IsSenstiveCmdletParameters = iif(IsSenstiveCmdlet == true,iif( array_length(set_difference(ExtractedParameters,RestrictedParameters)) == array_length(ExtractedParameters), false, true ) , false)\n | extend IsSensitive = iif( ( IsSenstiveCmdlet == true and IsRestrictedCmdLet == false ) or (IsSenstiveCmdlet == true and IsRestrictedCmdLet == true and IsSenstiveCmdletParameters == true ), true, false )\n | project TimeGenerated,Caller,TargetObject,IsVIP,userPrincipalName,CmdletName,CmdletParameters,IsSenstiveCmdlet,IsRestrictedCmdLet,ExtractedParameters,RestrictedParameters,IsSenstiveCmdletParameters,IsSensitive,UserOriented\n};\nOffice_Activity\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - 
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject6')._parserId6,'/'))))]",
- "dependsOn": [
- "[variables('parserObject6')._parserId6]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]",
- "contentId": "[variables('parserObject6').parserContentId6]",
- "kind": "Parser",
- "version": "[variables('parserObject6').parserVersion6]",
- "source": {
- "name": "Microsoft Exchange Security - Exchange Online",
- "kind": "Solution",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Community",
- "tier": "Community",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('parserObject6').parserContentId6]",
- "contentKind": "Parser",
- "displayName": "Parser for Office Activity Logs",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject6').parserContentId6,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject6').parserContentId6,'-', '1.0.0')))]",
- "version": "[variables('parserObject6').parserVersion6]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "[variables('parserObject6')._parserName6]",
- "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
 "displayName": 
"Parser for Office Activity Logs",
@@ -1490,15 +1353,15 @@
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
 "location": "[parameters('workspace-location')]",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject6')._parserId6,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]",
 "dependsOn": [
- "[variables('parserObject6')._parserId6]"
+ "[variables('parserObject5')._parserId5]"
 ],
 "properties": {
 "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]",
- "contentId": "[variables('parserObject6').parserContentId6]",
+ "contentId": "[variables('parserObject5').parserContentId5]",
 "kind": "Parser",
- "version": "[variables('parserObject6').parserVersion6]",
+ "version": "[variables('parserObject5').parserVersion5]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Exchange Security - Exchange Online",
@@ -1524,7 +1387,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Microsoft Exchange Least Privilege with RBAC - Online Workbook with template version 3.1.5",
+ "description": "Microsoft Exchange Least Privilege with RBAC - Online Workbook with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]", 
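Review bot: The renumbered metadata resource still points its `parentId` at the literal saved-search name `'MESOfficeActivityLogs Data Parser'` while `name`, `dependsOn`, `contentId` and `version` in the same hunk now derive from `parserObject5`, so nothing in the template ties the parent link to the parser it describes and a future rename of the saved search would silently leave the metadata orphaned. Assuming the variables block (outside this hunk) defines `_parserName5` next to `_parserId5`, as the removed block did for `_parserName6`, the consistent form is `"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserObject5')._parserName5)]"`. The 6→5 renumbering also requires that no other resource in this template still references `parserObject6` (the removed duplicate above used it in `contentProductId`, `id` and the savedSearches `name`), which cannot be confirmed from this hunk alone. The enclosing resource object starts and ends outside the hunk.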
@@ -1542,7 +1405,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"e59f0f7f-fd05-4ec8-9f59-e4d9c3b589f2\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Current RBAC Delegation\",\"subTarget\":\"RBACDelegation\",\"preText\":\"RBAC Delegation\",\"postText\":\"\",\"style\":\"link\"},{\"id\":\"26056188-7abf-4913-a927-806099e616eb\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Custom Roles\",\"subTarget\":\"CustomRole\",\"style\":\"link\"},{\"id\":\"5eeebe10-be67-4f8a-9d91-4bc6c70c3e16\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"start\",\"style\":\"link\"}]},\"name\":\"links - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9ae328d6-99c8-4c44-8d59-42ca4d999098\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"Online\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| 
extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value 
desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The current delegation are compared to an export of default delegation available on Exchange Online.\\r\\n\\r\\nTo find which is used for the comparaison please follow this link.\\r\\nThe export is located on the public GitHub of the project.\\r\\n\\r\\ncheck this link : https://aka.ms/esiwatchlist\\r\\n\\r\\nIt will be updated by the team project.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation on User Accounts\",\"items\":[{\"type\":1,\"content\":{\"json\":\" Custom Delegation on User Accounts\"},\"name\":\"text - 2 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d9d4e0a2-b75d-4825-9f4e-7606516500e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize 
make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct RoleAssigneeName\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"cf5959fa-a833-4bb2-90bd-d4c90dca5506\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Role\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Role=tostring (CmdletResultValue.Role)\\r\\n| distinct Role\\r\\n| sort by Role asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where 
CmdletResultValue.RoleAssigneeName endswith \\\"{RoleAssignee}\\\" \\r\\n| where CmdletResultValue.Role contains \\\"{Role}\\\"\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| project Name, Role, RoleAssigneeName,Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope\\r\\n| sort by RoleAssigneeName asc\\r\\n\",\"size\":3,\"showAnalytics\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"name\":\"query - 
2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Custom Delegation on User Accounts\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays all the nonstandard delegations done directly to a user account.\\r\\n\\r\\nDetailed information for the user accounts will be displayed.\\r\\n\\r\\nThis status is done by comparing current delegation with the default delegation for Exchange 2019 CU11.\\r\\n\\r\\nThese types of delegations are not available on the Exchange Admin Center.\\r\\n\\r\\nUsual results :\\r\\n\\r\\n - Delegations done directly to service account. Being able to see this delegation will help to sanityze the environment as some delegations may be no more necessary\\r\\n\\r\\n - Delegation done by mistake directly to Administrator Accounts\\r\\n\\r\\n - Suspicious delegations\\r\\n\\r\\n\\r\\nDetailed information for the user accounts will be displayed in below sections\\r\\n\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation on Groups\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Custom Delegation on Groups\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c548eb09-54e3-41bf-a99d-be3534f7018b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where 
CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct RoleAssigneeName\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f5511a2b-9bf6-48ae-a968-2d1f879c8bfa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Role\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Role=tostring (CmdletResultValue.Role)\\r\\n| distinct Role\\r\\n| sort by Role asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"MR-CustMailRecipients\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nlet RoleG = ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n | project 
RoleAssigneeName=tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.RoleAssigneeName endswith \\\"{RoleAssignee}\\\" \\r\\n| where CmdletResultValue.Role contains \\\"{Role}\\\"\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| project CmdletResultValue\\r\\n| extend ManagementRoleAssignment = tostring(CmdletResultValue.Name)\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n|lookup RoleG on RoleAssigneeName \\r\\n| project-away CmdletResultValue\\r\\n| sort by RoleAssigneeName asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Custom Delegation on 
Groups\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays all the nonstandard delegations done for standard and non standard groups. Indeed, default groups have a list of default delegations but an Exchange administrators can add also new roles to the default groups.\\r\\n\\r\\nThis status is done by comparing current delegation with the default delegation for Exchange 2019 CU11.\\r\\n\\r\\nUsual results :\\r\\n\\r\\n - Delegations done for Organization Management to role like Mailbox Import Export or Mailbox Search\\r\\n\\r\\n - Delegation done by mistake\\r\\n\\r\\n - Suspicious delegations\\r\\n\\r\\nDetailed information for the user accounts present in the groups will be displayed in below sections\\r\\n\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"RBACDelegation\"},\"name\":\"Custom Delegation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### How to user this tab\\r\\n**1 - Select an account** : All the Cmdlet launched by the account during the selected time frame will be displayer.\\r\\n\\r\\n**2 - Select a cmdlet** : All the roles that contain will be displayed\\r\\n\\r\\n**3 - Review the list of roles** : This table contains all the roles that contain the selected Cmdlet\\r\\n\\r\\n\",\"style\":\"info\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### How to undertand the \\\"List of Roles with this CmdLet\\\" table ? 
\\r\\n\\r\\n**WeightRole :** Display the wieight of this role based on its importance in terms of security risk\\r\\n\\r\\n**SumRole :** Among all the Cmdlet launched by the account during the defined time frame, this role available for x cmdlet. This role include x cmdlet run by the user.\\r\\n\\r\\n**OrgMgmtRole :** This role is really in the scope of Organization Management group. If the selected Cmdlet is not included is any other role, it make sense that this user is member of the Organization Management group\\r\\n\\r\\n \",\"style\":\"upsell\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CounUserCmdlet = (ExchangeAdminAuditLogs\\r\\n| where Status == \\\"Success\\\"\\r\\n| extend Caller = tostring(split(Caller,\\\"/\\\")[countof(Caller,\\\"/\\\")])\\r\\n| summarize Count=count() by Caller);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"Organization Management\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| where CmdletResultValue.ObjectClass == \\\"user\\\"\\r\\n//| project CmdletResultValue,Count\\r\\n| extend Account = tostring(CmdletResultValue.SamAccountName)\\r\\n| join kind=leftouter (CounUserCmdlet) on $left.Account == $right.Caller\\r\\n| project Account,Count\\r\\n//| project-away CmdletResultValue\\r\\n| sort by Account asc\",\"size\":3,\"title\":\"Organization Management 
Members\",\"exportFieldName\":\"Account\",\"exportParameterName\":\"Account\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purple\"}}]}},\"customWidth\":\"20\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"100%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeAdminAuditLogs\\r\\n| where Caller contains \\\"{Account}\\\"\\r\\n| where Status == \\\"Success\\\"\\r\\n| distinct CmdletName\\r\\n| sort by CmdletName asc\",\"size\":3,\"title\":\"List of CmdLet run by the account\",\"exportFieldName\":\"CmdletName\",\"exportParameterName\":\"CmdletName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"CmdletName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"CmdletName\",\"sortOrder\":1}]},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RBACRoleCmdlet = _GetWatchlist('RBACRoleCmdlet');\\r\\nlet UserRoleList = ExchangeAdminAuditLogs | where Caller contains \\\"{Account}\\\" | where Status == \\\"Success\\\" | distinct CmdletName;\\r\\nlet countRole = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize SumRole = count()by Role);\\r\\nlet RolevsCmdlet = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize make_set(Name) by Role);\\r\\nRolevsCmdlet\\r\\n| join kind=leftouter ( countRole ) on Role\\r\\n| project Role,CmdletList=set_Name,SumRole\\r\\n| join kind=leftouter ( RBACRoleCmdlet ) on Role\\r\\n| where Name has \\\"{CmdletName}\\\"\\r\\n| extend PossibleRoles = Role\\r\\n| extend OrgMgmtRole = OrgM\\r\\n| extend RoleWeight = Priority\\r\\n|distinct 
PossibleRoles,RoleWeight,tostring(SumRole),OrgMgmtRole,tostring(CmdletList)\\r\\n|sort by SumRole,RoleWeight\\r\\n\",\"size\":3,\"title\":\"List of Roles with this CmdLet\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"PossibleRoles\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"PossibleRoles\",\"sortOrder\":1}]},\"customWidth\":\"40\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"0\",\"maxWidth\":\"100%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RBACRoleCmdlet = _GetWatchlist('RBACRoleCmdlet');\\r\\nlet UserRoleList = ExchangeAdminAuditLogs | where TimeGenerated {TimeRange} | where Caller contains \\\"{Account}\\\" | where Status == \\\"Success\\\" | distinct CmdletName;\\r\\nlet countRole = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize SumRole = count()by Role);\\r\\nlet RolevsCmdlet = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize make_set(Name) by Role);\\r\\nRolevsCmdlet\\r\\n| join kind=leftouter ( countRole ) on Role\\r\\n| project Role,CmdletList=set_Name,SumRole\\r\\n| join kind=leftouter ( RBACRoleCmdlet ) on Role\\r\\n| extend Roles = Role\\r\\n| extend OrgMgmtRole = OrgM\\r\\n| extend RoleWeight = Priority\\r\\n| extend CmdletList=tostring(CmdletList)\\r\\n| summarize by Roles,CmdletList,RoleWeight,tostring(SumRole),OrgMgmtRole\\r\\n| distinct Roles,RoleWeight,tostring(SumRole),OrgMgmtRole,tostring(CmdletList)\\r\\n|sort by Roles asc\",\"size\":0,\"title\":\"Recommended Roles for selected users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Roles\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Roles\",\"sortOrder\":1}]},\"name\":\"query - 3\"}]},\"name\":\"group - 
0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Leastprivileges\"},\"name\":\"group - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Role details\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"List of Custom Roles\",\"items\":[{\"type\":1,\"content\":{\"json\":\"List of existing custom Roles\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"List of Custom with a Management Role Assignement (associated with a group or a user). Display the target account and scope if set\"},\"customWidth\":\"50\",\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| extend ParentRole =split(tostring(CmdletResultValue.Parent),\\\"\\\\\\\\\\\")[1]\\r\\n| project Identity, ParentRole, WhenCreated, WhenChanged\",\"size\":3,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| 
extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Scope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| project Role, Scope, RoleAssigneeName\\r\\n| join kind=inner (MRcustomRoles) on Role\\r\\n| project Role,RoleAssigneeName,Scope\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='ITSY', Target = \\\"Online\\\")\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Scope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| project Role= tostring(CmdletResultValue.Role), Scope, RoleAssigneeName\\r\\n| join kind=rightouter (MRcustomRoles) on Role\\r\\n| project Role = Role1, Scope, RoleAssigneeName,Comment = iff(Role == \\\"\\\", \\\"⚠️ No existing delegation for this role\\\", \\\"✅ This role is delegated with a Management Role Assignment\\\")\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", 
SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Role)\\r\\n| join kind=rightouter (MRcustomRoles) on Role\\r\\n| summarize acount = count() by iff( Role==\\\"\\\",\\\"Number of non assigned roles\\\", Role)\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 5\"}]},\"name\":\"List of Custom Roles\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Roles delegation on group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows delegation associated with the Custom Roles\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope 
= tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| project RoleAssigneeName, Role, Status,CustomRecipientWriteScope, CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,WhenCreated, WhenChanged\\r\\n| join kind=inner (MRcustomRoles) on Role\\r\\n| project RoleAssigneeName, Role, Status,CustomRecipientWriteScope, CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,WhenCreated, WhenChanged\",\"size\":3,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Details for Custom Roles Cmdlets \",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays for the chosen custom management roles all Cmdlets and their parameters associated with this custom role.\\r\\nRemember that for a cmdlet, some parameters can be removed.\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"07c8ac83-371d-4702-ab66-72aeb2a20053\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CustomRole\",\"type\":2,\"isRequired\":true,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| project 
Identity\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"MR-CustPF\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustomDetails\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"{CustomRole}\\\"\\r\\n| extend CmdletName = CmdletResultValue.Name\\r\\n| extend Parameters = CmdletResultValue.Parameters\\r\\n| project CmdletName,Parameters\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Details for Custom Roles Cmdlets \"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"CustomRole\"},\"name\":\"Custom Role\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeLeastPrivilegewithRBAC-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"e59f0f7f-fd05-4ec8-9f59-e4d9c3b589f2\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Current RBAC Delegation\",\"subTarget\":\"RBACDelegation\",\"preText\":\"RBAC Delegation\",\"postText\":\"\",\"style\":\"link\"},{\"id\":\"26056188-7abf-4913-a927-806099e616eb\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Custom 
Roles\",\"subTarget\":\"CustomRole\",\"style\":\"link\"},{\"id\":\"5eeebe10-be67-4f8a-9d91-4bc6c70c3e16\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"start\",\"style\":\"link\"}]},\"name\":\"links - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9ae328d6-99c8-4c44-8d59-42ca4d999098\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"Online\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | 
extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true 
}\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The current delegation are compared to an export of default delegation available on Exchange Online.\\r\\n\\r\\nTo find which is used for the comparaison please follow this link.\\r\\nThe export is located on the public GitHub of the project.\\r\\n\\r\\ncheck this link : https://aka.ms/esiwatchlist\\r\\n\\r\\nIt will be updated by the team project.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation on User Accounts\",\"items\":[{\"type\":1,\"content\":{\"json\":\" Custom Delegation on User Accounts\"},\"name\":\"text - 2 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d9d4e0a2-b75d-4825-9f4e-7606516500e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct 
RoleAssigneeName\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"cf5959fa-a833-4bb2-90bd-d4c90dca5506\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Role\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Role=tostring (CmdletResultValue.Role)\\r\\n| distinct Role\\r\\n| sort by Role asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.RoleAssigneeName endswith \\\"{RoleAssignee}\\\" \\r\\n| where CmdletResultValue.Role contains \\\"{Role}\\\"\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = 
tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| project Name, Role, RoleAssigneeName,Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope\\r\\n| sort by RoleAssigneeName asc\\r\\n\",\"size\":3,\"showAnalytics\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Custom Delegation on User Accounts\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays all the nonstandard delegations done directly to a user account.\\r\\n\\r\\nDetailed information for the user accounts will be displayed.\\r\\n\\r\\nThis status is done by comparing current delegation 
with the default delegation for Exchange 2019 CU11.\\r\\n\\r\\nThese types of delegations are not available on the Exchange Admin Center.\\r\\n\\r\\nUsual results :\\r\\n\\r\\n - Delegations done directly to service account. Being able to see this delegation will help to sanityze the environment as some delegations may be no more necessary\\r\\n\\r\\n - Delegation done by mistake directly to Administrator Accounts\\r\\n\\r\\n - Suspicious delegations\\r\\n\\r\\n\\r\\nDetailed information for the user accounts will be displayed in below sections\\r\\n\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation on Groups\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Custom Delegation on Groups\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c548eb09-54e3-41bf-a99d-be3534f7018b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct 
RoleAssigneeName\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f5511a2b-9bf6-48ae-a968-2d1f879c8bfa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Role\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Role=tostring (CmdletResultValue.Role)\\r\\n| distinct Role\\r\\n| sort by Role asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"MR-CustMailRecipients\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nlet RoleG = ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n | project RoleAssigneeName=tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.RoleAssigneeName endswith \\\"{RoleAssignee}\\\" \\r\\n| where 
CmdletResultValue.Role contains \\\"{Role}\\\"\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| project CmdletResultValue\\r\\n| extend ManagementRoleAssignment = tostring(CmdletResultValue.Name)\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n|lookup RoleG on RoleAssigneeName \\r\\n| project-away CmdletResultValue\\r\\n| sort by RoleAssigneeName asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Custom Delegation on Groups\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays all the nonstandard delegations done for standard and non standard groups. 
Indeed, default groups have a list of default delegations but an Exchange administrators can add also new roles to the default groups.\\r\\n\\r\\nThis status is done by comparing current delegation with the default delegation for Exchange 2019 CU11.\\r\\n\\r\\nUsual results :\\r\\n\\r\\n - Delegations done for Organization Management to role like Mailbox Import Export or Mailbox Search\\r\\n\\r\\n - Delegation done by mistake\\r\\n\\r\\n - Suspicious delegations\\r\\n\\r\\nDetailed information for the user accounts present in the groups will be displayed in below sections\\r\\n\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"RBACDelegation\"},\"name\":\"Custom Delegation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### How to user this tab\\r\\n**1 - Select an account** : All the Cmdlet launched by the account during the selected time frame will be displayer.\\r\\n\\r\\n**2 - Select a cmdlet** : All the roles that contain will be displayed\\r\\n\\r\\n**3 - Review the list of roles** : This table contains all the roles that contain the selected Cmdlet\\r\\n\\r\\n\",\"style\":\"info\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### How to undertand the \\\"List of Roles with this CmdLet\\\" table ? \\r\\n\\r\\n**WeightRole :** Display the wieight of this role based on its importance in terms of security risk\\r\\n\\r\\n**SumRole :** Among all the Cmdlet launched by the account during the defined time frame, this role available for x cmdlet. This role include x cmdlet run by the user.\\r\\n\\r\\n**OrgMgmtRole :** This role is really in the scope of Organization Management group. 
If the selected Cmdlet is not included is any other role, it make sense that this user is member of the Organization Management group\\r\\n\\r\\n \",\"style\":\"upsell\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CounUserCmdlet = (ExchangeAdminAuditLogs\\r\\n| where Status == \\\"Success\\\"\\r\\n| extend Caller = tostring(split(Caller,\\\"/\\\")[countof(Caller,\\\"/\\\")])\\r\\n| summarize Count=count() by Caller);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"Organization Management\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| where CmdletResultValue.ObjectClass == \\\"user\\\"\\r\\n//| project CmdletResultValue,Count\\r\\n| extend Account = tostring(CmdletResultValue.SamAccountName)\\r\\n| join kind=leftouter (CounUserCmdlet) on $left.Account == $right.Caller\\r\\n| project Account,Count\\r\\n//| project-away CmdletResultValue\\r\\n| sort by Account asc\",\"size\":3,\"title\":\"Organization Management Members\",\"exportFieldName\":\"Account\",\"exportParameterName\":\"Account\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purple\"}}]}},\"customWidth\":\"20\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"100%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeAdminAuditLogs\\r\\n| where Caller contains \\\"{Account}\\\"\\r\\n| where Status == \\\"Success\\\"\\r\\n| distinct CmdletName\\r\\n| sort by CmdletName asc\",\"size\":3,\"title\":\"List of CmdLet run by the 
account\",\"exportFieldName\":\"CmdletName\",\"exportParameterName\":\"CmdletName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"CmdletName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"CmdletName\",\"sortOrder\":1}]},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RBACRoleCmdlet = _GetWatchlist('RBACRoleCmdlet');\\r\\nlet UserRoleList = ExchangeAdminAuditLogs | where Caller contains \\\"{Account}\\\" | where Status == \\\"Success\\\" | distinct CmdletName;\\r\\nlet countRole = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize SumRole = count()by Role);\\r\\nlet RolevsCmdlet = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize make_set(Name) by Role);\\r\\nRolevsCmdlet\\r\\n| join kind=leftouter ( countRole ) on Role\\r\\n| project Role,CmdletList=set_Name,SumRole\\r\\n| join kind=leftouter ( RBACRoleCmdlet ) on Role\\r\\n| where Name has \\\"{CmdletName}\\\"\\r\\n| extend PossibleRoles = Role\\r\\n| extend OrgMgmtRole = OrgM\\r\\n| extend RoleWeight = Priority\\r\\n|distinct PossibleRoles,RoleWeight,tostring(SumRole),OrgMgmtRole,tostring(CmdletList)\\r\\n|sort by SumRole,RoleWeight\\r\\n\",\"size\":3,\"title\":\"List of Roles with this CmdLet\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"PossibleRoles\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"PossibleRoles\",\"sortOrder\":1}]},\"customWidth\":\"40\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"0\",\"maxWidth\":\"100%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RBACRoleCmdlet = _GetWatchlist('RBACRoleCmdlet');\\r\\nlet UserRoleList = ExchangeAdminAuditLogs | where TimeGenerated {TimeRange} | 
where Caller contains \\\"{Account}\\\" | where Status == \\\"Success\\\" | distinct CmdletName;\\r\\nlet countRole = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize SumRole = count()by Role);\\r\\nlet RolevsCmdlet = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize make_set(Name) by Role);\\r\\nRolevsCmdlet\\r\\n| join kind=leftouter ( countRole ) on Role\\r\\n| project Role,CmdletList=set_Name,SumRole\\r\\n| join kind=leftouter ( RBACRoleCmdlet ) on Role\\r\\n| extend Roles = Role\\r\\n| extend OrgMgmtRole = OrgM\\r\\n| extend RoleWeight = Priority\\r\\n| extend CmdletList=tostring(CmdletList)\\r\\n| summarize by Roles,CmdletList,RoleWeight,tostring(SumRole),OrgMgmtRole\\r\\n| distinct Roles,RoleWeight,tostring(SumRole),OrgMgmtRole,tostring(CmdletList)\\r\\n|sort by Roles asc\",\"size\":0,\"title\":\"Recommended Roles for selected users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Roles\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Roles\",\"sortOrder\":1}]},\"name\":\"query - 3\"}]},\"name\":\"group - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Leastprivileges\"},\"name\":\"group - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Role details\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"List of Custom Roles\",\"items\":[{\"type\":1,\"content\":{\"json\":\"List of existing custom Roles\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"List of Custom with a Management Role Assignement (associated with a group or a user). 
Display the target account and scope if set\"},\"customWidth\":\"50\",\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| extend ParentRole =split(tostring(CmdletResultValue.Parent),\\\"\\\\\\\\\\\")[1]\\r\\n| project Identity, ParentRole, WhenCreated, WhenChanged\",\"size\":3,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Scope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| project Role, Scope, RoleAssigneeName\\r\\n| join kind=inner (MRcustomRoles) on Role\\r\\n| project Role,RoleAssigneeName,Scope\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = 
(ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='ITSY', Target = \\\"Online\\\")\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Scope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| project Role= tostring(CmdletResultValue.Role), Scope, RoleAssigneeName\\r\\n| join kind=rightouter (MRcustomRoles) on Role\\r\\n| project Role = Role1, Scope, RoleAssigneeName,Comment = iff(Role == \\\"\\\", \\\"⚠️ No existing delegation for this role\\\", \\\"✅ This role is delegated with a Management Role Assignment\\\")\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Role)\\r\\n| join kind=rightouter (MRcustomRoles) on Role\\r\\n| summarize acount = count() by iff( Role==\\\"\\\",\\\"Number of non assigned roles\\\", 
Role)\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 5\"}]},\"name\":\"List of Custom Roles\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Roles delegation on group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows delegation associated with the Custom Roles\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| project RoleAssigneeName, Role, Status,CustomRecipientWriteScope, CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,WhenCreated, WhenChanged\\r\\n| join kind=inner (MRcustomRoles) on Role\\r\\n| project RoleAssigneeName, Role, Status,CustomRecipientWriteScope, 
CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,WhenCreated, WhenChanged\",\"size\":3,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Details for Custom Roles Cmdlets \",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays for the chosen custom management roles all Cmdlets and their parameters associated with this custom role.\\r\\nRemember that for a cmdlet, some parameters can be removed.\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"07c8ac83-371d-4702-ab66-72aeb2a20053\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CustomRole\",\"type\":2,\"isRequired\":true,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| project Identity\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"MR-CustPF\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustomDetails\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"{CustomRole}\\\"\\r\\n| extend CmdletName = CmdletResultValue.Name\\r\\n| extend Parameters = CmdletResultValue.Parameters\\r\\n| project 
CmdletName,Parameters\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Details for Custom Roles Cmdlets \"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"CustomRole\"},\"name\":\"Custom Role\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeLeastPrivilegewithRBAC-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel"
@@ -1611,7 +1474,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Microsoft Exchange Security Review - Online Workbook with template version 3.1.5",
+ "description": "Microsoft Exchange Security Review - Online Workbook with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion2')]",
@@ -1629,7 +1492,7 @@
 },
 "properties": {
 "displayName": "[parameters('workbook2-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Security Review Online\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9ae328d6-99c8-4c44-8d59-42ca4d999098\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"Online\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend 
ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"181fa282-a002-42f1-ad57-dfb86df3194e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Compare_Collect\",\"type\":10,\"description\":\"If this button is checked, two collections will be compared\",\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show 
Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a9e0099e-5eb1-43b8-915c-587aa05bccf0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateCompare\",\"type\":2,\"description\":\"Date to Comapre\",\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where 
TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"This workbook helps review your Exchange Security configuration.\\r\\nAdjust the time range, and when needed select an item in the dropdownlist\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Mailbox 
Access\",\"subTarget\":\"Delegation\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true},{\"id\":\"be02c735-6150-4b6e-a386-b2b023e754e5\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"EXO & Azure AD Groups\",\"subTarget\":\"ExchAD\",\"style\":\"link\"},{\"id\":\"26c68d90-925b-4c3c-a837-e3cecd489b2d\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Transport Configuration\",\"subTarget\":\"Transport\",\"style\":\"link\"},{\"id\":\"eb2888ca-7fa6-4e82-88db-1bb3663a801e\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"TopMenuTabs\"},{\"type\":1,\"content\":{\"json\":\"To compare collects, select **Yes** and choose the initial date.\\r\\nFor each role, a new table will be displayed with **all** the modifications (Add, Remove, Modifications) beetween the two dates.\\r\\n\\r\\n**Important notes** : Some information are limited are may be not 100% accurate :\\r\\n - Date\\r\\n - GUID of user instead of the name\\r\\n - Fusion of modifications when a role assisgnment is changed within the same collect \\r\\n - ... \\r\\n\\r\\nThis is due to some restrictions in the collect. For more details information, please check the workbook **\\\"Microsoft Exchange Search AdminAuditLog - Online\\\"**\\r\\n.\\r\\n\\r\\nThe compare functionnality is not available for all sections in this workbook.\\r\\n\"},\"name\":\"text - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\n\\r\\nThe goal of this workbook is to outline key security configurations of your Exchange on-premises environment.\\r\\n\\r\\nMost of Exchange organizations have were installed years ago (sometimes more than 10 years). Many configurations have been done and might not have been documented. 
For most environments, the core commitment was maintaining a high availability of the users’ mailboxes putting aside other consideration (even security considerations). Recommended security practices have also evolved since the first released and a regular review is necessary.\\r\\n\\r\\nThis workbook is designed to show your Exchange organization is configured with a security point of view. Indeed, some configurations easy to display as there are no UI available.\\r\\n\\r\\nFor each configuration, you will find explanations and recommendations when applicable.\\r\\n\\r\\n- This workbook does not pretend to show you every weak Security configurations, but the most common issues and known to be used by attackers. \\r\\n- It will not show you if you have been comprised, but will help you identify unexpected configuration.\\r\\n\\r\\n----\\r\\n\\r\\n## Quick reminder of how Exchange works\\r\\n\\r\\nDuring Exchange installation two very important groups are created :\\r\\n- Exchange Trusted Subsystem : Contain all the computer accounts for Exchange Server\\r\\n- Exchange Windows Permissions : Contain the group Exchange trusted Subsystem\\r\\n\\r\\nThese groups have :\\r\\n- Very high privileges in ALL AD domains including the root domain\\r\\n- Right on any Exchange including mailboxes\\r\\n\\r\\nAs each Exchange server computer account is member of Exchange Trusted Subsystem, it means by taking control of the computer account or being System on an Exchange server you will gain access to all the permissions granted to Exchange Trusted Subsystem and Exchange Windows Permissions.\\r\\n\\r\\nTo protect AD and Exchange, it is very important to ensure the following:\\r\\n- There is a very limited number of persons that are local Administrator on Exchange server\\r\\n- To protect user right like : Act part of the operating System, Debug\\r\\n\\r\\nEvery service account or application that have high privileges on Exchange need to be considered as sensitive\\r\\n\\r\\n** 💡 
Exchange servers need to be considered as very sensitive servers**\\r\\n\\r\\n-----\\r\\n\\r\\n\\r\\n## Tabs\\r\\n\\r\\n### Mailbox Access\\r\\n\\r\\nThis tab will show you several top sensitive delegations that allow an account to access, modify, act as another user, search, export the content of a mailbox.\\r\\n\\r\\n### Exchange & AD Groups\\r\\n\\r\\nThis tab will show you the members of Exchange groups and Sensitive AD groups.\\r\\n\\r\\n### Local Administrators\\r\\n\\r\\nThis tab will show you the non standard content of the local Administrators group. Remember that a member of the local Administrators group can take control of the computer account of the server and then it will have all the permissions associated with Exchange Trusted Subsytem and Exchange Windows Permissions\\r\\n\\r\\nThe information is displayed with different views : \\r\\n- List of nonstandard users\\r\\n- Number of servers with a nonstandard a user\\r\\n- Nonstandard groups content\\r\\n- For each user important information are displayed like last logon, last password set, enabled\\r\\n\\r\\n### Exchange Security configuration\\r\\n\\r\\nThis tab will show you some important configuration for your Exchange Organization\\r\\n- Status of Admin Audit Log configuration\\r\\n- Status of POP and IMAP configuration : especially, is Plaintext Authentication configured ?\\r\\n- Nonstandard permissions on the Exchange container in the Configuration Partition\\r\\n\\r\\n### Transport Configuration\\r\\n\\r\\nThis tab will show you the configuration of the main Transport components\\r\\n- Receive Connectors configured with Anonymous and/or Open Relay\\r\\n- Remote Domain Autoforward configuration\\r\\n- Transport Rules configured with BlindCopyTo, SendTo, RedirectTo\\r\\n- Journal Rule and Journal Recipient configurations\\r\\n- Accepted Domains with 
*\\r\\n\\r\\n\"},\"name\":\"WorkbookInfo\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"InformationTab\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Display important security configurations that allow to access mailboxes' content. Direct delegations on mailboxes are not listed (Full Access permission mailboxes or direct delegations on mailboxes folders)\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !contains \\\"Deleg\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| where CmdletResultValue.Role contains \\\"Export\\\" or CmdletResultValue.Role contains \\\"Impersonation\\\" or CmdletResultValue.Role contains \\\"Search\\\"\\r\\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role)\",\"size\":3,\"title\":\"Number of accounts with sensitive RBAC 
roles\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"role\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_RoleAssigneeName\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"role\",\"sortOrderField\":1}},\"name\":\"MRAQuery\"},{\"type\":1,\"content\":{\"json\":\"**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes. This role is very powerfull and should be carefully delegated. When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\\r\\n\\r\\nIt is common to see service accounts for backup solution, antivirus software, MDM...\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SensitiveRBACHelp\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Application Impersonation Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows the delegated account to access and modify the content of every mailboxes using EWS.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"Impersonation\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName !contains 
\\\"RIM-MailboxAdmins\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"RoleGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExclusionsAcctValue = dynamic([\\\"Hygiene Management\\\", \\\"RIM-MailboxAdmins\\\"]);\\r\\nMESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\\\"Impersonation\\\")\",\"size\":3,\"title\":\"Display changes ( Add, Remove, modifications of parameters 
)\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 2\"}]},\"name\":\"Application Impersonation Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Import Export Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to import contents in all mailboxes.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Import Export** is an RBAC role that allows an account to import (export is not available online) contant in a user mailbox. It also allows searches in all mailboxes.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is not delegated to any user or group. 
The members of the group Organization Management by default do not have this role but are able to delegate it.\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n- create an empty group with this delegation\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"export\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"RoleGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, 
Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = \\\"N/A\\\",CurrentRole=\\\"export\\\")\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Import Export Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Search Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to search inside all or in a scope of mailboxes.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\\r\\nDiscovery Management has been 
excluded\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Search** is an RBAC role that allows an account to search in any mailbox.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is only delegated to the group Discovery Management. The members of the group Organization Management do not have this role but are able to delegate it.\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n\\r\\n- add the administrators in the Discovery Management group\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"search\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| where CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"Group\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| 
extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = \\\"N/A\\\",CurrentRole=\\\"Search\\\")\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Search 
Role\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Delegation\"},\"name\":\"Importantsecurityconfiguration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange Group\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Ensure that no service account are a member of the high privilege groups. Use RBAC to delegate the exact required permissions.\\r\\n- Limit the usage of nested group for administration.\\r\\n- Ensure that accounts are given only the required pernissions to execute their tasks.\\r\\n- Use just in time administration principle by adding users in a group only when they need the permissions, then remove them when their operation is over.\\r\\n- Limit the number of Organization management members. When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\\r\\n- Monitor the content of the following groups:\\r\\n - TenantAdmins_-xxx (Membership in this role group is synchronized across services and managed centrally)\\r\\n - Organization Management\\r\\n - ExchangeServiceAdmins_-xxx (Membership in this role group is synchronized across services and managed centrally)\\r\\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\\r\\n - Discovery Management\\r\\n - Hygiene Management\\r\\n - Security Administrator (Membership in this role group is synchronized across services and managed centrally)\\r\\n - xxx High privilege group (not an exhaustive list)\\r\\n - Compliance Management\\r\\n - All RBAC groups that have high roles delegation\\r\\n - All nested groups in high privileges groups\\r\\n - Note that this is not a complete list. 
The content of all the groups that have high privileges should be monitored.\\r\\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\\r\\n- Periodically review the members of the groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\" Number of direct members per group with RecipientType User\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n//| where CmdletResultValue.RecipientType !contains \\\"group\\\"\\r\\n| extend Members= tostring(CmdletResultValue.Identity)\\r\\n| summarize dcount(tostring(Members)) by RoleGroup = tostring(CmdletResultValue.RoleGroup)\\r\\n| where RoleGroup has_any (\\\"TenantAdmins\\\",\\\"Organization Management\\\", \\\"Discovery Management\\\", \\\"Compliance Management\\\", \\\"Server Management\\\", \\\"ExchangeServiceAdmins\\\",\\\"Security Administrator\\\", \\\"SecurityAdmins\\\", \\\"Recipient Manangement\\\", \\\"Records Manangement\\\",\\\"Impersonation\\\",\\\"Export\\\")\\r\\n| sort by dcount_Members\\r\\n\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleGroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_Members\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"sortCriteriaField\":\"dcount_Members\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 
0\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Number of direct members per group with RecipientType User\",\"expandable\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.RecipientType !contains \\\"group\\\"\\r\\n| extend Members= tostring(CmdletResultValue.Identity)\\r\\n| summarize dcount(tostring(Members)) by RoleGroup = tostring(CmdletResultValue.RoleGroup)\\r\\n| sort by dcount_Members\\r\\n\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleGroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_Members\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"sortCriteriaField\":\"dcount_Members\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList - Copy\"},{\"type\":1,\"content\":{\"json\":\"Exchange Online groups content.\\r\\nSelect a group to display detailed information of its contents.\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Trusted Subsystem\\\"\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Windows 
Permissions\\\"\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Name)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\nExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| search CmdletResultValue.RoleGroup == \\\"{Group}\\\"\\r\\n//| where CmdletResultValue.Level != 0\\r\\n| project CmdletResultValue\\r\\n| extend Members = tostring(CmdletResultValue.Identity)\\r\\n//| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n//| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n//| extend Level = tostring(CmdletResultValue.Level)\\r\\n//| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n//| extend LastLogon = CmdletResultValue.LastLogonString\\r\\n//| extend LastLogon = iif ( todatetime (CmdletResultValue.LastLogonString) < ago(-366d), CmdletResultValue.LastLogonString,strcat(\\\"💥\\\",CmdletResultValue.LastLogonString))\\r\\n//| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend Members = case( CmdletResultValue.RecipientType == \\\"Group\\\", strcat( \\\"👪 \\\", Members), strcat( \\\"🧑‍🦰 \\\", Members) )\\r\\n| extend RecipientType = 
tostring(CmdletResultValue.RecipientType)\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Exchange group\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"ExchAD\"},\"name\":\"Exchange and AD GRoup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Security configuration\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Inbound Connector configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows the configuration of the Inbound connnectors\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend State = tostring(CmdletResultValue.Enabled)\\r\\n| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n| extend AssociatedAcceptedDomainsRequireTls = 
tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n| extend WhenChanged = tostring(CmdletResultValue.WhenChanged)\\r\\n| extend WhenCreated = tostring(CmdletResultValue.WhenCreated)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Name asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = 
tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = 
tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"InBoundC\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | 
distinct Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend State = iff( Identity == prev(Identity) and State != prev(State) 
and prev(State) !=\\\"\\\" , strcat(\\\"📍 \\\", State, \\\" (\\\",prev(State),\\\"->\\\", State,\\\" )\\\"),State)\\r\\n| extend ConnectorType = iff( Identity == prev(Identity) and ConnectorType != prev(ConnectorType) and prev(ConnectorType) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorType, \\\" (\\\",prev(ConnectorType),\\\"->\\\", ConnectorType,\\\" )\\\"),ConnectorType)\\r\\n| extend ConnectorSource = iff( Identity == prev(Identity) and ConnectorSource != prev(ConnectorSource) and prev(ConnectorSource) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorSource, \\\" (\\\",prev(ConnectorSource),\\\"->\\\", ConnectorSource,\\\" )\\\"),ConnectorSource)\\r\\n| extend SenderIPAddresses = iff( Identity == prev(Identity) and SenderIPAddresses != prev(SenderIPAddresses) and prev(SenderIPAddresses) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderIPAddresses, \\\" (\\\",prev(SenderIPAddresses),\\\"->\\\", SenderIPAddresses,\\\" )\\\"),SenderIPAddresses)\\r\\n| extend SenderDomains = iff( Identity == prev(Identity) and SenderDomains != prev(SenderDomains) and prev(SenderDomains) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderDomains, \\\" (\\\",prev(SenderDomains),\\\"->\\\", SenderDomains,\\\" )\\\"),SenderDomains)\\r\\n| extend TrustedOrganizations = iff( Identity == prev(Identity) and TrustedOrganizations != prev(TrustedOrganizations) and prev(TrustedOrganizations) !=\\\"\\\" , strcat(\\\"📍 \\\", TrustedOrganizations, \\\" (\\\",prev(TrustedOrganizations),\\\"->\\\", TrustedOrganizations,\\\" )\\\"),TrustedOrganizations)\\r\\n| extend AssociatedAcceptedDomainsRequireTls = iff (Identity == prev(Identity) and AssociatedAcceptedDomainsRequireTls != prev(AssociatedAcceptedDomainsRequireTls) and prev(AssociatedAcceptedDomainsRequireTls) !=\\\"\\\" , strcat(\\\"📍 \\\", AssociatedAcceptedDomainsRequireTls, \\\" (\\\",prev(AssociatedAcceptedDomainsRequireTls),\\\"->\\\", AssociatedAcceptedDomainsRequireTls,\\\" )\\\"),AssociatedAcceptedDomainsRequireTls)\\r\\n| extend RestrictDomainsToIPAddresses = 
iff(Identity == prev(Identity) and RestrictDomainsToIPAddresses != prev(RestrictDomainsToIPAddresses) and prev(RestrictDomainsToIPAddresses) !=\\\"\\\" , strcat(\\\"📍 \\\", RestrictDomainsToIPAddresses, \\\" (\\\",prev(RestrictDomainsToIPAddresses),\\\"->\\\", RestrictDomainsToIPAddresses,\\\" )\\\"),RestrictDomainsToIPAddresses)\\r\\n| extend RestrictDomainsToCertificate = iff( Identity == prev(Identity) and RestrictDomainsToCertificate != prev(RestrictDomainsToCertificate) and prev(RestrictDomainsToCertificate) !=\\\"\\\" , strcat(\\\"📍 \\\", RestrictDomainsToCertificate, \\\" (\\\",prev(RestrictDomainsToCertificate),\\\"->\\\", RestrictDomainsToCertificate,\\\" )\\\"),RestrictDomainsToCertificate)\\r\\n| extend CloudServicesMailEnabled = iff( Identity == prev(Identity) and CloudServicesMailEnabled != prev(CloudServicesMailEnabled) and prev(CloudServicesMailEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", CloudServicesMailEnabled, \\\" (\\\",prev(CloudServicesMailEnabled),\\\"->\\\", CloudServicesMailEnabled,\\\" )\\\"),CloudServicesMailEnabled)\\r\\n| extend TreatMessagesAsInternal = iff( Identity == prev(Identity) and TreatMessagesAsInternal != prev(TreatMessagesAsInternal) and prev(TreatMessagesAsInternal) !=\\\"\\\" , strcat(\\\"📍 \\\", TreatMessagesAsInternal, \\\" (\\\",prev(TreatMessagesAsInternal),\\\"->\\\", TreatMessagesAsInternal,\\\" )\\\"),TreatMessagesAsInternal)\\r\\n| extend TlsSenderCertificateName = iff(Identity == prev(Identity) and TlsSenderCertificateName != prev(TlsSenderCertificateName) and prev(TlsSenderCertificateName) !=\\\"\\\" , strcat(\\\"📍 \\\", TlsSenderCertificateName, \\\" (\\\",prev(TlsSenderCertificateName),\\\"->\\\", TlsSenderCertificateName,\\\" )\\\"),TlsSenderCertificateName)\\r\\n| extend ScanAndDropRecipients = iff( Identity == prev(Identity) and ScanAndDropRecipients != prev(ScanAndDropRecipients) and prev(ScanAndDropRecipients) !=\\\"\\\" , strcat(\\\"📍 \\\", ScanAndDropRecipients, \\\" 
(\\\",prev(ScanAndDropRecipients),\\\"->\\\", ScanAndDropRecipients,\\\" )\\\"),ScanAndDropRecipients)\\r\\n| extend Comment = iff( Identity == prev(Identity) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or State contains \\\"📍\\\" or ConnectorType contains \\\"📍\\\" or ConnectorSource contains \\\"📍\\\" or SenderIPAddresses contains \\\"📍\\\" or SenderDomains contains \\\"📍\\\" or TrustedOrganizations contains \\\"📍\\\" or AssociatedAcceptedDomainsRequireTls contains \\\"📍\\\" or RestrictDomainsToIPAddresses contains \\\"📍\\\" or RestrictDomainsToCertificate contains \\\"📍\\\" or CloudServicesMailEnabled contains \\\"📍\\\" or TreatMessagesAsInternal contains \\\"📍\\\" or TlsSenderCertificateName contains \\\"📍\\\" or ScanAndDropRecipients contains \\\"📍\\\" or Comment contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n State,\\r\\n ConnectorType,\\r\\n 
ConnectorSource,\\r\\n Comment,\\r\\n SenderIPAddresses,\\r\\n SenderDomains,\\r\\n TrustedOrganizations,\\r\\n AssociatedAcceptedDomainsRequireTls,\\r\\n RestrictDomainsToIPAddresses,\\r\\n RestrictDomainsToCertificate,\\r\\n CloudServicesMailEnabled,\\r\\n TreatMessagesAsInternal,\\r\\n TlsSenderCertificateName,\\r\\n ScanAndDropRecipients,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 2\"}]},\"name\":\"Inbound Connector configuration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Outbound Connector configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows the configuration of the Outbound connnectors\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend State = tostring(CmdletResultValue.Enabled)\\r\\n| extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n| extend SmartHosts = 
tostring(CmdletResultValue.SmartHosts)\\r\\n| extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n| extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n| extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n| extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n| extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n| extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n| extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n| extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n| extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n| extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n| extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n| extend WhenChanged = tostring(CmdletResultValue.WhenChanged)\\r\\n| extend WhenCreated = tostring(CmdletResultValue.WhenCreated)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Name asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Outbound Connector configuration - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = 
(ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = 
tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = 
todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"OutBoundC\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp 
= tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project 
WhenChanged,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend State = iff( Identity == prev(Identity) and State != prev(State) and prev(State) !=\\\"\\\" , strcat(\\\"📍 \\\", State, \\\" (\\\",prev(State),\\\"->\\\", State,\\\" )\\\"),State)\\r\\n| extend ConnectorType = iff( Identity == prev(Identity) and ConnectorType != prev(ConnectorType) and prev(ConnectorType) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorType, \\\" (\\\",prev(ConnectorType),\\\"->\\\", ConnectorType,\\\" )\\\"),ConnectorType)\\r\\n| extend ConnectorSource = iff( Identity == prev(Identity) and ConnectorSource != prev(ConnectorSource) and prev(ConnectorSource) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorSource, \\\" (\\\",prev(ConnectorSource),\\\"->\\\", ConnectorSource,\\\" )\\\"),ConnectorSource)\\r\\n| extend CloudServicesMailEnabled = iff( Identity == prev(Identity) and CloudServicesMailEnabled != prev(CloudServicesMailEnabled) and prev(CloudServicesMailEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", CloudServicesMailEnabled, \\\" (\\\",prev(CloudServicesMailEnabled),\\\"->\\\", CloudServicesMailEnabled,\\\" )\\\"),CloudServicesMailEnabled)\\r\\n| extend Comment = iff( Comment == prev(Comment) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend RecipientDomains = iff( Identity == prev(Identity) and RecipientDomains != prev(RecipientDomains) and prev(RecipientDomains) !=\\\"\\\" , 
strcat(\\\"📍 \\\", RecipientDomains, \\\" (\\\",prev(RecipientDomains),\\\"->\\\", RecipientDomains,\\\" )\\\"),RecipientDomains)\\r\\n| extend SmartHosts = iff( Identity == prev(Identity) and SmartHosts != prev(SmartHosts) and prev(SmartHosts) !=\\\"\\\" , strcat(\\\"📍 \\\", SmartHosts, \\\" (\\\",prev(SmartHosts),\\\"->\\\", SmartHosts,\\\" )\\\"),SmartHosts)\\r\\n| extend TlsDomain = iff( Identity == prev(Identity) and TlsDomain != prev(TlsDomain) and prev(TlsDomain) !=\\\"\\\" , strcat(\\\"📍 \\\", TlsDomain, \\\" (\\\",prev(TlsDomain),\\\"->\\\", TlsDomain,\\\" )\\\"),TlsDomain)\\r\\n| extend IsTransportRuleScoped = iff( Identity == prev(Identity) and IsTransportRuleScoped != prev(IsTransportRuleScoped) and prev(IsTransportRuleScoped) !=\\\"\\\" , strcat(\\\"📍 \\\", IsTransportRuleScoped, \\\" (\\\",prev(IsTransportRuleScoped),\\\"->\\\", IsTransportRuleScoped,\\\" )\\\"),IsTransportRuleScoped)\\r\\n| extend RouteAllMessagesViaOnPremises = iff( Identity == prev(Identity) and RouteAllMessagesViaOnPremises != prev(RouteAllMessagesViaOnPremises) and prev(RouteAllMessagesViaOnPremises) !=\\\"\\\" , strcat(\\\"📍 \\\", RouteAllMessagesViaOnPremises, \\\" (\\\",prev(RouteAllMessagesViaOnPremises),\\\"->\\\", RouteAllMessagesViaOnPremises,\\\" )\\\"),RouteAllMessagesViaOnPremises)\\r\\n| extend AllAcceptedDomains = iff( Identity == prev(Identity) and AllAcceptedDomains != prev(AllAcceptedDomains) and prev(AllAcceptedDomains) !=\\\"\\\" , strcat(\\\"📍 \\\", AllAcceptedDomains, \\\" (\\\",prev(AllAcceptedDomains),\\\"->\\\", AllAcceptedDomains,\\\" )\\\"),AllAcceptedDomains)\\r\\n| extend SenderRewritingEnabled = iff( Identity == prev(Identity) and SenderRewritingEnabled != prev(SenderRewritingEnabled) and prev(SenderRewritingEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderRewritingEnabled, \\\" (\\\",prev(SenderRewritingEnabled),\\\"->\\\", SenderRewritingEnabled,\\\" )\\\"),SenderRewritingEnabled)\\r\\n| extend TestMode = iff( Identity == prev(Identity)and TestMode != 
prev(TestMode) and prev(TestMode) !=\\\"\\\" , strcat(\\\"📍 \\\", TestMode, \\\" (\\\",prev(TestMode),\\\"->\\\", TestMode,\\\" )\\\"),TestMode)\\r\\n| extend LinkForModifiedConnector = iff( Identity == prev(Identity) and LinkForModifiedConnector != prev(LinkForModifiedConnector) and prev(LinkForModifiedConnector) !=\\\"\\\" , strcat(\\\"📍 \\\", LinkForModifiedConnector, \\\" (\\\",prev(LinkForModifiedConnector),\\\"->\\\", LinkForModifiedConnector,\\\" )\\\"),LinkForModifiedConnector)\\r\\n| extend ValidationRecipients = iff( Identity == prev(Identity) and ValidationRecipients != prev(ValidationRecipients) and prev(ValidationRecipients) !=\\\"\\\" , strcat(\\\"📍 \\\", ValidationRecipients, \\\" (\\\",prev(ValidationRecipients),\\\"->\\\", ValidationRecipients,\\\" )\\\"),ValidationRecipients)\\r\\n| extend IsValidated = iff( Identity == prev(Identity) and IsValidated != prev(IsValidated) and prev(IsValidated) !=\\\"\\\" , strcat(\\\"📍 \\\", IsValidated, \\\" (\\\",prev(IsValidated),\\\"->\\\", IsValidated,\\\" )\\\"),IsValidated)\\r\\n| extend LastValidationTimestamp = iff( Identity == prev(Identity) and LastValidationTimestamp != prev(LastValidationTimestamp) and prev(LastValidationTimestamp) !=\\\"\\\" , strcat(\\\"📍 \\\", LastValidationTimestamp, \\\" (\\\",prev(LastValidationTimestamp),\\\"->\\\", LastValidationTimestamp,\\\" )\\\"),LastValidationTimestamp)\\r\\n| extend Comment = iff( Identity == prev(Identity) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or State contains \\\"📍\\\" or ConnectorType contains \\\"📍\\\" or ConnectorSource contains \\\"📍\\\"or CloudServicesMailEnabled contains \\\"📍\\\" or Comment contains \\\"📍\\\" or UseMXRecord contains \\\"📍\\\" or RecipientDomains contains \\\"📍\\\" or SmartHosts contains \\\"📍\\\" or TlsDomain contains \\\"📍\\\" or TlsSettings contains 
\\\"📍\\\" or IsTransportRuleScoped contains \\\"📍\\\" or RouteAllMessagesViaOnPremises contains \\\"📍\\\" or AllAcceptedDomains contains \\\"📍\\\" or SenderRewritingEnabled contains \\\"📍\\\" or TestMode contains \\\"📍\\\" or LinkForModifiedConnector contains \\\"📍\\\" or ValidationRecipients contains \\\"📍\\\" or IsValidated contains \\\"📍\\\" or LastValidationTimestamp contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n State,\\r\\n ConnectorType,\\r\\n ConnectorSource, \\r\\n CloudServicesMailEnabled,\\r\\n Comment,\\r\\n UseMXRecord,\\r\\n RecipientDomains,\\r\\n SmartHosts,\\r\\n TlsDomain,\\r\\n TlsSettings,\\r\\n IsTransportRuleScoped,\\r\\n RouteAllMessagesViaOnPremises,\\r\\n AllAcceptedDomains,\\r\\n SenderRewritingEnabled,\\r\\n TestMode,\\r\\n LinkForModifiedConnector,\\r\\n ValidationRecipients,\\r\\n IsValidated,\\r\\n LastValidationTimestamp,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters 
)\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Rules with specific actions to monitor\",\"items\":[{\"type\":1,\"content\":{\"json\":\"A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\\r\\n\\r\\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\\r\\n- BlindCopyTo\\r\\n- SentTo\\r\\n- CopyTo\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Identity = iif( CmdletResultValue.Identity contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n| extend State = tostring(CmdletResultValue.State)\\r\\n| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n| extend SenderIpRangesString = 
tostring(CmdletResultValue.SenderIpRangesString)\\r\\n| extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Transport Rules actions to monitor\"},{\"type\":1,\"content\":{\"json\":\"** Due to lack of informaiton in Powershell, the Transport Rule compare section could display approximate information for Add and Modif. Especially, for the WhenCreated parameter.\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = 
tostring(CmdletResultValue.Mode)\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n | extend CmdletResultValue.RedirectMessageToString\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange =\\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"TransportRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| sort by Identity,TimeGenerated asc\\r\\n | extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n | extend CmdletResultValue.RedirectMessageToString\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n | extend WhenChanged = todatetime(bin(WhenChanged,1m))\\r\\n | extend aa=prev(WhenCreated)\\r\\n | extend WhenCreated = iff( Identity == prev(Identity) and WhenChanged != prev(WhenChanged),aa ,WhenChanged)\\r\\n | extend WhenCreated =bin(WhenCreated,1m)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = inner (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,Mode,SetSCL,SenderIpRangesString,MessageTypeMatchesString,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData1 = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffAddData2 = union 
DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\"\\r\\n| distinct Identity;\\r\\nlet DiffAddData = DiffAddData1\\r\\n| join DiffAddData2 on Identity\\r\\n;\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenChanged,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo, SetSCL, SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend SentTo = iff( Identity == prev(Identity) and SentTo != prev(SentTo) and prev(SentTo) !=\\\"\\\" , strcat(\\\"📍 \\\", SentTo, \\\" (\\\",prev(SentTo),\\\"->\\\", SentTo,\\\" )\\\"),SentTo)\\r\\n| extend BlindCopyTo = iff( Identity == prev(Identity) and BlindCopyTo != prev(BlindCopyTo) and prev(BlindCopyTo) !=\\\"\\\" , strcat(\\\"📍 \\\", BlindCopyTo, \\\" (\\\",prev(BlindCopyTo),\\\"->\\\", BlindCopyTo,\\\" )\\\"),BlindCopyTo)\\r\\n| extend CopyTo = iff( Identity == prev(Identity) and CopyTo != prev(CopyTo) and prev(CopyTo) !=\\\"\\\" , strcat(\\\"📍 \\\", CopyTo, \\\" (\\\",prev(CopyTo),\\\"->\\\", CopyTo,\\\" )\\\"),CopyTo)\\r\\n| extend SetSCL = iff( Identity == prev(Identity)and SetSCL != prev(SetSCL) and prev(SetSCL) !=\\\"\\\" , strcat(\\\"📍 \\\", SetSCL, \\\" (\\\",prev(SetSCL),\\\"->\\\", SetSCL,\\\" )\\\"),SetSCL)\\r\\n| extend SenderIpRangesString = 
iff( Identity == prev(Identity)and SenderIpRangesString != prev(SenderIpRangesString) and prev(SenderIpRangesString) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderIpRangesString, \\\" (\\\",prev(SenderIpRangesString),\\\"->\\\", SenderIpRangesString,\\\" )\\\"),SenderIpRangesString)\\r\\n| extend MessageTypeMatchesString = iff( Identity == prev(Identity)and MessageTypeMatchesString != prev(MessageTypeMatchesString) and prev(MessageTypeMatchesString) !=\\\"\\\" , strcat(\\\"📍 \\\", MessageTypeMatchesString, \\\" (\\\",prev(MessageTypeMatchesString),\\\"->\\\", MessageTypeMatchesString,\\\" )\\\"),MessageTypeMatchesString)\\r\\n| extend Mode = iff( Identity == prev(Identity)and Mode != prev(Mode) and prev(Mode) !=\\\"\\\" , strcat(\\\"📍 \\\", Mode, \\\" (\\\",prev(Mode),\\\"->\\\", Mode,\\\" )\\\"),Mode)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or SentTo contains \\\"📍\\\" or BlindCopyTo contains \\\"📍\\\" or CopyTo contains \\\"📍\\\" or SetSCL contains \\\"📍\\\" or SenderIpRangesString contains \\\"📍\\\" or MessageTypeMatchesString contains \\\"📍\\\" or Mode contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n SentTo,\\r\\n BlindCopyTo,\\r\\n CopyTo,\\r\\n RedirectMessageTo,\\r\\n SetSCL,\\r\\n 
SenderIpRangesString,\\r\\n MessageTypeMatchesString,\\r\\n Mode,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Outbound Policy : Autoforward configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is enabled, then automatic transfer are allowed.\\r\\nFor example: users in Outlook will be able set automatic transfer of all their emails to external addresses.\\r\\nThere are several methods to authorized automatic forward. \\r\\nPlease review this article : https://learn.microsoft.com/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding?view=o365-worldwide\\r\\n**In summary :**\\r\\n\\r\\n**Scenario 1 :**\\r\\n\\r\\nYou configure remote domain settings to allow automatic forwarding.\\r\\nAutomatic forwarding in the outbound spam filter policy is set to Off.\\r\\n*Result :* \\r\\nAutomatically forwarded messages to recipients in the affected domains are blocked.\\r\\n\\r\\n**Scenario 2 :**\\r\\n\\r\\nYou configure remote domain settings to allow automatic forwarding.\\r\\nAutomatic forwarding in the outbound spam filter policy is set to Automatic - System-controlled.\\r\\n\\r\\n*Result :* \\r\\n\\r\\nAutomatically forwarded messages to recipients in the affected domains are blocked.\\r\\nAs described earlier, Automatic - System-controlled used to mean On, but the setting has changed over time to mean Off in all organizations.\\r\\n\\r\\nFor absolute clarity, you should 
configure your outbound spam filter policy to On or Off.\\r\\n\\r\\n**Scenario 3 :**\\r\\n\\r\\nAutomatic forwarding in the outbound spam filter policy is set to On\\r\\nYou use mail flow rules or remote domains to block automatically forwarded email\\r\\n\\r\\n*Result : *\\r\\n\\r\\nAutomatically forwarded messages to affected recipients are blocked by mail flow rules or remote domains.\\r\\n****\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let HOSFR = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterRule\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n| project Identity,HostedOutboundSpamFilterPolicy;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n| join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n| extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n| extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n| extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n| extend AutoForwardingMode= iff (CmdletResultValue.AutoForwardingMode == \\\"On\\\" , strcat (\\\"❌ \\\", tostring(CmdletResultValue.AutoForwardingMode)), tostring(CmdletResultValue.AutoForwardingMode))\\r\\n| extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n| extend 
RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n| extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n| extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n| extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n| extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n| extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n| extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n| extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n| project Identity,IsDefault,Enabled,AutoForwardingMode,OutboundSpamFilterRule,BccSuspiciousOutboundAdditionalRecipients,BccSuspiciousOutboundMail,NotifyOutboundSpam,NotifyOutboundSpamRecipient,WhenChanged,WhenCreated\\r\\n| sort by Identity asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"OutboundPol - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = 
todatetime(toscalar(_currD));\\r\\nlet HOSFR = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterRule\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n| project Identity,HostedOutboundSpamFilterPolicy;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend Identity = tostring(Identity)\\r\\n | join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = 
todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend Identity = tostring(Identity)\\r\\n | join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRangeOSFR = ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"HostedOutboundSpamFilterRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n | extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n | project Identity, HostedOutboundSpamFilterPolicy;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"HostedOutboundSpamFilterPolicy\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n | project\\r\\n TimeGenerated,\\r\\n Identity,\\r\\n CmdletResultValue,\\r\\n WhenChanged = todatetime(bin(WhenChanged_t,1m)),\\r\\n WhenCreated=todatetime(bin(WhenCreated_t,1m))\\r\\n | join kind=fullouter allDataRangeOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= 
tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData\\r\\n | where WhenCreated >= _DateCompareB)\\r\\n on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange) on WhenCreated\\r\\n | where WhenCreated >= _DateCompareB\\r\\n | where bin(WhenCreated, 5m) == bin(WhenChanged, 5m)\\r\\n | distinct\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffAddData = union DiffAddDataP1, DiffAddDataP2\\r\\n | extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n 
OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n | project\\r\\n WhenChanged=_CurrentDateB,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated\\r\\n;\\r\\nlet DiffModifData = union AfterData, allDataRange\\r\\n | sort by Identity, WhenChanged asc\\r\\n | project\\r\\n WhenChanged,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n | extend Identity = iff(Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) != \\\"\\\", strcat(\\\"📍 \\\", Identity, \\\" (\\\", prev(Identity), \\\"->\\\", Identity, \\\" )\\\"), Identity)\\r\\n | extend IsDefault = iff(Identity == prev(Identity) and IsDefault != prev(IsDefault) and prev(IsDefault) != \\\"\\\", strcat(\\\"📍 \\\", IsDefault, \\\" (\\\", prev(IsDefault), \\\"->\\\", IsDefault, \\\" )\\\"), IsDefault)\\r\\n | extend Enabled = iff(Identity == prev(Identity) and Enabled != prev(Enabled) and prev(Enabled) != \\\"\\\", strcat(\\\"📍 
\\\", Enabled, \\\" (\\\", prev(Enabled), \\\"->\\\", Enabled, \\\" )\\\"), Enabled)\\r\\n | extend AutoForwardingMode = iff(Identity == prev(Identity) and AutoForwardingMode != prev(AutoForwardingMode) and prev(AutoForwardingMode) != \\\"\\\", strcat(\\\"📍 \\\", AutoForwardingMode, \\\" (\\\", prev(AutoForwardingMode), \\\"->\\\", AutoForwardingMode, \\\" )\\\"), AutoForwardingMode)\\r\\n | extend OutboundSpamFilterRule = iff(Identity == prev(Identity) and OutboundSpamFilterRule != prev(OutboundSpamFilterRule) and prev(OutboundSpamFilterRule) != \\\"\\\", strcat(\\\"📍 \\\", OutboundSpamFilterRule, \\\" (\\\", prev(OutboundSpamFilterRule), \\\"->\\\", OutboundSpamFilterRule, \\\" )\\\"), OutboundSpamFilterRule)\\r\\n | extend RecommendedPolicyType = iff(Identity == prev(Identity) and RecommendedPolicyType != prev(RecommendedPolicyType) and prev(RecommendedPolicyType) != \\\"\\\", strcat(\\\"📍 \\\", RecommendedPolicyType, \\\" (\\\", prev(RecommendedPolicyType), \\\"->\\\", RecommendedPolicyType, \\\" )\\\"), RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = iff(Identity == prev(Identity) and RecipientLimitExternalPerHour != prev(RecipientLimitExternalPerHour) and prev(RecipientLimitExternalPerHour) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitExternalPerHour, \\\" (\\\", prev(RecipientLimitExternalPerHour), \\\"->\\\", RecipientLimitExternalPerHour, \\\" )\\\"), RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = iff(Identity == prev(Identity) and RecipientLimitInternalPerHour != prev(RecipientLimitInternalPerHour) and prev(RecipientLimitInternalPerHour) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitInternalPerHour, \\\" (\\\", prev(RecipientLimitInternalPerHour), \\\"->\\\", RecipientLimitInternalPerHour, \\\" )\\\"), RecipientLimitInternalPerHour)\\r\\n | extend ActionWhenThresholdReached = iff(Identity == prev(Identity) and ActionWhenThresholdReached != prev(ActionWhenThresholdReached) and 
prev(ActionWhenThresholdReached) != \\\"\\\", strcat(\\\"📍 \\\", ActionWhenThresholdReached, \\\" (\\\", prev(ActionWhenThresholdReached), \\\"->\\\", ActionWhenThresholdReached, \\\" )\\\"), ActionWhenThresholdReached)\\r\\n | extend RecipientLimitPerDay = iff(Identity == prev(Identity) and RecipientLimitPerDay != prev(RecipientLimitPerDay) and prev(RecipientLimitPerDay) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitPerDay, \\\" (\\\", prev(RecipientLimitPerDay), \\\"->\\\", RecipientLimitPerDay, \\\" )\\\"), RecipientLimitPerDay)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients = iff(Identity == prev(Identity) and BccSuspiciousOutboundAdditionalRecipients != prev(BccSuspiciousOutboundAdditionalRecipients) and prev(BccSuspiciousOutboundAdditionalRecipients) != \\\"\\\", strcat(\\\"📍 \\\", BccSuspiciousOutboundAdditionalRecipients, \\\" (\\\", prev(BccSuspiciousOutboundAdditionalRecipients), \\\"->\\\", BccSuspiciousOutboundAdditionalRecipients, \\\" )\\\"), BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = iff(Identity == prev(Identity) and BccSuspiciousOutboundMail != prev(BccSuspiciousOutboundMail) and prev(BccSuspiciousOutboundMail) != \\\"\\\", strcat(\\\"📍 \\\", BccSuspiciousOutboundMail, \\\" (\\\", prev(BccSuspiciousOutboundMail), \\\"->\\\", BccSuspiciousOutboundMail, \\\" )\\\"), BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam = iff(Identity == prev(Identity) and NotifyOutboundSpam != prev(NotifyOutboundSpam) and prev(NotifyOutboundSpam) != \\\"\\\", strcat(\\\"📍 \\\", NotifyOutboundSpam, \\\" (\\\", prev(NotifyOutboundSpam), \\\"->\\\", NotifyOutboundSpam, \\\" )\\\"), NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = iff(Identity == prev(Identity) and NotifyOutboundSpamRecipient != prev(NotifyOutboundSpamRecipient) and prev(NotifyOutboundSpamRecipient) != \\\"\\\", strcat(\\\"📍 \\\", NotifyOutboundSpamRecipient, \\\" (\\\", prev(NotifyOutboundSpamRecipient), \\\"->\\\", 
NotifyOutboundSpamRecipient, \\\" )\\\"), NotifyOutboundSpamRecipient)\\r\\n | extend ActiontypeR =iff((Identity contains \\\"📍\\\" or IsDefault contains \\\"📍\\\" or Enabled contains \\\"📍\\\" or OutboundSpamFilterRule contains \\\"📍\\\" or AutoForwardingMode contains \\\"📍\\\" or BccSuspiciousOutboundAdditionalRecipients contains \\\"📍\\\" or BccSuspiciousOutboundMail contains \\\"📍\\\" or NotifyOutboundSpam contains \\\"📍\\\" or NotifyOutboundSpamRecipient contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n 
NotifyOutboundSpamRecipient,\\r\\n WhenCreated \",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 7 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Remote Domain Autofoward Configuration - * should not allow AutoForwardEnabled\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is set to True for an SMTP domain and the Outbound Policy is set to On then users in Outlook are allowed to set automatic transfer of all their emails to addresses in this domain.\\r\\n\\r\\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. 
\\r\\n\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName)\\r\\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.DomainName == \\\"*\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.DomainName != \\\"*\\\", strcat (\\\"⚠️ \\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅ \\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n| project-away CmdletResultValue\\r\\n| sort by Address asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ForwardGroup\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = 
arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n \\t | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"RemoteDomain\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,DomainName,AutoForwardEnabled,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend DomainName = iff( Identity == prev(Identity) and DomainName != prev(DomainName) and prev(DomainName) !=\\\"\\\" , strcat(\\\"📍 \\\", DomainName, \\\" (\\\",prev(DomainName),\\\"->\\\", 
DomainName,\\\" )\\\"),DomainName)\\r\\n| extend AutoForwardEnabled = iff( Identity == prev(Identity) and AutoForwardEnabled != prev(AutoForwardEnabled) and prev(AutoForwardEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", AutoForwardEnabled, \\\" (\\\",prev(AutoForwardEnabled),\\\"->\\\", AutoForwardEnabled,\\\" )\\\"),AutoForwardEnabled)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or DomainName contains \\\"📍\\\" or AutoForwardEnabled contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n DomainName,\\r\\n AutoForwardEnabled,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 7\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Transport\"},\"name\":\"Transport Security 
configuration\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityReview-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Security Review Online\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9ae328d6-99c8-4c44-8d59-42ca4d999098\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"Online\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 
'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"181fa282-a002-42f1-ad57-dfb86df3194e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Compare_Collect\",\"type\":10,\"description\":\"If this button is checked, two collections will be compared\",\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true 
}\\r\\n]\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a9e0099e-5eb1-43b8-915c-587aa05bccf0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateCompare\",\"type\":2,\"description\":\"Date to Comapre\",\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = 
iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"This workbook helps review your Exchange Security configuration.\\r\\nAdjust the time range, and when needed select an item in the dropdownlist\",\"style\":\"info\"},\"name\":\"text - 
9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Mailbox Access\",\"subTarget\":\"Delegation\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true},{\"id\":\"be02c735-6150-4b6e-a386-b2b023e754e5\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"EXO & Azure AD Groups\",\"subTarget\":\"ExchAD\",\"style\":\"link\"},{\"id\":\"26c68d90-925b-4c3c-a837-e3cecd489b2d\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Transport Configuration\",\"subTarget\":\"Transport\",\"style\":\"link\"},{\"id\":\"eb2888ca-7fa6-4e82-88db-1bb3663a801e\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"TopMenuTabs\"},{\"type\":1,\"content\":{\"json\":\"To compare collects, select **Yes** and choose the initial date.\\r\\nFor each role, a new table will be displayed with **all** the modifications (Add, Remove, Modifications) beetween the two dates.\\r\\n\\r\\n**Important notes** : Some information are limited are may be not 100% accurate :\\r\\n - Date\\r\\n - GUID of user instead of the name\\r\\n - Fusion of modifications when a role assisgnment is changed within the same collect \\r\\n - ... \\r\\n\\r\\nThis is due to some restrictions in the collect. 
For more details information, please check the workbook **\\\"Microsoft Exchange Search AdminAuditLog - Online\\\"**\\r\\n.\\r\\n\\r\\nThe compare functionnality is not available for all sections in this workbook.\\r\\n\"},\"name\":\"text - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\n\\r\\nThe goal of this workbook is to outline key security configurations of your Exchange on-premises environment.\\r\\n\\r\\nMost of Exchange organizations have were installed years ago (sometimes more than 10 years). Many configurations have been done and might not have been documented. For most environments, the core commitment was maintaining a high availability of the users’ mailboxes putting aside other consideration (even security considerations). Recommended security practices have also evolved since the first released and a regular review is necessary.\\r\\n\\r\\nThis workbook is designed to show your Exchange organization is configured with a security point of view. Indeed, some configurations easy to display as there are no UI available.\\r\\n\\r\\nFor each configuration, you will find explanations and recommendations when applicable.\\r\\n\\r\\n- This workbook does not pretend to show you every weak Security configurations, but the most common issues and known to be used by attackers. 
\\r\\n- It will not show you if you have been comprised, but will help you identify unexpected configuration.\\r\\n\\r\\n----\\r\\n\\r\\n## Quick reminder of how Exchange works\\r\\n\\r\\nDuring Exchange installation two very important groups are created :\\r\\n- Exchange Trusted Subsystem : Contain all the computer accounts for Exchange Server\\r\\n- Exchange Windows Permissions : Contain the group Exchange trusted Subsystem\\r\\n\\r\\nThese groups have :\\r\\n- Very high privileges in ALL AD domains including the root domain\\r\\n- Right on any Exchange including mailboxes\\r\\n\\r\\nAs each Exchange server computer account is member of Exchange Trusted Subsystem, it means by taking control of the computer account or being System on an Exchange server you will gain access to all the permissions granted to Exchange Trusted Subsystem and Exchange Windows Permissions.\\r\\n\\r\\nTo protect AD and Exchange, it is very important to ensure the following:\\r\\n- There is a very limited number of persons that are local Administrator on Exchange server\\r\\n- To protect user right like : Act part of the operating System, Debug\\r\\n\\r\\nEvery service account or application that have high privileges on Exchange need to be considered as sensitive\\r\\n\\r\\n** 💡 Exchange servers need to be considered as very sensitive servers**\\r\\n\\r\\n-----\\r\\n\\r\\n\\r\\n## Tabs\\r\\n\\r\\n### Mailbox Access\\r\\n\\r\\nThis tab will show you several top sensitive delegations that allow an account to access, modify, act as another user, search, export the content of a mailbox.\\r\\n\\r\\n### Exchange & AD Groups\\r\\n\\r\\nThis tab will show you the members of Exchange groups and Sensitive AD groups.\\r\\n\\r\\n### Local Administrators\\r\\n\\r\\nThis tab will show you the non standard content of the local Administrators group. 
Remember that a member of the local Administrators group can take control of the computer account of the server and then it will have all the permissions associated with Exchange Trusted Subsytem and Exchange Windows Permissions\\r\\n\\r\\nThe information is displayed with different views : \\r\\n- List of nonstandard users\\r\\n- Number of servers with a nonstandard a user\\r\\n- Nonstandard groups content\\r\\n- For each user important information are displayed like last logon, last password set, enabled\\r\\n\\r\\n### Exchange Security configuration\\r\\n\\r\\nThis tab will show you some important configuration for your Exchange Organization\\r\\n- Status of Admin Audit Log configuration\\r\\n- Status of POP and IMAP configuration : especially, is Plaintext Authentication configured ?\\r\\n- Nonstandard permissions on the Exchange container in the Configuration Partition\\r\\n\\r\\n### Transport Configuration\\r\\n\\r\\nThis tab will show you the configuration of the main Transport components\\r\\n- Receive Connectors configured with Anonymous and/or Open Relay\\r\\n- Remote Domain Autoforward configuration\\r\\n- Transport Rules configured with BlindCopyTo, SendTo, RedirectTo\\r\\n- Journal Rule and Journal Recipient configurations\\r\\n- Accepted Domains with *\\r\\n\\r\\n\"},\"name\":\"WorkbookInfo\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"InformationTab\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Display important security configurations that allow to access mailboxes' content. 
Direct delegations on mailboxes are not listed (Full Access permission mailboxes or direct delegations on mailboxes folders)\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !contains \\\"Deleg\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| where CmdletResultValue.Role contains \\\"Export\\\" or CmdletResultValue.Role contains \\\"Impersonation\\\" or CmdletResultValue.Role contains \\\"Search\\\"\\r\\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role)\",\"size\":3,\"title\":\"Number of accounts with sensitive RBAC roles\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"role\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_RoleAssigneeName\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"role\",\"sortOrderField\":1}},\"name\":\"MRAQuery\"},{\"type\":1,\"content\":{\"json\":\"**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes. This role is very powerfull and should be carefully delegated. 
When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\\r\\n\\r\\nIt is common to see service accounts for backup solution, antivirus software, MDM...\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SensitiveRBACHelp\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Application Impersonation Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows the delegated account to access and modify the content of every mailboxes using EWS.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"Impersonation\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"RoleGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| 
extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExclusionsAcctValue = dynamic([\\\"Hygiene Management\\\", \\\"RIM-MailboxAdmins\\\"]);\\r\\nMESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\\\"Impersonation\\\")\",\"size\":3,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 2\"}]},\"name\":\"Application Impersonation Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Import Export Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to import contents in all mailboxes.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\\r\\n\"},\"name\":\"text - 
0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Import Export** is an RBAC role that allows an account to import (export is not available online) contant in a user mailbox. It also allows searches in all mailboxes.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is not delegated to any user or group. The members of the group Organization Management by default do not have this role but are able to delegate it.\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n- create an empty group with this delegation\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"export\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"RoleGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= 
tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = \\\"N/A\\\",CurrentRole=\\\"export\\\")\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Import Export Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Search 
Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to search inside all or in a scope of mailboxes.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\\r\\nDiscovery Management has been excluded\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Search** is an RBAC role that allows an account to search in any mailbox.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is only delegated to the group Discovery Management. The members of the group Organization Management do not have this role but are able to delegate it.\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n\\r\\n- add the administrators in the Discovery Management group\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"search\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| where CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"Group\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = 
tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = \\\"N/A\\\",CurrentRole=\\\"Search\\\")\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters 
)\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Search Role\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Delegation\"},\"name\":\"Importantsecurityconfiguration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange Group\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Ensure that no service account are a member of the high privilege groups. Use RBAC to delegate the exact required permissions.\\r\\n- Limit the usage of nested group for administration.\\r\\n- Ensure that accounts are given only the required pernissions to execute their tasks.\\r\\n- Use just in time administration principle by adding users in a group only when they need the permissions, then remove them when their operation is over.\\r\\n- Limit the number of Organization management members. 
When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\\r\\n- Monitor the content of the following groups:\\r\\n - TenantAdmins_-xxx (Membership in this role group is synchronized across services and managed centrally)\\r\\n - Organization Management\\r\\n - ExchangeServiceAdmins_-xxx (Membership in this role group is synchronized across services and managed centrally)\\r\\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\\r\\n - Discovery Management\\r\\n - Hygiene Management\\r\\n - Security Administrator (Membership in this role group is synchronized across services and managed centrally)\\r\\n - xxx High privilege group (not an exhaustive list)\\r\\n - Compliance Management\\r\\n - All RBAC groups that have high roles delegation\\r\\n - All nested groups in high privileges groups\\r\\n - Note that this is not a complete list. The content of all the groups that have high privileges should be monitored.\\r\\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\\r\\n- Periodically review the members of the groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\" Number of direct members per group with RecipientType User\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n//| where CmdletResultValue.RecipientType !contains \\\"group\\\"\\r\\n| extend Members= tostring(CmdletResultValue.Identity)\\r\\n| summarize 
dcount(tostring(Members)) by RoleGroup = tostring(CmdletResultValue.RoleGroup)\\r\\n| where RoleGroup has_any (\\\"TenantAdmins\\\",\\\"Organization Management\\\", \\\"Discovery Management\\\", \\\"Compliance Management\\\", \\\"Server Management\\\", \\\"ExchangeServiceAdmins\\\",\\\"Security Administrator\\\", \\\"SecurityAdmins\\\", \\\"Recipient Manangement\\\", \\\"Records Manangement\\\",\\\"Impersonation\\\",\\\"Export\\\")\\r\\n| sort by dcount_Members\\r\\n\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleGroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_Members\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"sortCriteriaField\":\"dcount_Members\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Number of direct members per group with RecipientType User\",\"expandable\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.RecipientType !contains \\\"group\\\"\\r\\n| extend Members= tostring(CmdletResultValue.Identity)\\r\\n| summarize dcount(tostring(Members)) by RoleGroup = tostring(CmdletResultValue.RoleGroup)\\r\\n| sort by 
dcount_Members\\r\\n\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleGroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_Members\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"sortCriteriaField\":\"dcount_Members\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList - Copy\"},{\"type\":1,\"content\":{\"json\":\"Exchange Online groups content.\\r\\nSelect a group to display detailed information of its contents.\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Trusted Subsystem\\\"\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Windows Permissions\\\"\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Name)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = 
\\\"Online\\\")\\r\\nExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| search CmdletResultValue.RoleGroup == \\\"{Group}\\\"\\r\\n//| where CmdletResultValue.Level != 0\\r\\n| project CmdletResultValue\\r\\n| extend Members = tostring(CmdletResultValue.Identity)\\r\\n//| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n//| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n//| extend Level = tostring(CmdletResultValue.Level)\\r\\n//| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n//| extend LastLogon = CmdletResultValue.LastLogonString\\r\\n//| extend LastLogon = iif ( todatetime (CmdletResultValue.LastLogonString) < ago(-366d), CmdletResultValue.LastLogonString,strcat(\\\"💥\\\",CmdletResultValue.LastLogonString))\\r\\n//| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend Members = case( CmdletResultValue.RecipientType == \\\"Group\\\", strcat( \\\"👪 \\\", Members), strcat( \\\"🧑‍🦰 \\\", Members) )\\r\\n| extend RecipientType = tostring(CmdletResultValue.RecipientType)\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Exchange group\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"ExchAD\"},\"name\":\"Exchange and AD GRoup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Security 
configuration\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Inbound Connector configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows the configuration of the Inbound connnectors\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend State = tostring(CmdletResultValue.Enabled)\\r\\n| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n| extend WhenChanged = 
tostring(CmdletResultValue.WhenChanged)\\r\\n| extend WhenCreated = tostring(CmdletResultValue.WhenCreated)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Name asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend 
RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend 
ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"InBoundC\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = 
tostring(CmdletResultValue.Comment)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project 
WhenChanged,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend State = iff( Identity == prev(Identity) and State != prev(State) and prev(State) !=\\\"\\\" , strcat(\\\"📍 \\\", State, \\\" (\\\",prev(State),\\\"->\\\", State,\\\" )\\\"),State)\\r\\n| extend ConnectorType = iff( Identity == prev(Identity) and ConnectorType != prev(ConnectorType) and prev(ConnectorType) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorType, \\\" (\\\",prev(ConnectorType),\\\"->\\\", ConnectorType,\\\" )\\\"),ConnectorType)\\r\\n| extend ConnectorSource = iff( Identity == prev(Identity) and ConnectorSource != prev(ConnectorSource) and prev(ConnectorSource) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorSource, \\\" (\\\",prev(ConnectorSource),\\\"->\\\", ConnectorSource,\\\" )\\\"),ConnectorSource)\\r\\n| extend SenderIPAddresses = iff( Identity == prev(Identity) and SenderIPAddresses != prev(SenderIPAddresses) and prev(SenderIPAddresses) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderIPAddresses, \\\" (\\\",prev(SenderIPAddresses),\\\"->\\\", SenderIPAddresses,\\\" )\\\"),SenderIPAddresses)\\r\\n| extend SenderDomains = iff( Identity == prev(Identity) and SenderDomains != prev(SenderDomains) and prev(SenderDomains) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderDomains, \\\" (\\\",prev(SenderDomains),\\\"->\\\", SenderDomains,\\\" )\\\"),SenderDomains)\\r\\n| extend TrustedOrganizations = iff( Identity == prev(Identity) and TrustedOrganizations != prev(TrustedOrganizations) and prev(TrustedOrganizations) !=\\\"\\\" , strcat(\\\"📍 \\\", 
TrustedOrganizations, \\\" (\\\",prev(TrustedOrganizations),\\\"->\\\", TrustedOrganizations,\\\" )\\\"),TrustedOrganizations)\\r\\n| extend AssociatedAcceptedDomainsRequireTls = iff (Identity == prev(Identity) and AssociatedAcceptedDomainsRequireTls != prev(AssociatedAcceptedDomainsRequireTls) and prev(AssociatedAcceptedDomainsRequireTls) !=\\\"\\\" , strcat(\\\"📍 \\\", AssociatedAcceptedDomainsRequireTls, \\\" (\\\",prev(AssociatedAcceptedDomainsRequireTls),\\\"->\\\", AssociatedAcceptedDomainsRequireTls,\\\" )\\\"),AssociatedAcceptedDomainsRequireTls)\\r\\n| extend RestrictDomainsToIPAddresses = iff(Identity == prev(Identity) and RestrictDomainsToIPAddresses != prev(RestrictDomainsToIPAddresses) and prev(RestrictDomainsToIPAddresses) !=\\\"\\\" , strcat(\\\"📍 \\\", RestrictDomainsToIPAddresses, \\\" (\\\",prev(RestrictDomainsToIPAddresses),\\\"->\\\", RestrictDomainsToIPAddresses,\\\" )\\\"),RestrictDomainsToIPAddresses)\\r\\n| extend RestrictDomainsToCertificate = iff( Identity == prev(Identity) and RestrictDomainsToCertificate != prev(RestrictDomainsToCertificate) and prev(RestrictDomainsToCertificate) !=\\\"\\\" , strcat(\\\"📍 \\\", RestrictDomainsToCertificate, \\\" (\\\",prev(RestrictDomainsToCertificate),\\\"->\\\", RestrictDomainsToCertificate,\\\" )\\\"),RestrictDomainsToCertificate)\\r\\n| extend CloudServicesMailEnabled = iff( Identity == prev(Identity) and CloudServicesMailEnabled != prev(CloudServicesMailEnabled) and prev(CloudServicesMailEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", CloudServicesMailEnabled, \\\" (\\\",prev(CloudServicesMailEnabled),\\\"->\\\", CloudServicesMailEnabled,\\\" )\\\"),CloudServicesMailEnabled)\\r\\n| extend TreatMessagesAsInternal = iff( Identity == prev(Identity) and TreatMessagesAsInternal != prev(TreatMessagesAsInternal) and prev(TreatMessagesAsInternal) !=\\\"\\\" , strcat(\\\"📍 \\\", TreatMessagesAsInternal, \\\" (\\\",prev(TreatMessagesAsInternal),\\\"->\\\", TreatMessagesAsInternal,\\\" 
)\\\"),TreatMessagesAsInternal)\\r\\n| extend TlsSenderCertificateName = iff(Identity == prev(Identity) and TlsSenderCertificateName != prev(TlsSenderCertificateName) and prev(TlsSenderCertificateName) !=\\\"\\\" , strcat(\\\"📍 \\\", TlsSenderCertificateName, \\\" (\\\",prev(TlsSenderCertificateName),\\\"->\\\", TlsSenderCertificateName,\\\" )\\\"),TlsSenderCertificateName)\\r\\n| extend ScanAndDropRecipients = iff( Identity == prev(Identity) and ScanAndDropRecipients != prev(ScanAndDropRecipients) and prev(ScanAndDropRecipients) !=\\\"\\\" , strcat(\\\"📍 \\\", ScanAndDropRecipients, \\\" (\\\",prev(ScanAndDropRecipients),\\\"->\\\", ScanAndDropRecipients,\\\" )\\\"),ScanAndDropRecipients)\\r\\n| extend Comment = iff( Identity == prev(Identity) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or State contains \\\"📍\\\" or ConnectorType contains \\\"📍\\\" or ConnectorSource contains \\\"📍\\\" or SenderIPAddresses contains \\\"📍\\\" or SenderDomains contains \\\"📍\\\" or TrustedOrganizations contains \\\"📍\\\" or AssociatedAcceptedDomainsRequireTls contains \\\"📍\\\" or RestrictDomainsToIPAddresses contains \\\"📍\\\" or RestrictDomainsToCertificate contains \\\"📍\\\" or CloudServicesMailEnabled contains \\\"📍\\\" or TreatMessagesAsInternal contains \\\"📍\\\" or TlsSenderCertificateName contains \\\"📍\\\" or ScanAndDropRecipients contains \\\"📍\\\" or Comment contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project 
WhenChanged,Actiontype,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n State,\\r\\n ConnectorType,\\r\\n ConnectorSource,\\r\\n Comment,\\r\\n SenderIPAddresses,\\r\\n SenderDomains,\\r\\n TrustedOrganizations,\\r\\n AssociatedAcceptedDomainsRequireTls,\\r\\n RestrictDomainsToIPAddresses,\\r\\n RestrictDomainsToCertificate,\\r\\n CloudServicesMailEnabled,\\r\\n TreatMessagesAsInternal,\\r\\n TlsSenderCertificateName,\\r\\n ScanAndDropRecipients,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 2\"}]},\"name\":\"Inbound Connector configuration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Outbound Connector configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows the configuration of the 
Outbound connnectors\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend State = tostring(CmdletResultValue.Enabled)\\r\\n| extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n| extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n| extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n| extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n| extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n| extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n| extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n| extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n| extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n| extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n| extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n| extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n| extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n| 
extend WhenChanged = tostring(CmdletResultValue.WhenChanged)\\r\\n| extend WhenCreated = tostring(CmdletResultValue.WhenCreated)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Name asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Outbound Connector configuration - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = 
tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = 
tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"OutBoundC\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where 
WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project 
WhenChanged,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend State = iff( Identity == prev(Identity) and State != prev(State) and prev(State) !=\\\"\\\" , strcat(\\\"📍 \\\", State, \\\" (\\\",prev(State),\\\"->\\\", State,\\\" )\\\"),State)\\r\\n| extend ConnectorType = iff( Identity == prev(Identity) and ConnectorType != prev(ConnectorType) and prev(ConnectorType) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorType, \\\" (\\\",prev(ConnectorType),\\\"->\\\", ConnectorType,\\\" )\\\"),ConnectorType)\\r\\n| extend ConnectorSource = iff( Identity == prev(Identity) and ConnectorSource != prev(ConnectorSource) and prev(ConnectorSource) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorSource, \\\" (\\\",prev(ConnectorSource),\\\"->\\\", ConnectorSource,\\\" )\\\"),ConnectorSource)\\r\\n| extend CloudServicesMailEnabled = iff( Identity == prev(Identity) and CloudServicesMailEnabled != prev(CloudServicesMailEnabled) and prev(CloudServicesMailEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", CloudServicesMailEnabled, \\\" (\\\",prev(CloudServicesMailEnabled),\\\"->\\\", CloudServicesMailEnabled,\\\" )\\\"),CloudServicesMailEnabled)\\r\\n| extend Comment = iff( Comment == prev(Comment) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend RecipientDomains = iff( Identity == prev(Identity) and RecipientDomains != prev(RecipientDomains) and prev(RecipientDomains) !=\\\"\\\" , 
strcat(\\\"📍 \\\", RecipientDomains, \\\" (\\\",prev(RecipientDomains),\\\"->\\\", RecipientDomains,\\\" )\\\"),RecipientDomains)\\r\\n| extend SmartHosts = iff( Identity == prev(Identity) and SmartHosts != prev(SmartHosts) and prev(SmartHosts) !=\\\"\\\" , strcat(\\\"📍 \\\", SmartHosts, \\\" (\\\",prev(SmartHosts),\\\"->\\\", SmartHosts,\\\" )\\\"),SmartHosts)\\r\\n| extend TlsDomain = iff( Identity == prev(Identity) and TlsDomain != prev(TlsDomain) and prev(TlsDomain) !=\\\"\\\" , strcat(\\\"📍 \\\", TlsDomain, \\\" (\\\",prev(TlsDomain),\\\"->\\\", TlsDomain,\\\" )\\\"),TlsDomain)\\r\\n| extend IsTransportRuleScoped = iff( Identity == prev(Identity) and IsTransportRuleScoped != prev(IsTransportRuleScoped) and prev(IsTransportRuleScoped) !=\\\"\\\" , strcat(\\\"📍 \\\", IsTransportRuleScoped, \\\" (\\\",prev(IsTransportRuleScoped),\\\"->\\\", IsTransportRuleScoped,\\\" )\\\"),IsTransportRuleScoped)\\r\\n| extend RouteAllMessagesViaOnPremises = iff( Identity == prev(Identity) and RouteAllMessagesViaOnPremises != prev(RouteAllMessagesViaOnPremises) and prev(RouteAllMessagesViaOnPremises) !=\\\"\\\" , strcat(\\\"📍 \\\", RouteAllMessagesViaOnPremises, \\\" (\\\",prev(RouteAllMessagesViaOnPremises),\\\"->\\\", RouteAllMessagesViaOnPremises,\\\" )\\\"),RouteAllMessagesViaOnPremises)\\r\\n| extend AllAcceptedDomains = iff( Identity == prev(Identity) and AllAcceptedDomains != prev(AllAcceptedDomains) and prev(AllAcceptedDomains) !=\\\"\\\" , strcat(\\\"📍 \\\", AllAcceptedDomains, \\\" (\\\",prev(AllAcceptedDomains),\\\"->\\\", AllAcceptedDomains,\\\" )\\\"),AllAcceptedDomains)\\r\\n| extend SenderRewritingEnabled = iff( Identity == prev(Identity) and SenderRewritingEnabled != prev(SenderRewritingEnabled) and prev(SenderRewritingEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderRewritingEnabled, \\\" (\\\",prev(SenderRewritingEnabled),\\\"->\\\", SenderRewritingEnabled,\\\" )\\\"),SenderRewritingEnabled)\\r\\n| extend TestMode = iff( Identity == prev(Identity)and TestMode != 
prev(TestMode) and prev(TestMode) !=\\\"\\\" , strcat(\\\"📍 \\\", TestMode, \\\" (\\\",prev(TestMode),\\\"->\\\", TestMode,\\\" )\\\"),TestMode)\\r\\n| extend LinkForModifiedConnector = iff( Identity == prev(Identity) and LinkForModifiedConnector != prev(LinkForModifiedConnector) and prev(LinkForModifiedConnector) !=\\\"\\\" , strcat(\\\"📍 \\\", LinkForModifiedConnector, \\\" (\\\",prev(LinkForModifiedConnector),\\\"->\\\", LinkForModifiedConnector,\\\" )\\\"),LinkForModifiedConnector)\\r\\n| extend ValidationRecipients = iff( Identity == prev(Identity) and ValidationRecipients != prev(ValidationRecipients) and prev(ValidationRecipients) !=\\\"\\\" , strcat(\\\"📍 \\\", ValidationRecipients, \\\" (\\\",prev(ValidationRecipients),\\\"->\\\", ValidationRecipients,\\\" )\\\"),ValidationRecipients)\\r\\n| extend IsValidated = iff( Identity == prev(Identity) and IsValidated != prev(IsValidated) and prev(IsValidated) !=\\\"\\\" , strcat(\\\"📍 \\\", IsValidated, \\\" (\\\",prev(IsValidated),\\\"->\\\", IsValidated,\\\" )\\\"),IsValidated)\\r\\n| extend LastValidationTimestamp = iff( Identity == prev(Identity) and LastValidationTimestamp != prev(LastValidationTimestamp) and prev(LastValidationTimestamp) !=\\\"\\\" , strcat(\\\"📍 \\\", LastValidationTimestamp, \\\" (\\\",prev(LastValidationTimestamp),\\\"->\\\", LastValidationTimestamp,\\\" )\\\"),LastValidationTimestamp)\\r\\n| extend Comment = iff( Identity == prev(Identity) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or State contains \\\"📍\\\" or ConnectorType contains \\\"📍\\\" or ConnectorSource contains \\\"📍\\\"or CloudServicesMailEnabled contains \\\"📍\\\" or Comment contains \\\"📍\\\" or UseMXRecord contains \\\"📍\\\" or RecipientDomains contains \\\"📍\\\" or SmartHosts contains \\\"📍\\\" or TlsDomain contains \\\"📍\\\" or TlsSettings contains 
\\\"📍\\\" or IsTransportRuleScoped contains \\\"📍\\\" or RouteAllMessagesViaOnPremises contains \\\"📍\\\" or AllAcceptedDomains contains \\\"📍\\\" or SenderRewritingEnabled contains \\\"📍\\\" or TestMode contains \\\"📍\\\" or LinkForModifiedConnector contains \\\"📍\\\" or ValidationRecipients contains \\\"📍\\\" or IsValidated contains \\\"📍\\\" or LastValidationTimestamp contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n State,\\r\\n ConnectorType,\\r\\n ConnectorSource, \\r\\n CloudServicesMailEnabled,\\r\\n Comment,\\r\\n UseMXRecord,\\r\\n RecipientDomains,\\r\\n SmartHosts,\\r\\n TlsDomain,\\r\\n TlsSettings,\\r\\n IsTransportRuleScoped,\\r\\n RouteAllMessagesViaOnPremises,\\r\\n AllAcceptedDomains,\\r\\n SenderRewritingEnabled,\\r\\n TestMode,\\r\\n LinkForModifiedConnector,\\r\\n ValidationRecipients,\\r\\n IsValidated,\\r\\n LastValidationTimestamp,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters 
)\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Rules with specific actions to monitor\",\"items\":[{\"type\":1,\"content\":{\"json\":\"A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\\r\\n\\r\\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\\r\\n- BlindCopyTo\\r\\n- SentTo\\r\\n- CopyTo\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Identity = iif( CmdletResultValue.Identity contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n| extend State = tostring(CmdletResultValue.State)\\r\\n| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n| extend SenderIpRangesString = 
tostring(CmdletResultValue.SenderIpRangesString)\\r\\n| extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Transport Rules actions to monitor\"},{\"type\":1,\"content\":{\"json\":\"** Due to lack of informaiton in Powershell, the Transport Rule compare section could display approximate information for Add and Modif. Especially, for the WhenCreated parameter.\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = 
tostring(CmdletResultValue.Mode)\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n | extend CmdletResultValue.RedirectMessageToString\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange =\\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"TransportRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| sort by Identity,TimeGenerated asc\\r\\n | extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n | extend CmdletResultValue.RedirectMessageToString\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n | extend WhenChanged = todatetime(bin(WhenChanged,1m))\\r\\n | extend aa=prev(WhenCreated)\\r\\n | extend WhenCreated = iff( Identity == prev(Identity) and WhenChanged != prev(WhenChanged),aa ,WhenChanged)\\r\\n | extend WhenCreated =bin(WhenCreated,1m)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = inner (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,Mode,SetSCL,SenderIpRangesString,MessageTypeMatchesString,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData1 = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffAddData2 = union 
DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\"\\r\\n| distinct Identity;\\r\\nlet DiffAddData = DiffAddData1\\r\\n| join DiffAddData2 on Identity\\r\\n;\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenChanged,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo, SetSCL, SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend SentTo = iff( Identity == prev(Identity) and SentTo != prev(SentTo) and prev(SentTo) !=\\\"\\\" , strcat(\\\"📍 \\\", SentTo, \\\" (\\\",prev(SentTo),\\\"->\\\", SentTo,\\\" )\\\"),SentTo)\\r\\n| extend BlindCopyTo = iff( Identity == prev(Identity) and BlindCopyTo != prev(BlindCopyTo) and prev(BlindCopyTo) !=\\\"\\\" , strcat(\\\"📍 \\\", BlindCopyTo, \\\" (\\\",prev(BlindCopyTo),\\\"->\\\", BlindCopyTo,\\\" )\\\"),BlindCopyTo)\\r\\n| extend CopyTo = iff( Identity == prev(Identity) and CopyTo != prev(CopyTo) and prev(CopyTo) !=\\\"\\\" , strcat(\\\"📍 \\\", CopyTo, \\\" (\\\",prev(CopyTo),\\\"->\\\", CopyTo,\\\" )\\\"),CopyTo)\\r\\n| extend SetSCL = iff( Identity == prev(Identity)and SetSCL != prev(SetSCL) and prev(SetSCL) !=\\\"\\\" , strcat(\\\"📍 \\\", SetSCL, \\\" (\\\",prev(SetSCL),\\\"->\\\", SetSCL,\\\" )\\\"),SetSCL)\\r\\n| extend SenderIpRangesString = 
iff( Identity == prev(Identity)and SenderIpRangesString != prev(SenderIpRangesString) and prev(SenderIpRangesString) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderIpRangesString, \\\" (\\\",prev(SenderIpRangesString),\\\"->\\\", SenderIpRangesString,\\\" )\\\"),SenderIpRangesString)\\r\\n| extend MessageTypeMatchesString = iff( Identity == prev(Identity)and MessageTypeMatchesString != prev(MessageTypeMatchesString) and prev(MessageTypeMatchesString) !=\\\"\\\" , strcat(\\\"📍 \\\", MessageTypeMatchesString, \\\" (\\\",prev(MessageTypeMatchesString),\\\"->\\\", MessageTypeMatchesString,\\\" )\\\"),MessageTypeMatchesString)\\r\\n| extend Mode = iff( Identity == prev(Identity)and Mode != prev(Mode) and prev(Mode) !=\\\"\\\" , strcat(\\\"📍 \\\", Mode, \\\" (\\\",prev(Mode),\\\"->\\\", Mode,\\\" )\\\"),Mode)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or SentTo contains \\\"📍\\\" or BlindCopyTo contains \\\"📍\\\" or CopyTo contains \\\"📍\\\" or SetSCL contains \\\"📍\\\" or SenderIpRangesString contains \\\"📍\\\" or MessageTypeMatchesString contains \\\"📍\\\" or Mode contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n SentTo,\\r\\n BlindCopyTo,\\r\\n CopyTo,\\r\\n RedirectMessageTo,\\r\\n SetSCL,\\r\\n 
SenderIpRangesString,\\r\\n MessageTypeMatchesString,\\r\\n Mode,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Outbound Policy : Autoforward configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is enabled, then automatic transfer are allowed.\\r\\nFor example: users in Outlook will be able set automatic transfer of all their emails to external addresses.\\r\\nThere are several methods to authorized automatic forward. \\r\\nPlease review this article : https://learn.microsoft.com/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding?view=o365-worldwide\\r\\n**In summary :**\\r\\n\\r\\n**Scenario 1 :**\\r\\n\\r\\nYou configure remote domain settings to allow automatic forwarding.\\r\\nAutomatic forwarding in the outbound spam filter policy is set to Off.\\r\\n*Result :* \\r\\nAutomatically forwarded messages to recipients in the affected domains are blocked.\\r\\n\\r\\n**Scenario 2 :**\\r\\n\\r\\nYou configure remote domain settings to allow automatic forwarding.\\r\\nAutomatic forwarding in the outbound spam filter policy is set to Automatic - System-controlled.\\r\\n\\r\\n*Result :* \\r\\n\\r\\nAutomatically forwarded messages to recipients in the affected domains are blocked.\\r\\nAs described earlier, Automatic - System-controlled used to mean On, but the setting has changed over time to mean Off in all organizations.\\r\\n\\r\\nFor absolute clarity, you should 
configure your outbound spam filter policy to On or Off.\\r\\n\\r\\n**Scenario 3 :**\\r\\n\\r\\nAutomatic forwarding in the outbound spam filter policy is set to On\\r\\nYou use mail flow rules or remote domains to block automatically forwarded email\\r\\n\\r\\n*Result : *\\r\\n\\r\\nAutomatically forwarded messages to affected recipients are blocked by mail flow rules or remote domains.\\r\\n****\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let HOSFR = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterRule\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n| project Identity,HostedOutboundSpamFilterPolicy;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n| join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n| extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n| extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n| extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n| extend AutoForwardingMode= iff (CmdletResultValue.AutoForwardingMode == \\\"On\\\" , strcat (\\\"❌ \\\", tostring(CmdletResultValue.AutoForwardingMode)), tostring(CmdletResultValue.AutoForwardingMode))\\r\\n| extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n| extend 
RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n| extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n| extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n| extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n| extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n| extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n| extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n| extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n| project Identity,IsDefault,Enabled,AutoForwardingMode,OutboundSpamFilterRule,BccSuspiciousOutboundAdditionalRecipients,BccSuspiciousOutboundMail,NotifyOutboundSpam,NotifyOutboundSpamRecipient,WhenChanged,WhenCreated\\r\\n| sort by Identity asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"OutboundPol - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = 
todatetime(toscalar(_currD));\\r\\nlet HOSFR = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterRule\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n| project Identity,HostedOutboundSpamFilterPolicy;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend Identity = tostring(Identity)\\r\\n | join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = 
todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend Identity = tostring(Identity)\\r\\n | join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRangeOSFR = ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"HostedOutboundSpamFilterRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n | extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n | project Identity, HostedOutboundSpamFilterPolicy;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"HostedOutboundSpamFilterPolicy\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n | project\\r\\n TimeGenerated,\\r\\n Identity,\\r\\n CmdletResultValue,\\r\\n WhenChanged = todatetime(bin(WhenChanged_t,1m)),\\r\\n WhenCreated=todatetime(bin(WhenCreated_t,1m))\\r\\n | join kind=fullouter allDataRangeOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= 
tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData\\r\\n | where WhenCreated >= _DateCompareB)\\r\\n on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange) on WhenCreated\\r\\n | where WhenCreated >= _DateCompareB\\r\\n | where bin(WhenCreated, 5m) == bin(WhenChanged, 5m)\\r\\n | distinct\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffAddData = union DiffAddDataP1, DiffAddDataP2\\r\\n | extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n 
OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n | project\\r\\n WhenChanged=_CurrentDateB,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated\\r\\n;\\r\\nlet DiffModifData = union AfterData, allDataRange\\r\\n | sort by Identity, WhenChanged asc\\r\\n | project\\r\\n WhenChanged,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n | extend Identity = iff(Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) != \\\"\\\", strcat(\\\"📍 \\\", Identity, \\\" (\\\", prev(Identity), \\\"->\\\", Identity, \\\" )\\\"), Identity)\\r\\n | extend IsDefault = iff(Identity == prev(Identity) and IsDefault != prev(IsDefault) and prev(IsDefault) != \\\"\\\", strcat(\\\"📍 \\\", IsDefault, \\\" (\\\", prev(IsDefault), \\\"->\\\", IsDefault, \\\" )\\\"), IsDefault)\\r\\n | extend Enabled = iff(Identity == prev(Identity) and Enabled != prev(Enabled) and prev(Enabled) != \\\"\\\", strcat(\\\"📍 
\\\", Enabled, \\\" (\\\", prev(Enabled), \\\"->\\\", Enabled, \\\" )\\\"), Enabled)\\r\\n | extend AutoForwardingMode = iff(Identity == prev(Identity) and AutoForwardingMode != prev(AutoForwardingMode) and prev(AutoForwardingMode) != \\\"\\\", strcat(\\\"📍 \\\", AutoForwardingMode, \\\" (\\\", prev(AutoForwardingMode), \\\"->\\\", AutoForwardingMode, \\\" )\\\"), AutoForwardingMode)\\r\\n | extend OutboundSpamFilterRule = iff(Identity == prev(Identity) and OutboundSpamFilterRule != prev(OutboundSpamFilterRule) and prev(OutboundSpamFilterRule) != \\\"\\\", strcat(\\\"📍 \\\", OutboundSpamFilterRule, \\\" (\\\", prev(OutboundSpamFilterRule), \\\"->\\\", OutboundSpamFilterRule, \\\" )\\\"), OutboundSpamFilterRule)\\r\\n | extend RecommendedPolicyType = iff(Identity == prev(Identity) and RecommendedPolicyType != prev(RecommendedPolicyType) and prev(RecommendedPolicyType) != \\\"\\\", strcat(\\\"📍 \\\", RecommendedPolicyType, \\\" (\\\", prev(RecommendedPolicyType), \\\"->\\\", RecommendedPolicyType, \\\" )\\\"), RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = iff(Identity == prev(Identity) and RecipientLimitExternalPerHour != prev(RecipientLimitExternalPerHour) and prev(RecipientLimitExternalPerHour) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitExternalPerHour, \\\" (\\\", prev(RecipientLimitExternalPerHour), \\\"->\\\", RecipientLimitExternalPerHour, \\\" )\\\"), RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = iff(Identity == prev(Identity) and RecipientLimitInternalPerHour != prev(RecipientLimitInternalPerHour) and prev(RecipientLimitInternalPerHour) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitInternalPerHour, \\\" (\\\", prev(RecipientLimitInternalPerHour), \\\"->\\\", RecipientLimitInternalPerHour, \\\" )\\\"), RecipientLimitInternalPerHour)\\r\\n | extend ActionWhenThresholdReached = iff(Identity == prev(Identity) and ActionWhenThresholdReached != prev(ActionWhenThresholdReached) and 
prev(ActionWhenThresholdReached) != \\\"\\\", strcat(\\\"📍 \\\", ActionWhenThresholdReached, \\\" (\\\", prev(ActionWhenThresholdReached), \\\"->\\\", ActionWhenThresholdReached, \\\" )\\\"), ActionWhenThresholdReached)\\r\\n | extend RecipientLimitPerDay = iff(Identity == prev(Identity) and RecipientLimitPerDay != prev(RecipientLimitPerDay) and prev(RecipientLimitPerDay) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitPerDay, \\\" (\\\", prev(RecipientLimitPerDay), \\\"->\\\", RecipientLimitPerDay, \\\" )\\\"), RecipientLimitPerDay)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients = iff(Identity == prev(Identity) and BccSuspiciousOutboundAdditionalRecipients != prev(BccSuspiciousOutboundAdditionalRecipients) and prev(BccSuspiciousOutboundAdditionalRecipients) != \\\"\\\", strcat(\\\"📍 \\\", BccSuspiciousOutboundAdditionalRecipients, \\\" (\\\", prev(BccSuspiciousOutboundAdditionalRecipients), \\\"->\\\", BccSuspiciousOutboundAdditionalRecipients, \\\" )\\\"), BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = iff(Identity == prev(Identity) and BccSuspiciousOutboundMail != prev(BccSuspiciousOutboundMail) and prev(BccSuspiciousOutboundMail) != \\\"\\\", strcat(\\\"📍 \\\", BccSuspiciousOutboundMail, \\\" (\\\", prev(BccSuspiciousOutboundMail), \\\"->\\\", BccSuspiciousOutboundMail, \\\" )\\\"), BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam = iff(Identity == prev(Identity) and NotifyOutboundSpam != prev(NotifyOutboundSpam) and prev(NotifyOutboundSpam) != \\\"\\\", strcat(\\\"📍 \\\", NotifyOutboundSpam, \\\" (\\\", prev(NotifyOutboundSpam), \\\"->\\\", NotifyOutboundSpam, \\\" )\\\"), NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = iff(Identity == prev(Identity) and NotifyOutboundSpamRecipient != prev(NotifyOutboundSpamRecipient) and prev(NotifyOutboundSpamRecipient) != \\\"\\\", strcat(\\\"📍 \\\", NotifyOutboundSpamRecipient, \\\" (\\\", prev(NotifyOutboundSpamRecipient), \\\"->\\\", 
NotifyOutboundSpamRecipient, \\\" )\\\"), NotifyOutboundSpamRecipient)\\r\\n | extend ActiontypeR =iff((Identity contains \\\"📍\\\" or IsDefault contains \\\"📍\\\" or Enabled contains \\\"📍\\\" or OutboundSpamFilterRule contains \\\"📍\\\" or AutoForwardingMode contains \\\"📍\\\" or BccSuspiciousOutboundAdditionalRecipients contains \\\"📍\\\" or BccSuspiciousOutboundMail contains \\\"📍\\\" or NotifyOutboundSpam contains \\\"📍\\\" or NotifyOutboundSpamRecipient contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n 
NotifyOutboundSpamRecipient,\\r\\n WhenCreated \",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 7 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Remote Domain Autofoward Configuration - * should not allow AutoForwardEnabled\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is set to True for an SMTP domain and the Outbound Policy is set to On then users in Outlook are allowed to set automatic transfer of all their emails to addresses in this domain.\\r\\n\\r\\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. 
\\r\\n\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName)\\r\\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.DomainName == \\\"*\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.DomainName != \\\"*\\\", strcat (\\\"⚠️ \\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅ \\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n| project-away CmdletResultValue\\r\\n| sort by Address asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ForwardGroup\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = 
arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n \\t | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"RemoteDomain\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,DomainName,AutoForwardEnabled,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend DomainName = iff( Identity == prev(Identity) and DomainName != prev(DomainName) and prev(DomainName) !=\\\"\\\" , strcat(\\\"📍 \\\", DomainName, \\\" (\\\",prev(DomainName),\\\"->\\\", 
DomainName,\\\" )\\\"),DomainName)\\r\\n| extend AutoForwardEnabled = iff( Identity == prev(Identity) and AutoForwardEnabled != prev(AutoForwardEnabled) and prev(AutoForwardEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", AutoForwardEnabled, \\\" (\\\",prev(AutoForwardEnabled),\\\"->\\\", AutoForwardEnabled,\\\" )\\\"),AutoForwardEnabled)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or DomainName contains \\\"📍\\\" or AutoForwardEnabled contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n DomainName,\\r\\n AutoForwardEnabled,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 7\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Transport\"},\"name\":\"Transport Security 
configuration\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityReview-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel"
@@ -1698,7 +1561,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Microsoft Exchange Admin Activity - Online Workbook with template version 3.1.5",
+ "description": "Microsoft Exchange Admin Activity - Online Workbook with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion3')]",
@@ -1716,7 +1579,7 @@ }, "properties": { "displayName": "[parameters('workbook3-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Admin Activity\\r\\n\\r\\nThis workbook helps you visualize what is happening in your Exchange environment.\\r\\nResults removed :\\r\\n\\t- All Test-* and Set-AdServerSetting Cmdlets\\r\\n\\r\\n**Selection of an environment is unavailable. As this workbook is based on the OfficeActivity Logs (Microsoft 365 Solution) directly linked to the Microsoft Sentinel Environment, we cannot provide a view of another one.**\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3792117c-d924-4ec7-a327-1e8d5e9f291a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"value\":{\"durationMs\":14400000}},{\"id\":\"743317e2-ebcf-4958-861d-4ff97fc7cce1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"query\":\"OfficeActivity | where TimeGenerated {TimeRange}\\r\\n| summarize by OrganizationName\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": 
\\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cmdlet Analysis\",\"subTarget\":\"Cmdlet\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Cmdlet summary\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab parses the events from OfficeActivity logs :\\r\\n\\r\\n- list of cmdlets\\r\\n- filter on a VIP and/or Sensitive objects (based on Watchlist \\\"Exchange VIP\\\" and \\\" Monitored Exchange Cmdlets\\\")\\r\\n- anomalies detections are based on the KQL function series_decompose_anomalies\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"CmdletGroupHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5a942eba-c991-4b84-9a94-c153bca86e12\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"VIPOnly\",\"label\":\"Show VIP Only\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"83befa26-eee0-49ab-9785-72653943bc6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SensitiveOnly\",\"label\":\"Sensitive CmdLet 
Only\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\\r\\n\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"This section show all the Cmdlets executed in the selected time range. Possible filters are: \\r\\n- **VIP Only selected** Cmdlets used against VIP objects (based on the \\\"Exchange VIP\\\" watchlist)\\r\\n- **Sensitive Cmdlets** Cmdlets considered as Sensitive (based on the \\\"Monitored Exchange Cmdlets\\\" watchlist)\\r\\n\\r\\nThese informations can be useful to detect unexpected behaviors or to determine what are the action performed by the accounts (ie. service accounts).\\r\\n\\r\\nℹ️ It is recommended to delegated only the necessary privileges to an account.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"CmdtListHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize count() by CmdletName\\r\\n| sort by count_\",\"size\":2,\"showAnalytics\":true,\"title\":\"List of all executed cmdlets during the last 90 days (based on Sentinel 
retention)\",\"exportFieldName\":\"Cmdlet\",\"exportParameterName\":\"CmdletFilter\",\"exportDefaultValue\":\"\\\"\\\"\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Cmdlet\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":20}},\"customWidth\":\"45\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize count() by CmdletName\\r\\n| join kind=leftouter ( MESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n | make-series Count=count() on TimeGenerated from ago(30d) to now() step 1d by CmdletName\\r\\n | extend Anomalies=series_decompose_anomalies(Count)\\r\\n) on CmdletName\\r\\n| project CmdletName, Total=count_, Count, Anomalies\\r\\n| sort by 
Total\",\"size\":2,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Cmdlet\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"rowLimit\":10000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"Count\",\"label\":\"Count for the last 30 days\"}]}},\"customWidth\":\"55\",\"name\":\"CmdletTrends\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet: string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\", ignoreFirstRecord=true)\\r\\n | project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize Total = count() by Caller\\r\\n| join kind=leftouter ( MESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n | make-series Count=count() on TimeGenerated from ago(30d) to now() step 1d by Caller\\r\\n | extend Anomalies=series_decompose_anomalies(Count)\\r\\n) on Caller\\r\\n| project Caller, Total, Count, Anomalies\\r\\n| sort by Total 
desc\",\"size\":1,\"showAnalytics\":true,\"exportFieldName\":\"Caller\",\"exportParameterName\":\"CallerFilter\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Caller\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70ch\"}},{\"columnMatch\":\"Total\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"125px\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"300px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"300px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_Total_1\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Count\",\"label\":\"Count for the last 30 days\"}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_Total_1\",\"sortOrder\":2}],\"chartSettings\":{\"createOtherGroup\":20}},\"name\":\"query - 4\"},{\"type\":1,\"content\":{\"json\":\"## List of Cmdlets\\r\\n\\r\\nBy default all accounts found in the log are displayed.\\r\\n\\r\\nSelect an caller, to display all Cmdlets launched by this administrator\\r\\n\\r\\n> **Legend** \\r\\n> \\r\\n> 👑 VIP user \\r\\n> 💥 Sensitive action\\r\\n\\r\\nIf needed, select an item in the dropdownlist. 
Dropdownlist are independent.\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"008273d1-a013-4d86-9e23-499e5175a85e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CallerFilter\",\"label\":\"Caller\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| distinct Caller\\r\\n| extend Caller = replace_string(Caller, '\\\\\\\\', '\\\\\\\\\\\\\\\\')\\r\\n| sort by Caller asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"21bd4e45-65ca-4b9b-a19c-177d6b37d807\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TargetObjectFilter\",\"label\":\"Target Object\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({CallerFilter})\\r\\n| distinct TargetObject\\r\\n| sort by TargetObject asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9e93d5c3-0fcb-4ece-b2a0-fc3ff44a0b04\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdletFilter\",\"label\":\"Cmdlet Filter\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| 
where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({CallerFilter})\\r\\n| distinct CmdletName\\r\\n| sort by CmdletName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet: string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\", ignoreFirstRecord=true)\\r\\n | project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| where (Caller in ({CallerFilter}) or Caller == \\\"ALL\\\") and TargetObject contains \\\"{TargetObjectFilter}\\\" and CmdletName contains \\\"{CmdletFilter}\\\"\\r\\n and TargetObject contains \\\"\\\"\\r\\n and CmdletName contains \\\"\\\"\\r\\n| extend TargetObject = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",TargetObject), TargetObject )\\r\\n| extend Cmdlet = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",CmdletName), CmdletName )\\r\\n| extend IsVIP = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",tostring(IsVIP)), tostring(IsVIP ))\\r\\n| project TimeGenerated, Caller, TargetObject, Cmdlet, CmdletParameters\\r\\n| sort by TimeGenerated desc\",\"size\":2,\"showAnalytics\":true,\"title\":\"History\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ActualCmdLet\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"120ch\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
5\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Cmdlet\"},\"name\":\"Cmdlet Group\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityAdminActivity-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Admin Activity\\r\\n\\r\\nThis workbook helps you visualize what is happening in your Exchange environment.\\r\\nResults removed :\\r\\n\\t- All Test-* and Set-AdServerSetting Cmdlets\\r\\n\\r\\n**Selection of an environment is unavailable. As this workbook is based on the OfficeActivity Logs (Microsoft 365 Solution) directly linked to the Microsoft Sentinel Environment, we cannot provide a view of another one.**\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3792117c-d924-4ec7-a327-1e8d5e9f291a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"value\":{\"durationMs\":14400000}},{\"id\":\"743317e2-ebcf-4958-861d-4ff97fc7cce1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"query\":\"OfficeActivity | where TimeGenerated {TimeRange}\\r\\n| summarize by 
OrganizationName\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cmdlet Analysis\",\"subTarget\":\"Cmdlet\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Cmdlet summary\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab parses the events from OfficeActivity logs :\\r\\n\\r\\n- list of cmdlets\\r\\n- filter on a VIP and/or Sensitive objects (based on Watchlist \\\"Exchange VIP\\\" and \\\" Monitored Exchange Cmdlets\\\")\\r\\n- anomalies detections are based on the KQL function 
series_decompose_anomalies\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"CmdletGroupHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5a942eba-c991-4b84-9a94-c153bca86e12\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"VIPOnly\",\"label\":\"Show VIP Only\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"83befa26-eee0-49ab-9785-72653943bc6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SensitiveOnly\",\"label\":\"Sensitive CmdLet Only\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\\r\\n\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"This section show all the Cmdlets executed in the selected time range. Possible filters are: \\r\\n- **VIP Only selected** Cmdlets used against VIP objects (based on the \\\"Exchange VIP\\\" watchlist)\\r\\n- **Sensitive Cmdlets** Cmdlets considered as Sensitive (based on the \\\"Monitored Exchange Cmdlets\\\" watchlist)\\r\\n\\r\\nThese informations can be useful to detect unexpected behaviors or to determine what are the action performed by the accounts (ie. 
service accounts).\\r\\n\\r\\nℹ️ It is recommended to delegated only the necessary privileges to an account.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"CmdtListHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize count() by CmdletName\\r\\n| sort by count_\",\"size\":2,\"showAnalytics\":true,\"title\":\"List of all executed cmdlets during the last 90 days (based on Sentinel retention)\",\"exportFieldName\":\"Cmdlet\",\"exportParameterName\":\"CmdletFilter\",\"exportDefaultValue\":\"\\\"\\\"\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Cmdlet\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":20}},\"customWidth\":\"45\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project 
Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize count() by CmdletName\\r\\n| join kind=leftouter ( MESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n | make-series Count=count() on TimeGenerated from ago(30d) to now() step 1d by CmdletName\\r\\n | extend Anomalies=series_decompose_anomalies(Count)\\r\\n) on CmdletName\\r\\n| project CmdletName, Total=count_, Count, Anomalies\\r\\n| sort by Total\",\"size\":2,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Cmdlet\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"rowLimit\":10000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"Count\",\"label\":\"Count for the last 30 days\"}]}},\"customWidth\":\"55\",\"name\":\"CmdletTrends\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet: string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\", ignoreFirstRecord=true)\\r\\n | project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| 
where IsSensitive in ({SensitiveOnly})\\r\\n| summarize Total = count() by Caller\\r\\n| join kind=leftouter ( MESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n | make-series Count=count() on TimeGenerated from ago(30d) to now() step 1d by Caller\\r\\n | extend Anomalies=series_decompose_anomalies(Count)\\r\\n) on Caller\\r\\n| project Caller, Total, Count, Anomalies\\r\\n| sort by Total desc\",\"size\":1,\"showAnalytics\":true,\"exportFieldName\":\"Caller\",\"exportParameterName\":\"CallerFilter\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Caller\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70ch\"}},{\"columnMatch\":\"Total\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"125px\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"300px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"300px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_Total_1\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Count\",\"label\":\"Count for the last 30 days\"}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_Total_1\",\"sortOrder\":2}],\"chartSettings\":{\"createOtherGroup\":20}},\"name\":\"query - 4\"},{\"type\":1,\"content\":{\"json\":\"## List of Cmdlets\\r\\n\\r\\nBy default all accounts found in the log are displayed.\\r\\n\\r\\nSelect an caller, to display all Cmdlets launched by this administrator\\r\\n\\r\\n> **Legend** \\r\\n> \\r\\n> 👑 VIP user \\r\\n> 💥 Sensitive 
action\\r\\n\\r\\nIf needed, select an item in the dropdownlist. Dropdownlist are independent.\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"008273d1-a013-4d86-9e23-499e5175a85e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CallerFilter\",\"label\":\"Caller\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| distinct Caller\\r\\n| extend Caller = replace_string(Caller, '\\\\\\\\', '\\\\\\\\\\\\\\\\')\\r\\n| sort by Caller asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"21bd4e45-65ca-4b9b-a19c-177d6b37d807\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TargetObjectFilter\",\"label\":\"Target Object\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({CallerFilter})\\r\\n| distinct TargetObject\\r\\n| sort by TargetObject asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9e93d5c3-0fcb-4ece-b2a0-fc3ff44a0b04\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdletFilter\",\"label\":\"Cmdlet Filter\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata 
(Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({CallerFilter})\\r\\n| distinct CmdletName\\r\\n| sort by CmdletName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet: string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\", ignoreFirstRecord=true)\\r\\n | project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| where (Caller in ({CallerFilter}) or Caller == \\\"ALL\\\") and TargetObject contains \\\"{TargetObjectFilter}\\\" and CmdletName contains \\\"{CmdletFilter}\\\"\\r\\n and TargetObject contains \\\"\\\"\\r\\n and CmdletName contains \\\"\\\"\\r\\n| extend TargetObject = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",TargetObject), TargetObject )\\r\\n| extend Cmdlet = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",CmdletName), CmdletName )\\r\\n| extend IsVIP = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",tostring(IsVIP)), tostring(IsVIP ))\\r\\n| project TimeGenerated, Caller, TargetObject, Cmdlet, CmdletParameters\\r\\n| sort by TimeGenerated 
desc\",\"size\":2,\"showAnalytics\":true,\"title\":\"History\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ActualCmdLet\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"120ch\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Cmdlet\"},\"name\":\"Cmdlet Group\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityAdminActivity-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel"
@@ -1727,7 +1590,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId3'),'/'))))]",
 "properties": {
- "description": "@{workbookKey=MicrosoftExchangeAdminActivity-Online; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to Online Exchange organizations. It uses Office Activity logs. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. Required Data Connector: Microsoft 365 (Exchange).; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Microsoft Exchange Online Admin Activity; templateRelativePath=Microsoft Exchange Admin Activity - Online.json; subtitle=; provider=Microsoft}.description",
+ "description": "@{workbookKey=MicrosoftExchangeAdminActivity-Online; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to Online Exchange organizations. It uses Office Activity logs. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. Required Data Connector: Microsoft 365 (Exchange).; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Microsoft Exchange Admin Activity - Online; templateRelativePath=Microsoft Exchange Admin Activity - Online.json; subtitle=; provider=Microsoft}.description",
 "parentId": "[variables('workbookId3')]",
 "contentId": "[variables('_workbookContentId3')]",
 "kind": "Workbook",
@@ -1785,7 +1648,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
-"description": "Microsoft Exchange Search AdminAuditLog - Online Workbook with template version 3.1.5",
+"description": "Microsoft Exchange Search AdminAuditLog - Online Workbook with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion4')]",
@@ -1803,7 +1666,7 @@ }, "properties": { "displayName": "[parameters('workbook4-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Admin Audit Log\\r\\n\\r\\n** This workbook requires Option 1** (upload of the OfficeActivity logs)\\r\\n\\r\\n**Selection of an environment is unavailable. As this workbook is based on the OfficeActivity Logs (Microsoft 365 Solution) directly linked to the Microsoft Sentinel Environment, we cannot provide a view of another one.**\"},\"name\":\"text - 6\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"79f1e435-df12-4c83-9967-501ab5f6ad6a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"59486bcb-db99-43b3-97dc-a63b271a91d1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"query\":\"OfficeActivity | where TimeGenerated {TimeRange}\\r\\n | summarize by OrganizationName\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"079b3cc5-dab3-4d38-b4d0-71101802949d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true 
}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"9d830b00-95f4-4fd5-8cfb-95c2e63f5d0b\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cmdlets Analysis\",\"subTarget\":\"CmdletAna\",\"style\":\"link\"},{\"id\":\"944a83ef-377f-4374-83e8-46816b6ce570\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Admin Audit Log - All Admins\",\"subTarget\":\"AllAAL\",\"style\":\"link\"},{\"id\":\"cdab541f-8d91-4882-ba46-7c04cdff257b\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Global Admin Audit Log Search\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If needed, select an item in the dropdownlist. 
Dropdownlist are independent.\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e100ee8b-d63b-4c49-9004-6555b56051aa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Admin\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Caller = replace_string(Caller, '\\\\\\\\', '\\\\\\\\\\\\\\\\')\\r\\n| extend admin = Caller\\r\\n| distinct admin\\r\\n\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0d7c1223-d108-4d10-bb24-50891a3415fd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdLet\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({Admin})\\r\\n| distinct CmdletName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**How to understand the data**\\r\\n\\r\\nThese information 
are extracted from the OfficeActivity logs.\\r\\n\\r\\nEach entry is analyzed regarding the following conditions :\\r\\n\\r\\n - Check if the Target Object is a VIP. The VIP list is based on the watchlist \\\"Exchange VIP\\\".\\r\\n\\r\\n - Check if the Cdmlet is a Sensitive Cmdlet. The Sensitive Cmdlet list is based on the watchlist \\\"Monitored Exchange Cmdlets\\\". \\r\\n - This list contains the list of Cmdlet that are considered as Sensitive. \\r\\n - Some Cmdlet will be considered as Sensitive only if some specific parameters defined in the \\\"Monitored Exchange Cmdlets\\\" watchlist are used.\\r\\n\\r\\nColumn explainatations : \\r\\n - Caller : Named of the Administrators that used this cmdlet\\r\\n - TargetObject : Object modified by the cmdlet\\r\\n - IsVIP : If the Target Object part of the \\\"Exchange VIP\\\" watchlist\\r\\n - Cmdlet : Name of the cmdlet that was used\\r\\n - CmdletParameters : Cmdlet parameters used with the command\\r\\n - IsSensitive :\\r\\n - true : This cmdlet is Sensitive because it was part of the list of the \\\"Monitored Exchange Cmdlets\\\" watchlist and Sensitive parameters have been used for cmdlet with specifc sensitive parameters \\r\\n\\r\\n\"},\"showPin\":false,\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where Caller in ({Admin}) and CmdletName in ({CmdLet})\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend TargetObject = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",TargetObject), TargetObject )\\r\\n| extend CmdletName = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 
\\\",CmdletName), CmdletName )\\r\\n| extend IsVIP = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",tostring(IsVIP)), tostring(IsVIP ))\\r\\n| extend IsSensitive = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",tostring(IsSenstiveCmdlet)), tostring(IsSenstiveCmdlet))\\r\\n| project TimeGenerated, Caller,IsVIP,TargetObject,IsSensitive,CmdletName,CmdletParameters\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"AllAAL\"},\"name\":\"Global Admin Audit Log\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Analysis of Administrators actions\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Total Cmdlets for the Time Range\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Caller\\r\\n| extend CmdletName\\r\\n| summarize Count=count() by CmdletName\",\"size\":2,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"customWidth\":\"50\",\"name\":\"query - 
0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Account = Caller\\r\\n| summarize Count=dcount(CmdletName) by Account,CmdletName\",\"size\":2,\"showAnalytics\":true,\"title\":\"Total Unique Cmdlet per Account for the Time Range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Account\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| summarize Count=count() by CmdletName\\r\\n| sort by CmdletName asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Total List of Cmdlets\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata 
(Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Account = Caller\\r\\n| summarize Count=count() by CmdletName, Account\\r\\n| sort by Count asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"List of Cmdlet per Account\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displayed the list of Cmdlet used in your environment for the defined period of time with the number of time they have been used.\"},\"name\":\"text - 0\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section will display the list of Cmdlet launch by Administrators for the defined period of time and the number of time they have been used\"},\"name\":\"text - 0\"}]},\"customWidth\":\"50\",\"name\":\"group - 3\"}]},\"name\":\"Result Analysis\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"CmdletAna\"},\"name\":\"Analysis of actions performed\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\nThe goals of this workbook is to allow search in the Exchange Admin Audit log.\\r\\n\\r\\nThe source of this workbook is not an export of the Admin Audit log mailbox but an export of the MSExchange Management for each 
Exchange servers.\\r\\n\\r\\nIf the Admin Audit Log is bypassed, the information won't be displayed in this workbook as there is no method to track this data.\\r\\n\\r\\n## Tabs\\r\\n\\r\\nLet quicly review the content of each tab\\r\\n\\r\\n### Cmdlets Analysis\\r\\n\\r\\nThis tab will show for the defined time range :\\r\\n - A summary of all cmdets used\\r\\n\\r\\n - A summary of all cmdlets used by each Account\\r\\n\\r\\n### Global Admin Audit Log\\r\\n\\r\\nThis tab allow to globally search in the exported Admin Audit log content.\\r\\n\\r\\nWhen Sensitive Cmdlets and/or Sensitive parameters are used, specific informations will be displayed.\\r\\n\\r\\nWhen VIP user are manipulated, specific informations will be displayed.\\r\\n\\r\\nFor more informations on how to understand each Column, refer to \\\"How to understand the data\\\"\\r\\n\\r\\n\\r\\n### AdminAuditLog for Org Mgmt\\r\\n\\r\\nThis tab allow to globally search in the exported Admin Audit log content for only account members on the Organization Management groups.\\r\\n\\r\\nWhen Sensitive Cmdlets and/or Sensitive parameters are used, specific informations will be displayed.\\r\\n\\r\\nWhen VIP user are manipulated, specific informations will be displayed.\\r\\n\\r\\nFor more informations on how to understand each Column, refer to \\\"How to understand the data\\\"\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"group - 5\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSearchAdminAuditLog-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Admin Audit Log\\r\\n\\r\\n** This workbook requires Option 1** (upload of the OfficeActivity logs)\\r\\n\\r\\n**Selection of an environment is unavailable. 
As this workbook is based on the OfficeActivity Logs (Microsoft 365 Solution) directly linked to the Microsoft Sentinel Environment, we cannot provide a view of another one.**\"},\"name\":\"text - 6\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"79f1e435-df12-4c83-9967-501ab5f6ad6a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"59486bcb-db99-43b3-97dc-a63b271a91d1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"query\":\"OfficeActivity | where TimeGenerated {TimeRange}\\r\\n | summarize by OrganizationName\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"079b3cc5-dab3-4d38-b4d0-71101802949d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"9d830b00-95f4-4fd5-8cfb-95c2e63f5d0b\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cmdlets 
Analysis\",\"subTarget\":\"CmdletAna\",\"style\":\"link\"},{\"id\":\"944a83ef-377f-4374-83e8-46816b6ce570\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Admin Audit Log - All Admins\",\"subTarget\":\"AllAAL\",\"style\":\"link\"},{\"id\":\"cdab541f-8d91-4882-ba46-7c04cdff257b\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Global Admin Audit Log Search\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If needed, select an item in the dropdownlist. Dropdownlist are independent.\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e100ee8b-d63b-4c49-9004-6555b56051aa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Admin\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Caller = replace_string(Caller, '\\\\\\\\', '\\\\\\\\\\\\\\\\')\\r\\n| extend admin = Caller\\r\\n| distinct admin\\r\\n\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0d7c1223-d108-4d10-bb24-50891a3415fd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdLet\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project 
Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({Admin})\\r\\n| distinct CmdletName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**How to understand the data**\\r\\n\\r\\nThese information are extracted from the OfficeActivity logs.\\r\\n\\r\\nEach entry is analyzed regarding the following conditions :\\r\\n\\r\\n - Check if the Target Object is a VIP. The VIP list is based on the watchlist \\\"Exchange VIP\\\".\\r\\n\\r\\n - Check if the Cdmlet is a Sensitive Cmdlet. The Sensitive Cmdlet list is based on the watchlist \\\"Monitored Exchange Cmdlets\\\". \\r\\n - This list contains the list of Cmdlet that are considered as Sensitive. 
\\r\\n - Some Cmdlet will be considered as Sensitive only if some specific parameters defined in the \\\"Monitored Exchange Cmdlets\\\" watchlist are used.\\r\\n\\r\\nColumn explainatations : \\r\\n - Caller : Named of the Administrators that used this cmdlet\\r\\n - TargetObject : Object modified by the cmdlet\\r\\n - IsVIP : If the Target Object part of the \\\"Exchange VIP\\\" watchlist\\r\\n - Cmdlet : Name of the cmdlet that was used\\r\\n - CmdletParameters : Cmdlet parameters used with the command\\r\\n - IsSensitive :\\r\\n - true : This cmdlet is Sensitive because it was part of the list of the \\\"Monitored Exchange Cmdlets\\\" watchlist and Sensitive parameters have been used for cmdlet with specifc sensitive parameters \\r\\n\\r\\n\"},\"showPin\":false,\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where Caller in ({Admin}) and CmdletName in ({CmdLet})\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend TargetObject = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",TargetObject), TargetObject )\\r\\n| extend CmdletName = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",CmdletName), CmdletName )\\r\\n| extend IsVIP = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",tostring(IsVIP)), tostring(IsVIP ))\\r\\n| extend IsSensitive = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",tostring(IsSenstiveCmdlet)), tostring(IsSenstiveCmdlet))\\r\\n| project TimeGenerated, Caller,IsVIP,TargetObject,IsSensitive,CmdletName,CmdletParameters\\r\\n| sort by TimeGenerated 
desc\",\"size\":0,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"AllAAL\"},\"name\":\"Global Admin Audit Log\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Analysis of Administrators actions\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Total Cmdlets for the Time Range\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Caller\\r\\n| extend CmdletName\\r\\n| summarize Count=count() by CmdletName\",\"size\":2,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Account = Caller\\r\\n| summarize Count=dcount(CmdletName) by 
Account,CmdletName\",\"size\":2,\"showAnalytics\":true,\"title\":\"Total Unique Cmdlet per Account for the Time Range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Account\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| summarize Count=count() by CmdletName\\r\\n| sort by CmdletName asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Total List of Cmdlets\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Account = Caller\\r\\n| summarize Count=count() by CmdletName, Account\\r\\n| sort by Count asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"List of Cmdlet per 
Account\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displayed the list of Cmdlet used in your environment for the defined period of time with the number of time they have been used.\"},\"name\":\"text - 0\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section will display the list of Cmdlet launch by Administrators for the defined period of time and the number of time they have been used\"},\"name\":\"text - 0\"}]},\"customWidth\":\"50\",\"name\":\"group - 3\"}]},\"name\":\"Result Analysis\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"CmdletAna\"},\"name\":\"Analysis of actions performed\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\nThe goals of this workbook is to allow search in the Exchange Admin Audit log.\\r\\n\\r\\nThe source of this workbook is not an export of the Admin Audit log mailbox but an export of the MSExchange Management for each Exchange servers.\\r\\n\\r\\nIf the Admin Audit Log is bypassed, the information won't be displayed in this workbook as there is no method to track this data.\\r\\n\\r\\n## Tabs\\r\\n\\r\\nLet quicly review the content of each tab\\r\\n\\r\\n### Cmdlets Analysis\\r\\n\\r\\nThis tab will show for the defined time range :\\r\\n - A summary of all cmdets used\\r\\n\\r\\n - A summary of all cmdlets used by each 
Account\\r\\n\\r\\n### Global Admin Audit Log\\r\\n\\r\\nThis tab allow to globally search in the exported Admin Audit log content.\\r\\n\\r\\nWhen Sensitive Cmdlets and/or Sensitive parameters are used, specific informations will be displayed.\\r\\n\\r\\nWhen VIP user are manipulated, specific informations will be displayed.\\r\\n\\r\\nFor more informations on how to understand each Column, refer to \\\"How to understand the data\\\"\\r\\n\\r\\n\\r\\n### AdminAuditLog for Org Mgmt\\r\\n\\r\\nThis tab allow to globally search in the exported Admin Audit log content for only account members on the Organization Management groups.\\r\\n\\r\\nWhen Sensitive Cmdlets and/or Sensitive parameters are used, specific informations will be displayed.\\r\\n\\r\\nWhen VIP user are manipulated, specific informations will be displayed.\\r\\n\\r\\nFor more informations on how to understand each Column, refer to \\\"How to understand the data\\\"\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"group - 5\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSearchAdminAuditLog-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel"
@@ -1876,7 +1739,7 @@
 "defaultDuration": "P1000Y",
 "contentType": "Text/Csv",
 "numberOfLinesToSkip": 0,
-"itemsSearchKey": "userPrincipalName",
+"itemsSearchKey": "sAMAccountName",
 "rawContent": "displayName,sAMAccountName,userPrincipalName,comment\r\n\"2016DB1 User1\",\"2016DB1-User1\",\"2016DB1-User1@MyCompany.com\",\r\n"
 },
 "apiVersion": "2021-03-01-preview"
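Review bot: The `@@ -1876,7 +1739,7 @@` hunk switches the VIP watchlist's `itemsSearchKey` from `userPrincipalName` to `sAMAccountName`, but nothing in the hunk records why, and the two keys have different uniqueness guarantees: a UPN is unique across the tenant, whereas a sAMAccountName is only unique within one AD domain, so in a multi-domain environment two VIP rows can now collide on the search key. The workbook serialized just above identifies callers from the OfficeActivity logs and states that the VIP check is based on this "Exchange VIP" watchlist, so any parser or rule that joins the caller's UPN against the watchlist presumably has to be re-keyed or VIP flagging silently stops matching; that dependency is not visible in this hunk and should be confirmed. Consider either keeping `"itemsSearchKey": "userPrincipalName"` or documenting the intent on the resource, e.g. `"description": "VIP list keyed on sAMAccountName; userPrincipalName column retained for OfficeActivity-based lookups"`. The enclosing watchlist resource starts and ends outside the hunk.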
@@ -1886,12 +1749,12 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
-"version": "3.1.5",
+"version": "3.1.6",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Microsoft Exchange Security - Exchange Online",
 "publisherDisplayName": "Community",
-"descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Exchange Security Audit and Configuration Insight solution analyze Exchange Online configuration and logs from a security lens to provide insights and alerts.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Custom logs ingestion via Data Collector REST API
  2. \n
\n

Data Connectors: 1, Parsers: 6, Workbooks: 4, Watchlists: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
+"descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Exchange Security Audit and Configuration Insight solution analyze Exchange Online configuration and logs from a security lens to provide insights and alerts.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Custom logs ingestion via Data Collector REST API
  2. \n
\n

Data Connectors: 1, Parsers: 5, Workbooks: 4, Watchlists: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -1945,11 +1808,6 @@
 "contentId": "[variables('parserObject5').parserContentId5]",
 "version": "[variables('parserObject5').parserVersion5]"
 },
- {
- "kind": "Parser",
- "contentId": "[variables('parserObject6').parserContentId6]",
- "version": "[variables('parserObject6').parserVersion6]"
- },
 {
 "kind": "Workbook",
 "contentId": "[variables('_workbookContentId1')]",
@@ -1973,7 +1831,7 @@
 {
 "kind": "Watchlist",
 "contentId": "[variables('_Exchange Online VIP')]",
- "version": "3.1.5"
+ "version": "3.1.6"
 }
 ]
 },
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/testParameters.json b/Solutions/Microsoft Exchange Security - Exchange Online/Package/testParameters.json
index 39020c8111b..a1e9f9bdb6e 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Package/testParameters.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Package/testParameters.json
@@ -39,7 +39,7 @@
 },
 "workbook3-name": {
 "type": "string",
- "defaultValue": "Microsoft Exchange Online Admin Activity",
+ "defaultValue": "Microsoft Exchange Admin Activity - Online",
 "minLength": 1,
 "metadata": {
 "description": "Name for the workbook"
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml
index d9907009f04..7aded9f868b 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml
@@ -65,123 +65,123 @@ FunctionQuery: |
 //
 // Parameters definition
 let _SectionCompare = SectionCompare;
-let _EnvList =EnvList;
-let _TypeEnv = TypeEnv;
-let _CurrentRole =CurrentRole;
-let _ExclusionsAcct = ExclusionsAcct;
-let _DateCompare = DateCompare;
-let _CurrentDate = CurrentDate;
-let _DateCompareB = todatetime(DateCompare);
-let _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)
-| summarize TimeMax = max(TimeGenerated)
-| extend TimeMax = tostring(split(TimeMax,"T")[0])
-| project TimeMax);
-let _CurrentDateB = todatetime(toscalar(_currD));
-let BeforeData =
- ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)
- | where CmdletResultValue.Role contains _CurrentRole
- and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)
- and CmdletResultValue.Name !contains "Deleg"
- | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
- | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == "User", "User", "RoleGroup")
- | extend CustomRecipientWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope))
- | extend CustomConfigWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))
- | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)
- | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)
- | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)
- | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)
- | extend Status= tostring(CmdletResultValue.Enabled)
- | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular")
- | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
- | extend Role = tostring(CmdletResultValue.Role)
- | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)
- ;
-let AfterData =
- ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)
- | where CmdletResultValue.Role contains _CurrentRole
- and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)
- and CmdletResultValue.Name !contains "Deleg"
- | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
- | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == "User", "User", "RoleGroup")
- | extend CustomRecipientWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope.Name))
- | extend CustomConfigWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))
- | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)
- | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)
- | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)
- | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)
- | extend Status= tostring(CmdletResultValue.Enabled)
- | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
- | extend Role = tostring(CmdletResultValue.Role)
- | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular")
- | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)
- ;
-let i=0;
-let allDataRange =
- ESIExchangeOnlineConfig_CL
- | where TimeGenerated between (_DateCompareB .. _CurrentDateB)
- | where ESIEnvironment_s == _EnvList
- | where Section_s == "MRA"
- | extend CmdletResultValue = parse_json(rawData_s)
- | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t
- | where CmdletResultValue.Role contains _CurrentRole
- and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)
- and CmdletResultValue.Name !contains "Deleg"
- | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
- | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == "User", "User", "RoleGroup")
- | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)
- | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)
- | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)
- | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)
- | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)
- | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)
- | extend Status= tostring(CmdletResultValue.Enabled)
- | extend Role = tostring(CmdletResultValue.Role)
- | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)
- ;
-let DiffAddDataP1 = allDataRange
- | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated
-;
-let DiffAddDataP2 = allDataRange
- | join kind = innerunique (allDataRange ) on WhenCreated
- | where WhenCreated >=_DateCompareB
- | where bin(WhenCreated,5m)==bin(WhenChanged,5m)
- | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated
- ;
-let DiffAddData = union DiffAddDataP1,DiffAddDataP2
-| extend Actiontype ="Add";
-let DiffRemoveData = allDataRange
- | join kind = leftanti AfterData on RoleAssigneeName
- | extend Actiontype ="Remove"
- | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated
- | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated
- ;
-let DiffModifData = union AfterData,allDataRange
-| sort by ManagementRoleAssignement,WhenChanged asc
-| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !="" , strcat("📍 ", Status, " (",prev(Status),"->", Status," )"),Status)
-| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !="" , strcat("📍 ", CustomRecipientWriteScope, " (", prev(CustomRecipientWriteScope),"->", CustomRecipientWriteScope, ")"),CustomRecipientWriteScope)
-| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !="" , strcat("📍 ", CustomConfigWriteScope, " (", prev(CustomConfigWriteScope),"->", CustomConfigWriteScope, ")"),CustomConfigWriteScope)
-| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !="" , strcat("📍 ", RecipientWriteScope, " (", prev(RecipientWriteScope),"->", RecipientWriteScope, ")"),RecipientWriteScope)
-| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !="" , strcat("📍 ", ConfigWriteScope, " (", prev(ConfigWriteScope),"->", ConfigWriteScope, ")"),ConfigWriteScope)
-| extend ActiontypeR =iff((Status contains "📍" or CustomRecipientWriteScope contains"📍" or CustomConfigWriteScope contains"📍" or RecipientWriteScope contains"📍" or ConfigWriteScope contains"📍" ), i=i + 1, i)
-| extend Actiontype =iff(ActiontypeR > 0, "Modif", "NO")
-| where ActiontypeR == 1
-| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated
-;
-union DiffAddData, DiffRemoveData, DiffModifData
-| extend RoleAssigneeName = iff(RoleAssigneeType == "User", strcat("🧑‍🦰 ", RoleAssigneeName), strcat("👪 ", RoleAssigneeName))
-| extend WhenChanged = iff (Actiontype == "Modif", WhenChanged, iff(Actiontype == "Add",WhenCreated, WhenChanged))
-| extend Actiontype = case(Actiontype == "Add", strcat("➕ ", Actiontype), Actiontype == "Remove", strcat("➖ ", Actiontype), Actiontype == "Modif", strcat("📍 ", Actiontype), "N/A")
-| sort by WhenChanged desc
-| project
- WhenChanged,
- Actiontype,
- RoleAssigneeName,
- RoleAssigneeType,
- Status,
- CustomRecipientWriteScope,
- CustomConfigWriteScope,
- RecipientWriteScope,
- ConfigWriteScope,
- ManagementRoleAssignement,
- RoleAssignmentDelegationType,
- WhenCreated
\ No newline at end of file
+ let _EnvList =EnvList;
+ let _TypeEnv = TypeEnv;
+ let _CurrentRole =CurrentRole;
+ let _ExclusionsAcct = ExclusionsAcct;
+ let _DateCompare = DateCompare;
+ let _CurrentDate = CurrentDate;
+ let _DateCompareB = todatetime(DateCompare);
+ let _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)
+ | summarize TimeMax = max(TimeGenerated)
+ | extend TimeMax = tostring(split(TimeMax,"T")[0])
+ | project TimeMax);
+ let _CurrentDateB = todatetime(toscalar(_currD));
+ let BeforeData =
+ ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)
+ | where CmdletResultValue.Role contains _CurrentRole
+ and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)
+ and CmdletResultValue.Name !contains "Deleg"
+ | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
+ | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == "User", "User", "RoleGroup")
+ | extend CustomRecipientWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope))
+ | extend CustomConfigWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))
+ | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)
+ | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)
+ | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)
+ | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)
+ | extend Status= tostring(CmdletResultValue.Enabled)
+ | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular")
+ | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
+ | extend Role = tostring(CmdletResultValue.Role)
+ | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)
+ ;
+ let AfterData =
+ ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)
+ | where CmdletResultValue.Role contains _CurrentRole
+ and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)
+ and CmdletResultValue.Name !contains "Deleg"
+ | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
+ | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == "User", "User", "RoleGroup")
+ | extend CustomRecipientWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope.Name))
+ | extend CustomConfigWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))
+ | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)
+ | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)
+ | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)
+ | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)
+ | extend Status= tostring(CmdletResultValue.Enabled)
+ | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
+ | extend Role = tostring(CmdletResultValue.Role)
+ | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular")
+ | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)
+ ;
+ let i=0;
+ let allDataRange =
+ ESIExchangeOnlineConfig_CL
+ | where TimeGenerated between (_DateCompareB .. _CurrentDateB)
+ | where ESIEnvironment_s == _EnvList
+ | where Section_s == "MRA"
+ | extend CmdletResultValue = parse_json(rawData_s)
+ | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t
+ | where CmdletResultValue.Role contains _CurrentRole
+ and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)
+ and CmdletResultValue.Name !contains "Deleg"
+ | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
+ | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == "User", "User", "RoleGroup")
+ | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)
+ | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)
+ | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)
+ | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)
+ | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)
+ | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)
+ | extend Status= tostring(CmdletResultValue.Enabled)
+ | extend Role = tostring(CmdletResultValue.Role)
+ | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)
+ ;
+ let DiffAddDataP1 = allDataRange
+ | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated
+ ;
+ let DiffAddDataP2 = allDataRange
+ | join kind = innerunique (allDataRange ) on WhenCreated
+ | where WhenCreated >=_DateCompareB
+ | where bin(WhenCreated,5m)==bin(WhenChanged,5m)
+ | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated
+ ;
+ let DiffAddData = union DiffAddDataP1,DiffAddDataP2
+ | extend Actiontype ="Add";
+ let DiffRemoveData = allDataRange
+ | join kind = leftanti AfterData on RoleAssigneeName
+ | extend Actiontype ="Remove"
+ | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated
+ | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated
+ ;
+ let DiffModifData = union AfterData,allDataRange
+ | sort by ManagementRoleAssignement,WhenChanged asc
+ | extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !="" , strcat("📍 ", Status, " (",prev(Status),"->", Status," )"),Status)
+ | extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !="" , strcat("📍 ", CustomRecipientWriteScope, " (", prev(CustomRecipientWriteScope),"->", CustomRecipientWriteScope, ")"),CustomRecipientWriteScope)
+ | extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !="" , strcat("📍 ", CustomConfigWriteScope, " (", prev(CustomConfigWriteScope),"->", CustomConfigWriteScope, ")"),CustomConfigWriteScope)
+ | extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !="" , strcat("📍 ", RecipientWriteScope, " (", prev(RecipientWriteScope),"->", RecipientWriteScope, ")"),RecipientWriteScope)
+ | extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !="" , strcat("📍 ", ConfigWriteScope, " (", prev(ConfigWriteScope),"->", ConfigWriteScope, ")"),ConfigWriteScope)
+ | extend ActiontypeR =iff((Status contains "📍" or CustomRecipientWriteScope contains"📍" or CustomConfigWriteScope contains"📍" or RecipientWriteScope contains"📍" or ConfigWriteScope contains"📍" ), i=i + 1, i)
+ | extend Actiontype =iff(ActiontypeR > 0, "Modif", "NO")
+ | where ActiontypeR == 1
+ | project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated
+ ;
+ union DiffAddData, DiffRemoveData, DiffModifData
+ | extend RoleAssigneeName = iff(RoleAssigneeType == "User", strcat("🧑‍🦰 ", RoleAssigneeName), strcat("👪 ", RoleAssigneeName))
+ | extend WhenChanged = iff (Actiontype == "Modif", WhenChanged, iff(Actiontype == "Add",WhenCreated, WhenChanged))
+ | extend Actiontype = case(Actiontype == "Add", strcat("➕ ", Actiontype), Actiontype == "Remove", strcat("➖ ", Actiontype), Actiontype == "Modif", strcat("📍 ", Actiontype), "N/A")
+ | sort by WhenChanged desc
+ | project
+ WhenChanged,
+ Actiontype,
+ RoleAssigneeName,
+ RoleAssigneeType,
+ Status,
+ CustomRecipientWriteScope,
+ CustomConfigWriteScope,
+ RecipientWriteScope,
+ ConfigWriteScope,
+ ManagementRoleAssignement,
+ RoleAssignmentDelegationType,
+ WhenCreated
\ No newline at end of file
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md b/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md
index f3cf58c8d54..d1bb13ca4d1 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md
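Review bot: In the re-indented `AfterData` block, `CustomRecipientWriteScope` reads `.Name` in both arms of the `iff` — `tostring(CmdletResultValue.CustomRecipientWriteScope.Name)` for the non-On-Premises case too — whereas `BeforeData` and `allDataRange` read `tostring(CmdletResultValue.CustomRecipientWriteScope)` there; if the Online value is a plain string, as those two branches assume, `AfterData` always yields an empty scope and the `prev()` comparison in `DiffModifData` either fabricates a '📍' change or masks a real one, depending on row order. Because this parser is what surfaces widened recipient write scopes on role assignments, a masked change is a privilege-drift blind spot; the second arm should be `tostring(CmdletResultValue.CustomRecipientWriteScope)`, matching `BeforeData`. Separately, `DiffRemoveData` is `join kind = leftanti AfterData on RoleAssigneeName`, so an assignee who loses one of several assignments is never reported as a removal; joining on `ManagementRoleAssignement` as well would close that gap. The hunk only re-indents the block scalar, so both behaviours predate this commit, but they land unchanged on the new side.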
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.1.6 | 30-08-2024 | Correct bug on LasdtReceivedData of DataConnector. and change parser |
 | 3.1.5 | 15-05-2024 | Enhancement in existing **Parser** |
 | 3.1.4 | 30-04-2024 | Repackaged for parser issue |
 | 3.1.3 | 25-04-2024 | Repackaged for parser issue with old names |
From 223d39c06294f6227f31b77c88c8d61c42342082 Mon Sep 17 00:00:00 2001
From: nlepagnez
Date: Fri, 30 Aug 2024 14:18:02 +0200
Subject: [PATCH 11/19] Update Empty String with text in Data Connector
---
 ...Opt1ExchangeAdminAuditLogsByEventLogs.json | 2 +-
 .../Package/3.3.0.zip | Bin 99403 -> 99406 bytes
 .../Package/mainTemplate.json | 4 ++--
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json
index 39d36fee99a..fa1ad2c7c2e 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json
@@ -94,7 +94,7 @@
 "instructions": [
 {
 "parameters": {
- "title": "",
+ "title": "DCR",
 "instructionSteps": [
 {
 "title": "Data Collection Rules Deployment",
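Review bot: `"title": "DCR"` is the heading shown above the instruction group in the connector page, and the abbreviation is only expanded in the step title two lines below; `"title": "Data Collection Rules",` would read consistently with `"Data Collection Rules Deployment"`. If the other `ESI-Opt*` connector files in this series carry the same group title (not visible here), they should use the same wording.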
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/3.3.0.zip b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/3.3.0.zip index e0f052452cc7f2913a6f15fec1407b19c04313e9..f1add987ddb4d952f391f29977b87481c0d7b7c4 100644 GIT binary patch delta 95090 zcmZs?RZw0**PsgocbDMq?(XiM;1E0z++`=Y+l#xqySuvucY?b+O!CeDotjfKH+{2f zcU7;|RlWLodX0rZPliBOx1k_WI}&{jNZg;8cLE2?1r4L<0nQJ%x6Ti*yC3hwQ>%~P zX8~BL_d)KBLGjcmke#dRVbb|<^y`Zeri9hv$BQ$%^UGDpTjJ^I#d*i+DUqw|gDZ58 zJFc*C%ZU*O(X-X`8+mA6mrcDa%o~r~c9WsMEczhYecj^vz(>udwCFL)E2i`%$}3pb ztJO2Aa`oXVP%Rt^dStreGhic(-j#jcB!5SOk-#TikFbY@TWAdnp2Ot3QR5=HV9Io_ zt+<(bgAr~;X)ntb&ImZdsAuZz2xl7QX1p0_ai8$y~ls>UOD+{*8-ig$9_A{zh8`HQe{0{u}B%rBq)?3d)iP zVY@HX8D+uld<4$f)(0-rPcvDF&#W3RS(OKG*zU&h`M-p_wK{G|FW(Q;1)h>4-h8LG z`(BBGi#hQn;Ig+L9};wl*4m!dPpj=nWEBU`vLCzt95*1*)?2?x6+?aJM+)}YyVuy_=-ezl!3Od@>IUk3^hZ*^3E|9iwT8up#W1dUw0KN< zLL@t~M?^}8qYZY!eUob5*bf`Hox@Ii7>wM?$3BEcXnrwXSshztP1}By>{Xy%umDTx zYi{UxaW$Tqni+^19z-NgHLtN9kfl{QC`z2--`KCw9k<+|%Z~;6-k{jP@9$gmI}_bl zbYQ-a5TbF^yyr_SqHh<%2YnAFe~`Y?PES3vOjsoMoiKFDuj2A~p_PHyrj-iOF3I=p z892QexN0uBGEk|-@fS;aEexROErF3a%NtoVPWa(w{DEml?Tmv6S(cnHag*8N$%lQc z?M`PVC}nR7bDr21JNN)f**nBvxOYP$grZ4CvZdi42njL= z$b}=SpWv+5K><}plpg?b!p%o)%Ew7`cCKI@4Gl4#-41VwZO|R3er@;0Y!5vc z-eIQu+WwhSlV_yvG2F%M3J06vy*FXtU!<@BGo^9WOT&BHQS9GJV^XTd4X^tjdA*%5uP_=Xt2IJS*iawf4P+ z^5g)G!sAxLxcl4WPhkT?LkJ=v;RMzCy<nO;IE+YZnm50(8!+BS$)V5{g0iiR$3se^TOamzNaFSg^`ZCN{Z<0gXt{5YxQ*KDB_C^LHGMv zj3B9rGd{F$$Tz#pOinnqDjev1_=6RcgN+NU`*t3lC(KQB%5k?6l@9M`N7yjfg=5z8 zMiceP6665SX)Lmgum?sd0pA1#1dqP#d^64m;ddfkh49zG@9?UGN^eSIJrN|vM(=fe zikVuyDVqz<{)q@`Sf+VX>W4|Ne z?|;somXbv--tCFvMSN400;K!Xf9hcWJj@wqvxAp)Su`BJMdZG>=~QQ_UPs+WxxK)= z^(kHCf7Cj;JI-IUudNa~zrFz-J!3f1qSbD>D=_mxrFTaVnjN2^L6|2Fev*!M%ePsA zDkb7yLL1L;qBULXhBK?2!`VPYC(72K8d#U1nrW@meF=UWG`~EIal-2`igr7)Z67am zD#>WCx2?T%gQ}a_Md2fYP62_Vbj0)L3{V>mHT4j68}q}qrH)jurW{a33AcJ{r`#*A z8p=sw!;JugUYWN(nG#U3Z%Sc|hU`6H(k&>-`8Igjwp6W9QS4=?`PBsnbB`tDC2ehU 
zAoDA&t@5R=Ij{#iS!Eq5sTkCNa~I}A`=ctbHuGGYN_D9*%;_8J0a+m2_`#Xnqn-N9-a{Bkv5s!KySm2I;bM?u8)~6lFBezqn@^J)o}Y7UJ$#A;d# zN8Aw7FBZ_3_GaxuhM!ZzB`Neh^X1P8P3_!rzTJi$oFo&1njV1&ja>2|?Lap9P$iv` zA5M|Olmnr!^e=gqN;hdiNW8D)FGZtRg=ZC>P8vs27iF@N*09z@1^az_z! zDNYRXt=gE9!l8wN&|(jSAyrx6Ub^%wN8_&|X-Hr{aQ3AOnPDjV#A@L=y8>K8@(n&0 zinm@`fE#@_$3z5vxTK7S)P)cuwcCh=>N)LN+2K;5h;lXQ$Qn!Xwck+_!(37O{osvh z9EMmh`QgAwh6g>>O+K3b(`8h`^xIK_vYF>Z4>6Sb?CA>Z(pgab{$ZI zBfo{x1O%wOkDw=C{iMHGwKJ~jK!^39Z;W3E>RbmBZks4D-CxjQoU!|!NVb2w3m~S1 z=*^W7yMJsGZg_HpP4)?f1MAF;(uJYx(vETOt zjcN^*;H><^&)1n~ak2{j)2j@klKk}D+f!vlkV*y>j3_l6gpne@U%f;w|M(!J&Kyi2 zjy6iz8KV!lo62VaGNBbMS7<|FnDU$~(dM;VmF+J7bZ6+Vh37!x5AxchI@ z-uUG{jc)dg&~6A2*(4}0(wiM)MfCeUXtB_-M>ANen0;#nGBSEzrG*KeJM3W*8&yrH zL@Oxn=4jbA4B-5@djG_wq<3DOzZ#<-jvno;4e}&+|H7^KLP>9XS$;;Jx;uHU7Nf5J20c(39Wu3!4Q(%Am7$# zhSx?8>p`f#__&&v%Kv&MzV*X#!8eI2pEfU*QIf%odF( z9UY~7`JTsfJPqyZlU6VIJf#g1S`o>i0zCS@iO^g`lCW6lkWs{&3cJ$i2cp@q^lbwL zzRXYezh9cFE>Fx}X_NH?A^VJV-$7sf!VQh;&*r#sUfrIQA9K86DyTV|uYIt=@WGg1 zzDkwnkFVAGGb62Yf<8HxkPqI`=f_w|+QG&Rqfj5SlWXg8fS)~`^g0~=AfbF>wRNoaKu2Riv zhgl+Mmp=SFwjOKVS{>tV7P-KV3-lJj2vh3&UT^1}1D3~m$Ow1sg!yocZHw5u{l3cW zCk|ZTn?DSEgN%&d9VS{lzB`ZWMvpIdvzfJgP z*;(3Q8?zEWomfk!MnEdUs57B*(ey0mdVD7`jRnfRtE;l>z1sr{KtI7PIm~=XWV3!% zWQp5%q)=J&1G3nicD2&k=KAM1;vH~DtoLaIkzEpg*}alt*anJlNa}g=`FJjLF8jE} zwPCrWn5|>|TPFfE1-=+OC>)bKl8N?FSb`Tu!Of%Weu$z^C$5aE^#e-K)TQoJ7q~j4 zLneoVqWCMt<%WX4ffWn}Lbc^seJphnhWvVxN(qG@q?_u-mF=g+KT2A(nOk<}*6Izt zX0FobrF|W`+)g?=t~t2rB~;i2@R7H3@7AEZH40&3mMvrRIvuR-PF)0!NGzH)v|DQp zvEZ;_#q4!x;n16IQpf^z;z@cuZ(&EbA*L>hOsH`)@F7w;?( z0QFQhyt>L0=wInZ1YT3a8;%cwVuzEhgg|!&_P&t=sLJagp7$E@$mslRyg)W)m$tB; z6(gR5x!alAn1*49{iP4Ksdza_Nky4mg?0y=524w!)|6~x(PG|vU40W7a)GRv9a!4v z4EQSW2!||P1O7V)OSgj=;l?Du#|Sd}wM6)Kl1*Y5xj$Zl@xhSr5D#2&)v`m9o+j0o zucHVV-~^|QQ}n>~ln8=_n168A_0M~aXUU^TP;nAOHBYQW->0&m9Ooc{ly$5UNmQNk ziJ`QOPIiz?7hT7S&*pvi+I0HFLwPXf4#DTM8vZIBfkXna_37B`C2>qbN#j}G_=gV*BMS9LH0syv+wVZXmH9way#7PQ0_&S4T#9k4M{$JGfa 
z?AD_Adv$$i7!zmB9X-d7XqJMHF1J>W_ob2}vI)l1ye}u(CAg%gLGJPW94F-~bIdxzoqP;&HE)AZ4eEQ51@X~D~ zHpVj{AbDX}pLiN|KLE)JSb23lfna}|*qoB}DyDk)8!tgFM-K2*dOLDB=p`;|7*Kzf zNdDR}p(ojn4>R*y9fGDEUd=gIhTv%_a+ii<5mhqT-@XC2)nWR?9Z7ZO)Tw^@ViO)E zn~-weICzj(g_UUYx0+r#;yuC%&>lrn-%a8-rzWS;A$a}kG0Ke;(^@qY^5hqJG8VF; zEBH$Z2@l?BXe1{_PsEC(E8=;gXRdBGgvu>hxWJxw#L#Y~H31gkt`4%OEpBe^bw=>P zkUNLp${+GuOts)5RouY5Bbh6VE&^y@^kEQ7$%5EJ19nj0e&Iqd+V+SEfVw8C9+Fh0 zq?t{9Q|H$(fP{j{6()th@VoN+x5l*c04XS1u`@y)KYi`Q_%9%Dtni;}Tb5kdts_3N zy4}aj_GK}rorFA556f`#%OTQYk)3F%;j6p`YvLC-ALR3x_qOLv*w3Zt}VkGUps~Sy+8LeDWzGn?z)F-6_lnG573{* zeC97djWUstE+^n#>_j}aHNxDtzn>LV)R-3&>o{7(ESqRxhWdYOAU{BGvGaXvCi)rt zT>Q3o8bp5m1TMYyPBy!A6g2#ta^a5wT(f+}j(bUe|GZSd+IoYv!aHtA?Um-n(d;2_ zz!0t+NN;|PVCxya$z5hqwBOm%V%PX%u~t#{bX>Gl7jd2EaKCeTFTlFTXW(W36Il}S zUPWE=UIpIo3&#Hs;#_0QP?{Rt&TYk;U$no->0G425yOWC_)Yk=Xv@~ zdqRJpT3?3;43ZYYmk+S{6k@<5teAxQ235 z_)ExH7+L(b>N(J@8RH;Nd{M`}K1Sbi`U&CrZSJG|OT|B-r=v!Z1VE0AiOxDszirBa z$yFzSe$rwAE^v0k-=mGWJQGzgPGH$VQ2{Mzu>mQA{@HGVyboN==j}97>fnWXfC&ot ztl5;Ea@5Etmuv@xulQM=PAT^(N^Y$0-mk{8LAopU0#U4_><+xK5x*x4u;G}K@zzf% zn&JNljK?wFl#MtgvWD#p`*+nv+!8_EPD2QYe=-I;O%bK}aD zp<3(W&@dgDV(zz8^a6+d39&rY6r;i`lJY7kPXDqC4-VWR<9Mc#)g-qjp6E@-;0>on z^2)T6;|NSv=~mwg2Q`bqNSD0TLCK8PV)|#YB>srmq|?^PNFzqO8wRTDnEP$7Z^Awz zOuguUyY`?Eh2Jj3b@nSs^G#8obNDVUc1vKBasRng@TN6elx(u(4~~^We2&Tk%yjKh zpM-t6R3&xiTq5@f>2 zP1oI~3O|>&MB5b;3uLmHe`OT65FFDWECO&&|4h-|e7D5ENdz3WHLm`QwCi2tD_K9_!BUuy&aMFTQhJ6vBxfi*v;QlnkrT&Ro>SoPVG@<53alAl!M}CZZl=gzy(*+-HWSYGv@oA*qmtc;khqnu0Kv1W)U>}WQ zaim1J1w~C6G3FZ0tbyfP$8600h zV>yq^F-c%m8nMpf6!LqUOB?0Mn#6D=i|OIz5RdH0XYUgq%Nb=*BqJ(#CMc5;8>l1; zi%G{QN4mCa@C_LT-!Pu<3A?JwKzl1+0DCqs*fKmu$y2~cO>Gx(#<2+R4)!MHnR)wV zTAV0<$gRo&ulDEWbb48Oec1S=1I1XY2=n3_4GPxdqLKsDqp~wT1y=ku+*4^{7UY|K zL}dGC#LHzF2BuCI@8_B?&m5UjRzRZ-u`rgrL65OR>US>E&G=eNWWx4E< z84^jp&mv>HhJ?2|7?fN2Lat`_AB0 zCpuG+=FWz5uS?#-io|M-|chs`NL|_3m>JojoSJJ zgJ^ioOOMVUffxKs$=1o9h_7aaHrf90)127%i45=c^!5@aCH?(mYBxVj-TlppiSuMC z8ya-b9FtDb=GvN`(#}h$@bzUt{Ms7q`1;x(&#smymy5&w{Zyyb7a&=qn^&~qRKo5@ 
zW81VYf-;2!A#{n~P76}eC4`)>u#Y(WtUrWMvgo|YYcJ=H6keg^XS3u4yLjWdpbeV7 zNVc_q!+3)6^ZSsMRm8&h${EA&@A|T8$&zJ1&dt`dLyK~^+SSg>IJ9S-Q*-Twfu|G$SLb6A~82fOR;qDK}4W|y*#LBH%uD>enI1BJu`3!-TlygEf>0jQUW$M zZdro8cFIT~cPEgDq@aywqh)KnGC|T;MGSIVfbZie1eWX)C)2zk6D;7z)?l-C56kb;jK{pLgv^k-BcY!mS=a zUB#}-Z=}T*?`6El%I_5!yKSBo0-_;<_A zU!J$;&#(BXvWthz0|G2xZKw?{f5j-NME4f`rhY0?UB}TxNf}piT-4u9xkGg`6Jxf8PR8vs-ASenzzJ-kavSnwd_Z@RZj6@MX#OzOx zZ>)mOWAWr944`dj)@WnC)KRdAq9*j=CkzV+qi2R0(WRxzpeUtaL~uqa#K@gsGo?Sb z*T2|dx(QP|_iLJf)%c3D^VMV}&3fHi$A-*tQODthEAoY(Z_&ZUJ)iG~J2Ak+duf=c`UZ`$s$tXfA&20LNIr|-A^gqL)XK`p zGhD5KJq)_#$Cn(B?XRgcpTrVr51xc91&=_Bv6~x`8Dp|6@StwZjt!Z@Z|!#F1U$qO zRsx?D$q(C1{#e1H&($&z#n&)w;$Db)W!?`bP_rJ)ez-Q{Zo+{~kA=jiK~)?$Ku=ae z6b=6@l9`1-C~+V7^nH|39)uXztHWcN*n8UxOvZZO&)|7}~PLcpcY zccWgKi3)jWj;wxiLuUFzi}475XXj{~;z9$h)HV4idgiN@-S2BP#Qjn=tw}QKJ0wRs z8WIq~SvdHlOy6~@tX4QtWZp6*UlcB`V0HdVUfiqdrLZ3wbw>9tfsMArnM_yUEO2H zt&@(?4YQG1+w5765hu&@7Ji?=La!VB;QQ6a6tir9>(ym7)wFrSo{?~RRw%e$pET7O z9Ny8QfjKEl_7%-8Xa+&esjAK^J1Lbt`w<|2_St2YXYW1*IlA)HdKB^19h|w{Jx-fRQ z+cuG(dKZv6&F0W`n!RUYsvIs}wf4&(%?d(=Hx;^lA$-^~|Dmukd?5@LNc}3sikqF% z+`m!o?yHE=o~@<}kd^4Q-bU3j=aqhnOCmHAQI2?F4jR_e>+<)6cF;3W~ zj}j&zZGbYs72H`r5hTT10Kf6M@l+LBB)R z^nTT=QtMscooM2BE+`WujwWHrRTvhCY0gFRD%J_QjtKy22ewx_gMM?61*~38R`G5A z;m5#qfU2H4O4UyXOXV*K=-t8{$|9ZMlrZhEkN3Jup;i47R-Gv67W8gkSkqkg**NVC zCnKXAc~<|hSW}qhnoFwlUB376x8F^gEFF@KbHylKQrX1GkTrZ2HAq&llT_zb(}JOl zp4fSHwTA~Jjf3bv-yoQc2SRFcVN7?@Rp*Wn(1Xx==(Or+9-FMFa^6!qhDo@g4j;`Z z_nJ4vWi{EEd1P~R-ZB-}`-i)^(kM+zGt3+wZ;okY{Z+q@`Mbs)SwfD^ZGJ*G+VMf~ zT0fXjC?82YWK_t-rHh)QRwDzDYz>TszRO-Bv*Q2>T3j}QDf|ketKFl8c?E94%ZJBP zUTj#egTITUV;+l0?nV19E8LaWe5s1`GV+}0Cf{a=mHbW8{xl6Z?BI9va15Xs1of~+ z-d@Lhh|GBJU5Fe+a7V-FXjicn>g>QWxSNFLvCiH4L4%0p&!sxT&@A2S{KGP$tNiLP z1lfRu(>OrKGS)LpdVBzcsZ4^0$Xng=aTqM#g@ZgJq}trElzk!JjpEhfU>5)S!7GbIPgk0FrkGoH3(gPfN z=iW#BN7va9S~bA`)pbM2w>eY!I#Rz1hIPTNo_wgDZD^@qNH4nUMJL#FHnj*t_Xet{ zT(2;wrjPz2kzT5x%-wn6_{^}71iG+1WZSL9CfT%uxzyX4`%j#^GqA)HqH-SOu)Q8< zR`1)VL&ydGF@wpk+Q$!Zc7`1QAn&JWI{ z^FmxJul}X=7e_>xv1=O 
zmfb?$)ROsE;rn8{cN!mdF>RawBj9+&%;PD^wQ9$vbAC|iUTY^3&+tDOr+U-TRQ^gG z;c)=I&`j^r#88>X9hZjVF(9Dx#~}5THqa?F|8M{H<)44EINvW0rEm~t+ke|)9mUZi zHD-NG8x0vwYMe|AUX-18%w#?v;1Fp3VkM8X9viX<>1OGQAN~{e4cZvv)Tl=XU2a80 z#c$mzMvkh-!wfyp#2up6A`A{0BgGSl{1cCI(avH^IX>Y7p%9!R4*PjGWR2}`j{X!g zDc@1TJVL%$1m5pA9nAm~(N`M21a8x`(HMl)+5mwqiSpAbcjV_n>&$X_9P}8Yba+2U zayQxQt!*EI^^H2bOJZ@uA20i?phkovB;2EsSIJ_rnERtTD8sOOl>lpH5BMk{gh6M& zuzbw4>q?Bhm7a~s^O4E-^YCgX=CV8lu}g{It4it2 zJ@5^%QL~_10X|?x+00AfjjTCFZ-Slo=c_~@Ni=BGmQ#YBfe)SMyOlY%9<@ub;nLZ< zr(KmmX@7yOB8w!n-fSW z+Cgq!V|R}-10fdEWsZS?3g=^NM^b*U3d2d62`TMOKA-4^Zk`y7ZhaS>4UGMy zX2bR^t)wU09ve0k_&9)D(Tjk$Tkqd}FyN>&K6-(=P!%9tm<&(=r8g}}$a4D|!4fL! z>>b5C(EtSpj`E5Ple3gf$s_U6*{6k>RQ#!sf6gQ7{XMk%;tRzLL2h^v(mI4+2oi3# z8aY+$h4i)jcQrDoj<^J+MH>$}dgNtMPJjA*A7B0E!<28z2^HS6intmk!GIFntaqb$ zqAQ$X*GRxmW_^wu+8#hgYCsLP9vj~G!$WL~+Zpg3r{h33!F6$t#c!tBl*}~jd>}o$ zG3kYl8EI|ns7QF=aG}Pedcj?1dEan2Y?Oq9eFfra8*zCo zt;)=iTFPr7cfruc@hhl~X9P@V>%+GbmX_Gi^qR}eUtF7-;{>s|J9BYl|Ii*V3AmaW zw4(iW5J<*t1Ut}ge;q{J|K}j2L;uG?G`0W7L11A2a}WvGo~j4`97N7OKkRunZT}cf zljJObvHo>C{s*@*JpO>V(22=nBibAlMb5HgS<~8RAr7TNLgX(gv$=_F-mrz=`u3Wn zGy3B?QBJl{nu268ThlmVPBomt;T3QDCS@&4=+k;O4#kX6l;aF2l=H{LIW0@pOpW^v zHIh^l7k^*0%|8^I%f1ycMq65jpS_4jG*Y<&iYpr7c-*@6beahgj0RT0^Gn8NZkXhj zNkYZTdf|A+L3JU>1VzUjvQ0<4VLkgg<&dW}LO5!*seS`nwn4U%WQo$F%pW@A!~)N% z!XmuN%z6U6WLfmjJFbYa1NGiy@)n)U@({$Bb_^5`Xm6Y;^52{-XzQJlyMEkoU09+5 zYl-dd7+LVz_J43zZn3+f%ib0Y6eAbHn$fJkS55e&V{2IwFnrXsM3Zkh6T68#KC5hu zhOV*<70V~dH-`zqPZb6xe+eQucnbL++raU4R_N^PG`vYlqXG|GFsEuJys9urds2I}1 z@=rY^o3t2XV#1(%2>i!9Ounc0!jsq3sQBD-P@pQD*+|r)PY8?)*Td7L^F}a&oZK98cMxn;4DLkD1aS}X){t!}W;ku${e47Bu7zd|`WcWCDk@g-j&`fP ze6X=UkbyJc?%Y40seHPP+#2D*YL{{<4U-yv-f*?Yn`DJ}#DTLr)JOc&n5O_~Xcrd) zJ&xXHgk-(kL2s>e(YY$th@Rwz1*X<(-E4zvtxU3=a<{bK0{Ckb!aYI>E5_wd{|bdG zG?0OmbG4xOgpW>{oXB2w2L+f{r1fAats_H2{lotY@BX(KjlKvzN zwdtl?7_{uJ^R9+23=EW0L5=_VVfZ~=ayiFa|FG5ptDrJBjA(EVF7FRzTa06#;@GM{ zcxZZ_&*R3DGC&+7|5z7uDo(~jM}k6y?8guADKzm!8OQ3ne-}NKaDJ?yVh;vM 
zgsT6)_Wr^}y#qLB^H0Z|NkU=et4qcIN(6&=J^$`V780D*$PZJzrD@*4{iw#4JVs1M zUPx^fx2vf8feLN+$_3z#@ArPC>%Nj6WWcYk3YAJsH_=YWZ*8!NZ3}egHVE|hujfD3 z7rypNjcz2aZulk?T8b34QB6S0y4|wSRl<0GyP(`5S4t@&g?5O^j;1=FV^F3TAO|vk zV1gXe>}03={vL?G-mjY2z)X9!0`oQ8i)-K&;&lATApTkdf<|C9&Ww6NUIQ>YxvKrQ z6H?{v>FxXJ#B9-HSlC%*ihm3DKBpuu?w8iKKyvpI3|Bs*r;|k5dMy^Sc&FqK{unUi zXxf>mXug6h{q)~dk>#{t*=Z#GOO;E?_WjlORxCTOzRPc0+Y3qRHK{Mxy*|9^zL#NE z@9==i{=mpzRWNvs{++L(+?z(o^56}%P*}+eDlq6{qlGLIwIhgdwgo)6;X{yPs(3QY zFh7p0QZ_;Xf?Q!zxJWbr#rRZ3Y72gLGT`k~#c^Cl>%|~=0RsT*<>>wqL-o=5(b2pp z(>VVs`G=3`j`~6LI22q>D5o4#${@TP2OY5N3TvA;Z)yUNg=o!*>@XHOJ|W^DHV*p? z8`Ba)3ut;{AKA(9g(okNej;02GFMZri;S)AQ8s=SDMej?I>Qa>ahW$k;em~tB+Hgh z7sXQ7C+>4kMJ(W8!uZ*%`%~!}zJ5GbdBq<&PvXzi){T~-nAv=Un=(8t#v6zq%m%Qt zNV}SZp<#k^Gz{^bv%w>q;R&nb>r)22#3_iOkpL$QTlLx2(090IuxEeO;JhuEd(`Ld z7i=v83WuM}+;+Z}+rs>h7Yk>J$3`$q znR?g*YkV;L>-VB&h*#>?36O^rEkba$RpoMkxB6%<9;ia-Q3jsYyuOPxtZ8SOg6IgNtCMhwP=$~)~X~@Z{>-QC{!|y|y+RJL*7$#nk&=C z=#oc++-_ghMoIP%bH4ejwK5kt6AGTlHm7TawvE6oM(SJ?p($=3Zf-}d^xEhvTN-)N zDw7HKZB5tS60j6iz+Pk)pDDO&Iof?Gxt-ALqiRyCSsWw1FV(S=h={$(3)D*G zZ)xSNP}5IqrD2_#hor3?H%v$aol9c_a5OC~Xvu9YBX_<|Hzyl26BC>Vg%7MHKb`!n zmqRz!Y}|61urql=S`pMf4cOr;%|OM!`aTC?=EHz1BrDDv{DuA-Qp*K@p?}g}=&wH) zv`*6&S-bjg7)#Jk)qbt#*w1gg*C|S!(~ zv3B#Q=Wj~C6AP>UeSb11e8M%uwrA9LhnZ@bLZwrvGCaUr=+_!P!#32k5xuyWL?n|k zr94T>z~#Wk&T&D8i6~$jXkO5a&`XKCDp|b-5|Nc)LrLMYPcNOLST8)F0Z;vzETvwe zX-mkNfY%<~S@<)V>U2*Y-b)nYb4@lUIP(~+`!+hLQI-bi9+_I@$KAJAJ`W1qYHR7~ z>n2fnW~J3S#??bjp}$4o3J)60D&#Lqq^2<1~MbG$WR8#%8eP=!4CX3BbYKlB&4&zTIqED#4HSUqNJ>MFEl zy-GHC9isrEZ&x_t_DNSoMvix=h{3rYu0yOtjBk4ZM2Yac3Z@OEn`_z&U%gKyJ+ ze3L(%buG0^`I{5!=(X35`VLWeT+vn|m-tHxEVl-}jgl=7Ui&klx*PO8ArgA|Ku2a8s&Q$RZFwL8+6w){pQ__s@(h=S^PLJ9W-pNJI0d>(& z4rD91@~=l|!s_x0y5h@Ol<0-|{@y5g`i>MtsBy#S_M2eQaQ7>;JMBNHKJ;cYJY(#k zXG+v=1tV%NanRWuY7)YbRp~Y)p&%%*+xNvTL=^SUHcO_6;T2(nFy=*$4jkIEkZ^bJ z3=0vv6YC(4oSkT`Om~O-#vW1?bb>n=0D1RgI|LKD7t$*)N-EpjQ+O!T=!?MdoV@z} z0zQ?^m|t8yxY}yhL*MXVeGnt@N1@K1XnNk{q6QlRzSa2?eeqFXEmqs 
z0i&u0m$F;x72}VsKAd?5DFYA5R&r(;w?WV&E5T3uHRJIieSa+WKhOlhK*2Q#7*1G! z^PfC7ws5OrFN`{rQx%}zqn5Z3Nv<4N?SdG9tGIpPk^Bk_d#}piJAzhhLRsD1V{If0 zdpp8wb>{|ye{Ry=jKzlc>`T1YnT3~XtGgrDcn zMD=Yd5eyKsNn4iUx5la!tnot+h=D(t3xF)#w@X+w8E_G zYi8O;h}6R3T&F)*Uul0%iXz|fqIsJoL?d?2%^o@7eAcb4>uP(5Q~MpI@yDHdT{w>C zSzfE~2TMC${8u^Wa)rbN8S<}!H1sH35>Ba`JaASTIXhMofIU3od;s<`GZ+*d2vZ=hOp&>yI7WGt8U)foz1xK4Ify!0j@kkMwZ*J4Arc)R9DLv`2Z=5~pDi%gTC=R&_S@G@o$wNlZrVO!1dM5gtje#5%$^0HlN@E4 z`%JZ%FDxy@E_-J&xXj|A=a8)_YAqlb_OoVG?RV!St}8 z+9oD3G<=F*CE8cS=>zz=;>0}Ss*bJ3vc#HNDpewrBPV2 zM6Ai#(hTkuBNq;dgr(p%5n>eWOx1B-SWYGPcjGFa%b25aF^?WM@fpFhdCg0}( zPU7q#WkVwg;!gOmfaN^4zpvmP31U&> za))2y<5_6L43LgKzo2^X#eC109nf`Hxu7Dq|aiv#NUSG)8VzeMuuZ`Gn9C8~C9<9Hz2LjVQi@(j5M&R19(Fc9a>J#ZYS7C=B`* zeqiQZt3oHHd97HsuNy0)Y8{EB#JUR%9kEYTB^~WIfAh{Ao@FDIxMZc-O@&_2{)p&4 zKC|@AGvLJ?CX@;rXozz)j7~wTg-#C<4R+!3L6rI?smT2~3RZCMK{ulLVuzHDcu*;< z_=VDM+oE#RlBBWH=eRWn6^7Q84^x2Rt+IV?226vcv@lBaM(X6W7VTDk9)FO*`s3Pq zDzD6X54NI9G%fo+2o~0RsnQh0@sm}Gt_5>J6tW)3jsQ)neg-VEaU-qrxg?7gP1KLQ zmAy6ER%uc%A80GLlGoN_B~z&m`$!hQ9W^Iqb_vf#v^Vd<$f}XDC73%d2}h$Ji;s)# z;WEkYBanQVZg3xNvNzmVJ0JAV$Bz~-bQ){>#fV_4fm7VxQZAK$LrD@mOPWv;aBO|* z(&8s_nH1ZQ9t5y^M_OkYeRssKVB;nc6kS)|bijis=RRMo?ltWQ`ZJs6Fd1b@4fH+@m2My?%v(I`_!pA&wln= z>secnKP^Vcl>N!6p~v`$@~;mTpJ)LTBMFB2d5EB2Gpn*_)b-?z`VzJ zZm6%n?qHf*D}WSh9PP6)sL@#Oi_5ob6G&^l(~68iF8}eF{;3D0xC$exvQ$`B3^?ajM+`$oVfB9et3Z~ zfY?gd=kJwZBmy?)8;#qUbAdvPDY^dlM>zTHCbKf!vxTEFHa zyCcIhrz687x8pwwJ{bfOO^6-tStCvImapZJ`wQ(;X=9Qt{dfgEMhDMICpLiN>fc|m zJDCUE);T&jG_M|ao^|th9lyMgw-;5LV8_gsIn=aouG7;F2k z$F60rveyFQUaSpm3qQ{75V^a)heZ68KXF!N6Pm`x-wFEzQsh|toz(IN+K>GodqbKS z%QQ9}{y|U>_Ms36DhGStCoGyLl|@e)rkxUSRoDT#^hxPDS=5}1u9wOv3k^yzM-@u) zh)7FZVTDZe|%%KqTHs#@B@x!LUG@6{p0ZApoxj}aKVgXZ<`c1RQsmn+OUht zo=frrO4YwW^6$9$l;=|G7L%}u{4d?j_7Fd-I*2cIg85Unsz3Ez(p$tiAQQ&LQGgGq z4+r1qks~{FdQCoO;szO&$4(X*?9j`&w?Z3DOIu5n{> zEZ}QJ#%%EBpC}conAMkSr_kk~00lEUQ{2XCT``6uFvmH_HD|x^;DXH;8PBda-JIh} zV_Wv~w)M@gtmpBb<&@6~Hl+4!(wZa*{UlA_A_UqVMM>op$wFu@PKM1ylrc 
zf$MtTw#~V{B}6&xj+1~u!x(&aRiC6Yg1-A-J?Ck?1#x-YJu}p`64s7Cq03YNotTT8 zBg{?(YKIx-<{r|bG2ARO*kPLgb+~GxAoGnTztD8nPulKseeOkqb`gXe!qiD)U`%gc z1$69K+^V|Qeu|4?GMdy9q?@-Ox0%Pj3^-__sn?2AFi@93$Owu^&Q`EqtFZtn(;!e3 zlxT*yffuc}>(opjXmHSjrVa#J!859~VwWQ!N)e^+??B=vLbZJ09H7v&G-B1mJmVHx z#bYqcriukqL@oh0}AZQ9+z(T@ITdsp=pWX4@Cs>3TK5x|o8XkIU(?=zkMX zGiyoEEhCISkl*f9GYp)%7-6Mw@+)@t_B! z%8}oCEm#wG=pbVCttX5*)*va%i`? zYwII7o+R73?j!<Uq3xs46l&>+1~?<}mM%~?y&`!feIjK2oRFs};t0=8TiUxqT=Toc@cS=jE~ z7;qY%;d4((wVULXM8X71-7w`XyH}8|aE@k$xLv7;eI$)>hXF!(O;IE;gJhmtLx71t zDW0n9Y{CS9aQdQm#$aCGf7_BF`kwRy8o*PV2lU_!16NkqP4 z@^~VVY>ESJAK(}}FRk(2q0ED?Fnc#U*C@!)=8=fon;wjJ9|1KnwM4g4er$B07z+IB z=v~<$sm#&BWt2bu#u|`Pr6{(*sUHcQ+UUJ!z?OO9tqXnh$Fu5y8UWAd+~Dz{V7E!k zoYqDwbYJe3yen_OTCj(zO1kcvU6fUBa-2XO#MQn{1h|srSTJxUMMe%7L+F>gm5Bx? zrj+NkzA5n458+&=qj2gQ+F%8ucWG7*9)vfFxax!Ie}yBfIWa>`w7|IeF7^_z}NBY5gSUVnONSH`64y zsr`3zAK=>#31^43kch&nuF1c+vG?0&0C%i;+fTk5Ap|zZtGvYPb__Ym29aGJZ?8lZ zGtJXNCQCwUKlnBL>Y+1ZuLPlSe;GO5-psf??D6&-Z1D;%s$WF2%ngo- z>Z9|R^&|YqD@pfI8f}5+u=h{7H4vVv-5Fk01u!1pP@=c2FNY|zcP|Yr;C>rzAYnE8dmIJ zZ2BX5!9WMP`8Z#Bk|}0rO2t=Y9FaXoSE9V1g>AN)-QK&5pHbBwoq<7nQndS18rfK4 z0sZy3F2Y%VkZhIGh@NKeCkP+OP5Avut;s-0P; z?5<`vlVYq0%XhStSql7iQ9X4Bry|#nbkZuo`bOaOxEJKAo7#lrLdo^@VhBOR|DA(~ zjDED}KQ*5FG7X&*!I4!Xory4Bp4jHVYs9K3Ck7oCbq!|)J!h6J3}+%-nKZqUgxp;U zL9xu>ZgTbaZVJ_Tss`gEVPAS_`ChjT-DBF#0e@-mAj6y}CJY882IR&)Vo993eYXs= zlFR1dMDLT|-@y|T&%T=1Cit{%8xg$T1WXY;{4zMgYLd(%bU6=9L18Mnlp!(!Ame4* z(OkNu@*8n}TG{3xOa15$Ly3~hwWo@5Dt1fqpFGA53=RxEBa!UCXG=h?WmTFiRrT8kU7S;TC#JFp7k*R_B3qG@~MfVAe9%~vX( zQ5_)I1E+w?xIiL~Z+LRmxAyf4AR#i3q1Nu9&{3Y}XHitcC{Me>r7!LWr^@YOoj-2Xls2mCo?&Y$_a4+2M)CB-RSawTva;uc4nmJO!ttB27yaUK zbyaOHo4@bg1-lEvDd7zyjHA!rb_w_Ro=tW;H=_5pH*iAZxuyW~`$q-~**|+8=XGIfigL9i=TJIYraK)!o^-Z!3 zp@Uq}r8YY1F88639gSwRbVfMwPh^mW8g>L|TMD{8S+JVeT;mdfX@qcsuO6xZ@gfJ$ zE(9A~6E=;Yj1xUwT~xn^Sc|>-w{mpUr{4y&L|Yu{6jmsa7TBPxcV$)K6918gPf0G$ ze{Ah&Tf9XkEa;H|KMImO-H4RzaIUnW0{g;Dr4)C;j3cnn8_{F@|=Pv 
zlr-~IURo3sOl0F6-j+8uI38DWW~su6Z`X4ADI%ho`637%2`eRiJQ$-7t5WENSPd`wj}K&t*U0K>9Fb?*SE3S?x%{cjH1d%3O7EIad3 z$fHVa%H5?aiqRO`-54xj|H&k+@#e~x&Y81VV}5?hAa7EW2aPnDt=F@46eGzne>+MC z|2i8QYO!wTSswIC&^C@i;`F~e<&i3uTdeK+iB-S6KnJ_OUB2Rh}})C{WiVNU@8ZfnGGO2?hW{H?Dqur>`umB z``35=l7?*~3XO*{uMjp6Gai*i0t&5D#-8HJX%=|qJoc8$%&LUaLBlOdPPXdN;pgF5 zE&LXNip3`J9gRSvfuqrp9Ke(KN~0^u z;y8ekIfchn`@aeXQe!k^p6;GpcVaNuC1wMgV3TSL&EwpKH|dTOeV0QaN8|=w=2vGG zGdE}_I(mwAiTe6Fta->E%{?7~hi-5=oT;yv;Bgsj1R!Egbad)oodE;rzM~?b0W~5B zZUx-?J?=ds>y$5fqwZs`ec3d0D+a(vs%3)|z&e$S$2OJwxzQbC&i89CNeRG@wg&Tb zo5{mxn8}M^8r8NjDhef5qRfhvBi)q~@rpZvYt9}e=}17c5#r_763!a|$@1`olJEVV ztat(G0#zQf9WBp~@QZdaNHo=pF9j(59?gyl6Krfk8m;v2%L>lb$+Gu2fVQ1HVpU(B z*L(00szS9aij?X5O_a{|mOuGeDjM8AM}3SvqKc`PVFONrRJhZ&yu*RLM(}}w0<}r; zEF62YI`Xn%R4TH<^5mNyiYvr-`4blS2&~OMD?@cBar+1p#Jgnv`HB8~JvnKZ5D&!y z(aOlu7cWCoj`3b!3qZ#h@MbeNwCdWx$awpF==tAs`oIcT!IUw5@Qq}Bb7X^Hb=(%@TVliKT@+UJ$&C%9;#{V%CG zsRV&{ibNxtO$}`W=KpAVnokH?0*VpnReyoPq0sjFQz2xQYJZb}cAXI3=AOnV6`RuN zy<9i-`7AY-1#T(>blSS_D#s}3e!+4g* zCgHc9PmC#3*?Ggh0Hmx42HW@b#!2!7H^B^xw*xsM^#rskNmOEm2(=YLRu}c1Hnh#YYUEnh?&gj={hf2X%c6N^r|aEyGo` zIY$C);9tE#XSCU2U5?dwn`Fz$yESe5F%Hg_Xj9F_`6c+La6hDT^8IQg*RjRZb&2yB zlsxPGeGHx4)n{w7bB%g8_25q@OzMUqkqOPF5s?Y)rZJI;na_+s&@3if%|)2%d4HmC z5+|tXt(j-x;a^L@xrW4Q&=FuSp~2{X^@#>3%0lHIe2ErBZ%(qW-f%y|HZI=3uw8TU zG*RI>xnq!BbD;v_H1RmDYcO9ub@myylk7XFh(%>R{r?=a7jU2LS#}1bfRn1R|KX`u zQ?gFg!Nd3iVz!`g$~JYTVs)7|nQnGp8QSb_TC>6Inbfl|K<%+v4N#?e z;0erY=ASP`2zE@Xqe7N7Jo%&KmsvGVf1Ln%LmSAjDvW4AOpN9WE3m z6~DkOdD*pn2CH&ZcVyYnp|9!+`KvAW&!EGbl|UIZ0+!|)2Y3#fKnXMqS7WX?Bx*&p zzDSYe)e~sa0vs8u`#>9bj4DS}GFN4_V4!7sTF6nFQ0?I>sKP`pFqs7ASRK!(gU0Xw zODAw2+>A{iO-8;LPC6ey4^Lu>^U)#8pDwE~9)y~Qh(nSJlGP;npELyxMR*xRj;%LA zPwsCaVUJYMs6IWa)c_Z$S(XO4s!}aR$3$(F@Vucv9y-RE`9SVhPqOie+VQD8{Nn`D7h9jU^A7HJK#QpqyZnVcLWd)fjt^#S3>#IMy)rz9i)ry2M zjTnk&7&ZPIg9noH*Je5d;m2|v!OFSs-wN9;C(=GP6VpGcaB@Wq0*G(@9`HBvdNH{! 
zp`(}>X}iBH=os_3#+ds}-hJX#P{;d$LRcffqr#2ke4K`!SVb$U3MEJaHcg1bEl1m6 zxCdZiW_%1X)@xFX`o4oRYBtgwO!G{Q)-|5f!La(o8Rcjv5MIR08R7u4%$*WJ#a1Jp zRA4EAw~r$kEkV~}lO0|+D^GP9e{ir)t5vzZPfNARxfZ?y7u_tGbx=mJdny{W*a8Po z+HCCRZy<%Xxl^5-UI`w`%UR6-l|^^XiAmuK;at)_uYs>}e*RtYc6w*QN010C@n96; zc6A~P-1!{s&}{W=Bf(e`jc*atr<;52r!=HFFsyN^Zg8k>vUBNe*i+ytrnwZyZ{&NQ zagNiJrJ@fBy@q8{lxC?o$CI%~ix>ju9_X%^gvj}CQI9J2FE$yk@8G4C#^wLx5+GRt z(kY01G=C?LB?&EU@i{=`{?>Wl9tHyK!Ecvu3+Whn zv@OqF7ZRYsp=1|xyRGj8=rgy~Vy>!(+0nd=h!Qr+A0ODknq`goJZy>7KJ;~;;yk?! zW%Z+r`5f*IM!d;hE?weh;yjTD^cOItTRAM7^(1bmCjJ_CkRH`Ed6ynI=m{Jg8 zNy!IY;je1p&w*j8XHLT_OOifz5T;5J-#m->Oi|UOJD+_&i01niO~rT{ z`HX!Cer70G|CgdxFxtFDRRFsun}xp?bG`z%FA-4zaiC_B6hFTkfT6$rW(8(4P(zSh ziK`A1HXQqx=gOu{W+u$t>Fy_yb}F2T0Mlzz*6J&2r!e{l5vRVzI_*vLz3VP0jpCoC zV6v$bCf@In15ULXI&;`5w?Qq1TH+>>U zl0KfFA34LiaRf#rsS0)c4@)$hYH4X93P-m=*Zff>ZeX*|Lk|nUdV*>Fn`~aAzRuK)$vO7)JZ@*#8(c&W8{#m&^s*32#U{ZgW!Fd|h7Cu0 zh>R}Gj>%WW5;BVXw6{y6rsZPTK(%qrpGPb{o zm8c5wcxSG8;;JLo{RzipZuyuqPVJGT-e}5sSk52W9}%#a^$WzL6#Qo$Ly}ZllaS+? 
zf$nNoE!xe+^1$;eg0RiW{pXoDF4DDA-4H%V$urZUkfCG~L8!+ZOVm{*gczY$GS+*F z&to%ule`LTnX~BXN~R0-~M7v|6HmVSu{|6_8+Z?uW~EpB^)t!xv3c($wiI0In4dk`@fK##s7vuw{cx96282!hSV6bOjN z9J%d&3)&uk!0U%Mn5dJ4RkTsPlh#=DTn z{U_Zi*%W1Dhzgk)k!edzb5UU_OwG){4Qt1|&PQb$GcY8}?!-(C(;nV*p#W2Lf7H7H zBQNWDcfg19~6f9CV_)AJaLL4k5p8%o(ElDUx1#Qk7M`uHOCC z#%Gh?xPKnGnqq$oFM^ET+pHnC`vR>C|0Ym-)6K0>W3-`DC!*8SYWF55XAbsbU1`>B zjdZn7WZ*t<(Ff`N$~fiI)(RN*F-0Ce2NN#c42dzPCu@U9cr1;W_Ab6#_!u6qvN|Lh zn*U+HmOiT`Uc8d4W$HF`25W5v?lV%x#QNZ?S;5EL*`<1P=e1*-2lHZY%|F4yG>TZ&*4#MIkS@eN|E?rf1V4=1hZyT44nl6w@dp`9 z<8jWQZO|SjVy*8Bq9Iy-zwNp({X!7^IyGl0J<6JU_sqnSO9sid_dqKMCKzr1eXuGn zip^adVy?>hen4LVoI23_yM?sLnvoa0?$^I+alIAPpdD77pO=fxdplI-Z{G$CY;7MN zDKMO5T`r@!Lg?XLxI5eRYaAWCa56iNaI;~aJx#1;I=;kxRnoOn{LRG9L1~$WpP87& znN|u_#B8POi%_)!{ws{i5o+~#DjENIaPj?{u!MZVVRl_BjWRHl*`|@GEL`f@f@xXc z{fx<~n>%$+d~KUoeAy9v&;aF*pB8<3){H^+9%7 z57gmfxuo0U@2+2RL(}?O7#PonU<#39(^rW84^6SZoq5JNek0BFj{F2uvOJT~FV1KP z4-gh!$6K0BQ?GaW6KMZZNl}I74qD;GvtGLyP4zG7qrd+b2=x0^cU-&ldZFvIAz4vIBT~ zxhrb^4@Viyihx_xDPdSQ)ibN5dwGW0j*@9Pcj$k%0*MY>x#bwDU3r?-LY7?(oU0DJ zJcHIMg+)1Yf09~sKfnY7+I#-0{eJ+=dZIQxP2=d@&}&Z|jm^DnRh9bcWi| z=PvmcYTbVFu-lGqj1!Hg`+wR$6Lz=i85y1bOW3>ewkMhe1T)R5XY9XM;o3^(oYy(H zp$EZ6U(#D}bfv(1U}pb4iU9;&G!M*JWXucZ_k&U+gRjWfLd2Zh!u|#zeuvK=vO^Lp z;OAI8G|o9WN|00wM_*Wgr=%CUo^!zhJt+LHg_iHK0FlMQuE0UbO&wG)8e=l_ z=HVFKe?`d;pOErIbJJ3^0}Y91PJ^D!PM*IzvPSUKhsuvq&zgx3#|CwmRxz;s`*?N62Xk>9WG zf`JZm-Ss)R%?;vW4}je1%FBMs`k%X|DFiX149hl&)XFDiQq4w9&sI^xnso{BU&_RG z#()CHG+BA&Z=%2VIF+=B(^Zfpa@3H)j&sN6bi0t54!DNj!YS7`GtYLS&|pdbKCB5! 
zaZ#8NA5>Cx0+imLCZzM4Mvx0{1oJU=zXYlS_d^;1yVAxUq|DkddB+*j@s`(rHjlMP zt{QNsIBS0gL;CF)IOUHGOdTrV5(tmDibi^??dKkmBq9f=I?Q*>Ok;9B(`s@W{~%9O zv^CD+rmpJmC6rv!lO~$7XWd5}IB=&ZG5vW8;y40G&~u{mI=(Gm{ROf9+2yS`gGlIYkvCYL-P&%k*DH%OQ=J&IY`|*!_ zJ*MRs)Mdt_IH|=EoQuO2(EQ2Iak=*3I%SUwIq)sM=9vs}WP*guEx$axDZL|>%q>p= z9FNeJ6H^V%DoQMin$+?}?+WS0|$UQ7si1U(HdsF-krx7*cx_ zEA2o^u2?j`;)cK1gs$FFf%y)#_r9>IhdFVD(Y@UoJb9BJ)pKYp&;NX=Py!m`lOVs8 z>m+;`nxfw7681i|d0LOD8)`l!xK=9wiZEpEpDAHg`CpF*VvrijzG7Wm^u4nln=cnU z{un5DuB;>fI9ByR=>7%Nek?xQn!bk($yr}|GvGbH<(}(6c?#z?iir!c!Jd-gnO&6( z6VFJDus2+Fm;Wx0V7}CKsuoH zp3CSX%q^lUINzh`$AcuCnjXs9d03zc+ktb<;ZkQk;SF>fwkEt;5~hQVw+!dT$_B$L zhMOC4oMX90$eAsU_Hs<$cp^=G-;<;+hfAwGF)L2UQ~arg(tyD;Q+Od-J5K@0GhCO_ ziPe5+!XpAA6G>rnXF|0*IPg1pD@m2ewqNrp1DNEaO*RbPNaYQ_V!@PjN3K;2L?2ei zkb!PpW!;PKkF?WV^oWy$8`d5nbrp3S+5S5gKXTc5RipgZ1wB=wFR9p1kpaLvp#h zknhg{9we&34-&qLLqPOyk$AR(Wy`G1i?E_RC+3Q|-rH<6XA2&5)v0(`iiTb{n`bF~m6~N?PMd~%!AjqI~C`H>w zo3lcc^xSzTyTKO7y(rDF_9sZt7BTKt!YN+}AD;>pilffo1+H^C1Tq+JWQ5mY2TkpR z>4y}_^Ux4UNgzv}lg7sUUPV{r*}fkC=1=g_f1C^WC{23(xe;_k##JrZ1sT9~oIkLy z6*yg-Xha`P4%}U)(HHSZu8^wI^ex&2J5XNy2SY9kj2KxQG4ONe=2SOYLt1T0&Hlcu z{?Cb$p7uAqlT8Ibr?(Vcs|)||69v+k3?hwX*5-|8=f*{Z?B)KI{h{5*k;%{{Zue0p zP7V$}99%S<3%qXfuR$)M%A896k*^Mvgv1lxePc}<)@-}&yf&184V%ct%4=?+C z!DvhFKhh3K?gtg76T{<)a$Rd|CX@JjN$eY@?^2`afMpCzzY(m6@x&uXzZafKX}W@Q z@XPi1{U1!=ydEv|1m<2f?X*#~6Ki=Sf?^WRwh890k!eng?9xSI#d@6Ic9O?-ltZs! 
z6y=`<2PV^KM)GCFD9L5IfDht;*)WQ2-Qj)>cm-4Msd(kc>kpw(O>Vja$ylM_2eZUw zUb#_+OI7MNK$Kp@mPb- zk;<sQ>nx&e}*b++pfA|GJxn5;YBOg zB|9!(Lrs76QA$3bNFk8@8S++;8XGRR!A0xGa#`zTu|_K+^Po&Frl--xvhn`s(_Kr_ zEnWseg}Z(}m*!(*w0@m&Kz9}=?a9g2;s={IThDBVI%nBVHZxsLMHrs{(l_^UfaVa_ z3ElyclhHz{h5o?N{w>Moo`cAzx=^o;7-?5nQDlUe?2UGLd2`)UqRc`}l;TRZ4Ir_< zO{uKihx~#%%0ha~Jwkd+z0~Cpca_gMVVfCP*|!g>M#Cky7WQMPPN<9Hf6Hm;PU`-x zj6!ui9LDrJa^-i2L%wkl5KE_+RH~MgaxrvzDg_UBoRhAo4^RWo{Y`-Y*#*-KJNgV`7w+NHSJXxlX)dMaXLn5L}3K<@Xzs;@UK}G_k3ZKHXbKH+{&_Nin6t>?Wa%tHpVKpd6T=3F z`Vzas7CWovg5!TBZMHMVu>XjchM(}L*i|ZhLNkx(RAMY;Hl{MM6doEm!eNHu_Z1Yq z-|`@2sj2f8u%tfS5c7NtMQm^4p95ieu=KW$(7Rp}BXBHeTS3TQiRMYZLoy=;24Z;= zSCUxx_CJ%IK0zt6IxqlF9RHb=$!&dWIMB^G?A(i(`R>)qrV((mJckg|FgTKgkOk~1GK)Ld#nB_734UgBG$RJyDlprd zw?%u&d$lfwEX|n-I5^+ba!;4&&z7g$vIAk6N#>nF@)Qk{N75yv&A zxPtux>rgjK_~oI7Ob0f4+nVP~P=Zk)Ik0A>`a8{vrK&=mkypgA%Zmvm>yxlCuU***`eC;4ju(Lvu`k+jFw49Qj?z zsFLUj7r$q8`35C%Ey+3hH_NTyivd=(KI|ko3+sR+(^a+{8HN)FMDix9lFl%MDnRgE zwVd;fL0Z*2_XSaQz5mMso>9Aeh92h2uQ=@?<%;fSlwu6$7B1^}oYQ`L2AG0Bkfa7$ zZVwpJc;5ifzONy*R6)l?BRH-pe7-sU67;D9#u$9xo&!ck#kZ?ILPEVhKF&HI5s$*SKb1FKxRa9ioyNv$ar*-x_+0;=-f&}zc9*In4>5$#N(itTGzo!s#I zS{oX7kDVK|L23dJH6q5WcZk0RG(32>M7DTPKo_pSf_ z$^Rne3X^8xmqWBRKsX;3M8bm&)oA~BLKn$`xk^787+dsX*cjmY1G z5YnU}nm{Cpu2+!0z+gA`cQQf1(99?6OUy;Bg6|DIxp5a}I7Jc$H_hH06Qx?^?Q*2z z<8}`$Ev?Qt5`b(Wy1wYx^5&gIm8jPZNWIIvY87c9q4_^hO~j83{{@=rX|Cibhv1$m zw>Jd%_G!)R7tgFlU5kt#iey~yV?X-W|8{qXwq;IHdd}$#&kXRHuw%YyW9zYJwTA(0 z5sB~=AxiZ2e;*_3*~?&(GEGK2tQ1s@t3c$8CFy;|c#tc5moeSQo(;}K)FTgE>ev^a zmDs!dL_3#ZS)RAS2mo){rRs_1=ULnh{sR0p?4P$`+`)g1*nPFa0%i|ZeRyxS&}}i8 zVLLVBx#PlGWlK0t&$XIUcO!WObJCSvn6*mZ6h|hE=VFyjnV0>El0G%Y;bHv>8)EB>e2i znDH-HF55H#itI^kvg3x?vM~}9BQArqo#=!~t>jtsB8QYRkyL5rWme}lW+Y~ied~a( zr1{y=Q&T2zFaS18v0>1jX@9>E#qwrVpwF=>bbrOA#oOVruJ93VltAS(HymQgfwo3Vgs#*bc!03%Ml3X8)cGz z3l?Xvxnz*8prX?uSdn(lWoqJ7qM}tU+L%?1QVLYp?C08YiSe*S5`)|ll#BDDCJ*cJ zLmlM=)pEruC5k9&6l46Fl*>ux{uVfeD5nyzrpuhvsCGetjY-!~Y9iMuv3f4YWC}3E 
zi4U*>EXH$&MdC^;oPtKhiRM?bif9y)jG1=T7780qk0<4Lk&>8_;Y_;sg(>rX{O(cp zLhYNtF;12v#>7O zaYF=4bsP`E;xoB3Awb z0@!ua@Cl^b_AhYH`$~ohEu~+-ZEzBI&mY1HnznQq#QbFfDT-%Pv<#9m4pU8eTgh=k zJGYXJN@T#)0pb)CbNjxuhk;p-f~<;!_iVx9z$>r5V=WEDB9?!qBUMZ8R|SmhRBc7a z_*kMvSVtZCab`{$Z5sB@-Z4ka#t2D+7XYWV@Y}+J(w9?5g1SbCd;->iMqH*i^YO9D zk0*6l4(^yS7MEGRcK~*XGW73HNPPziZv`s7#6H{TwnIgwr;-8Vk$QfLF9-GS2B5lE zOnhlGTDf05YYfAuS@%*Yk&he zW~&iY&Omqey(+n-RUW&$S;|sa%Gfbh`Q+bM7hzRR%gCJr5f6$yvOOV^MsWE9Cs}vTkh*sO(x^P?vKk< zdY=yJEEAkV_aV29EAKZWEu5jWLcmT4r3~Sk3j1>bLu}bjlj8J6g2j^`Nh{hJ{PwqI zqrUiZ;Ry6G0e_7iLC*1&N{K*t_a`lmoH%hpa*;HG7UMe*XVD*Lz`3r43-{Fd3?FqZ zs7i~u9E7Q&Ig+@c<}~~Ww9hU|F7x1I90#qDHKK_ucl^PqLTTj+n{42Nv%F@u@@HSf)tWr2!>xs6TqsJ&%nvhF@89Tqz%(!kA zdip%JIdn%?m$bCDAGA6IZer7+juxe01yo_2W4BqR$F9G>V)7W~`4f-$W1RS2|NLBW zD{57Z(;YTrZQSYZ_^Shy(HStu&_r8Yq{nI+ZNzzeSU)KCbbO#zlt$0+swGMP(e#)( zNLN}XWd)`~%Y>&TCdH?1On8^0N(7#U<3Od=PpvYcVK}q?@LAR@p;F@%Z(TL)+0C`t zNrj}Iwb>=F>sgR$9ksT9jH%k&uKWJnc)frweXc`RJ!tHw(P!wrlf}}L$9QG?$}BEcjUw9${-UCPWkp&+TOG{Yri}Y|!`t^>yi#~C z!?k+42x!IOPa5hR-Szo7xtm?n(wXzLvTvQRZEyKQBfRAWZ7E@dya4u5oA|>c$@Q%` zhVp%cfrDw~N16^^(B`tHo0^Y99{&rM&8HDWdx*jq9U zB{4Wwsd7DHjsBxKr~CE(COJj3ZBNPkeM`xKGhr$nI>Sry7Br`7ptq&H42Lh^byp;+ z>e$TMX~io0sy&iX#ph~bADv!5dy22s^!Zf@XIrYiuvjjS5C!M9ZW}KAOKAPdpO4}He1dJ>0~LMqnrBjq)}?zz*{|l6Czrjh z&we10)@vxLA_E&xET3neegFIR>T8D#0nVyx2Q~Lr&@Z2_#Y|>dZ}I;34V#zjwfFZw zZ}_~F7x39X9{SLm{o;xtS3<9m=J$#@`L^uG44pTl0F{OR6R0+=ua z0cX(>=AWgi^SRBAf;o+?-k@KEhw+-+kV!d7<+i6`S4*#5`C%+~<8BToY>qoU8mdsV zQGIsWJis;iHj3kbuXe_0fZp~v^9(Dz=V)S)s%3Xk(SD%(43S-YcFL&~7C2bjp2wGG zW59n~g^(tr5GnU^C&09mF?Y!^Hc)Us>+FLux>&C?F^T+pA_D_{tNQkDttwg-#xjw8 z^eU_kdu2+L^6p_WjuLpMadhj#d+oWO^COj*;Xv}nEu(?Q>s(J(0xRR-PhHoCFt9p1 z6%>L8&*9sqo8inG0U5!*T2YhM;apK{)&(5e5;qr|sGmd?k+de2 z)Yo)=-k_}YZr^&TAVXkK%w<(UmVfg;Uoh@hTSGrSrZ~1>fpxh-{6^nfsdYo{+=(FA z2m{C&J(XYfucglhT3-xu4urMigO}m@yg6{enI8$E$FPGY~BaU|PSz!Ph6my?TbB-bCkdGy!rvVy?FkP(uz zj3M*dj?f8^SHm%wbkXhbx_weK~|9b}ZmOOXveuji?txV>m;_d=R@!mqinv9`E!3*Cqt%zgqXb7dsyWgRn%S@pJl@j4dZ)e57Ss8t;6Pln; 
ztTLj@-)Xd_B9gZm)KZt;J)Iwz6UXwGUYdvKCr!Kxz^S(xlXnN@^nbPGpbVUNK^8qX6}b#- z2Msh$9WDEB9@{;J@#~49`!cmp$qiaRwYE^4VNu1dgS3|#xLPjs`u!oW&Y|OtU0PL5 zd3{`f9olp0wIt%psulUzH3pDg7U4{1d zm=uh%{pz!8NU`~tjT+fL%6#mJ`?T+wGvfwH;kZerS$D5<>WTORflg+}p8-Q9PFBRj4tGB=i==EG3k@)9DL7znn4Gq1 z?ZOhE`d7||@O$xx@-^QhDKpPuTyqHTnv7CjC}>ipOmA_AL2~!2N=%b~fe*Hs!zp4r zAkl_QZ6rsGKa`XE%c7e2is`)JKM9di*BoDqe~=KWX5G{?Vt6m>y?Cy zSPrQie;LAIjUmPn=EFv_LfnrD!C(0y+md;EnZOpphhv|NHuEpw8*m_<-*#dkwUWUUAdgwi zjDw&q1c1)q6@0#p8V-)$pFO)>`NNr^pOEc>M?3rF$Vx1+yA1mZXVN0aA}5JsrD8Rq z*jhGE58Dt`SL-C`37|OZ=(HHn=7v($%|yCSU`P0ygml4HB~#x_k%3-KHEtb=9Qh=; zDz_PQKc75aHr7$gSmp_}J{dZmRu|zOHQb77zk|^Zsna{TURj-&YwO12266@3zJzLq zDVC^eQmN6g-$v`cNVT(pwyt!P2{4~snFP0xvLJ+J!SG`+1!T)D*(fHJk<~sY7tWw6 zYiJSV6&|AeIrfOLrVXa1E)83pJhoV-p(~YBWih4KOE5!6MGY?bU66&W_RjltD5k{t)ylQ|?C)ku?wQpk+w|In4DLJR)Ir8Iqeow*EDfu;!6;fA| z*mrJY82n>ue!QXVJSXeSKzIXv!kvi*&ga$nvL_2NnUUR!qd|zjOQp zoeW8)mQe2zJ!bks&pRPY01Q+$m%LDjf(#HUgT;OuAQ={(i|^;6l(`RQIo_9vNd>tP zA-qSJ}c2T;l%BXMz+-UFp!#On;Wd_u|n& z)06oDpbz%7sqFXd@_s{=n!L3Y zfpNJE^ck*?{n(5ADVh}Y+ET5+oN`Y3I!1NwDMh3+s<0=tp*0Nvm;eyNxp^6;s|(3T z*(B^HrOF3wPC+&|xNYCcX4b^@)as8{RiqYH%Dt^^AG@%$j9ry%(GB(p6HLU zH7eoU{G|}z=OYc7r^{V4rmho54F+sYh_`@(PKu=tB?Ks4f^xCP4!K~5hn;q7_h)oY zKLVf83t$$~@6A-zFvkdDJ7EQZW0y5v)U?T;pmed8X30>sw-6Mjcj21Bj~#2l_M<*> z1bKjvB6&YG4N)p2)aQgaBGQn@Im)DGo&g1>fhd<~(M3Y@L`){2r{y587;cBpxMsBD zT>S-smL@i<{>SW?h zr86q4Gw#q#lL1_;A})~vi60^B5_lBaF;Cx(GznnYVIub^9nWQfL))Ns>DjlT36x*c z0Z!p-YNeYPk!Fjc!79Xj9ptdb)1<}9UyN^wC|luEjR>{t#9Yvyt5=G&R|jYQcH#_r zRP0f@Ta$vPB6jN1m#ZNaT{dwh$0}IUr>~>R{S9hi7Ow&Vn-$-1tci}vP`tl z1^&s|J_}u+MPHu$IN}|B)rU*(dZp$d^*2)ZG}s86OZjn`yRW~|a3RHLu^YUxE~TdD z7%=~_1B(rgA0Z>x1n;Ig^Tn~(?&*;seNiS08H+eOsHg%7s@SMk5QN*yaO7X7dL=;e z4SLBTd<9_`g>~SfFN*xzdo~VN93QNuc8qdg%&Mf$>4u!PJu&YLm{aHdj_w1EKRq!% zSTbl7$GhlBp;DpkS6Kq_Vq_gYsVis8t7=bjOAz)w1+}mX@O8wkko<)l1-m6fqWZkV z8PiUFSQ49UA})mGppY4_92&Fk6aYZkr;MBbq)DH~yhnJFh|d%5^SGN6hESSKxpDgh zben&vMu;t7MQox``cn2`-ulNh!NXYF_G+ba-sf=5;$ATfAGHIoDMXh@+HhQj^5w~l 
z(Jv?h*oEwi+n^zxmhz(T6ITCl!7<`rgOrLL>;!2*$V%Dq*>e=(*9e55=_CMn6A{!q z?eT$y5Ud%5Z+oYe1)D}m+_Cbs$rM=hN5dBDjVNzoyAt_wa)(ia;1OsCKD()|)C=`C z%o_1+ZAWp#4)=-Owk(y8oGHJR%3)Y{fx@Qhk$qYXC(=1IRpL{{3-{0kx^8l-VZCgI z5C!*vT@@;)@}>LA)-sFmpd7Ha;nY{ai!CsEnCuA{<&fU=ZqLA&uuG{Fb zo%B)4_AH&sU%5!3_E938uX>T}TIfmdn93hXCsnFY^(^&2eT@qL+qSCyDEV6|QMK(& zkfx(hXI#;uqmV{i5pnTxjX>kePBz?|r=bvMT>f}j+2akk4bV`aS*k8?MIN+2Ss8vS z8WAkSlPoeoT&*uJT^d-`sjbbNmbRPu@h(|iDH~&bS0X93z1Q{t{RHscv9&3yJrP-% zI2pt{lU*4hF8z?ocUO{m9ON6KMxAGIJDt?@+aV$M2oql!a2m)vW#M!(WXok=^Zd)C?v)hSvJAEd1&DXjBzt!8P3?CaOMTh%`%!%OR@d&AOJ zHO%#RqM=SKJU+ZTsp1~Iai(%?OiLSUSkpWNO*UqiHQP9bMAdO*sD!^Q3QKLTT<8qO_+P7ChS~LUdqxz>}z1*r2yim17cFT2(%StIQQm=)*G;r3eP)j8hf?MO5a1tGZ?_QxaaP$mCHx;7mzXbt6Sz8o5 z+v~jT1KDI1NxEH4u>VG&E|@|zmJ6EGS=J0#Kr^w%|ww4k_8&~=Ja`gf1EcrFrS};H9Yvr~`&m;e*E7!USoLUX&muWN{QAo(?c(GAez-6&a;Y z?s3Sag<8Ohk7nnF!}t|sXidj2inYUj+USt}L{*C$Cw_d%MYf)SMh-?SKx$WSE2#~G zqEo@VU`Z6D+Gsuc-mH-3VyIG>y126S7pb;R@Ld<#5yRT;l@6-wg_T2=jw9v_y&Gh6 zZGjVUvqanB*SvWTm@go10zMV=$^aPz%iCM+)e|wRBGVV`wr@BzN>*G7pJpO$4uu(% zYLiZn#P_!bu@?8tB zE-?bJm1-Kn#Dfwv8+-6JVXl>KJLsJ@d54^*OmKbV>{bF6WYK?HC5X~kimHp4j(o&Q zRdPUo-GavfYE$T1yy7>gdQ&^wu&B+GWR@6Y79Y2dFvORfV4OFv3NVY(syj(DHR^j& zvp3}o70{?zMJ3=q@o&T+!JBN-!-wn$l$%^2MdPWG>^i&fha%bsPfS=Pu{T{ky0!|C zW19=8AX)RYPYI>O3f}Q>0k%UD0+|Uq7@v~ z<$pW8+OzjtEY38DzOOpJ7Lv_+BFO8Z-KT|{`~{M6^#T9~AsPy*=BVca%Ci=jf!Gtb1x+>7XSDJ zN}0Rf7Ux72wOD=hOS1XEet1Jo@QG|fIZ+#M^l|1PzTN{agjr-*3HpCy*cN3lGznEw z3Dgr4DSZGfWgoVX6H_wLW-+Q8igTf^f}6S1f1JQ4vnysUhV*EUQdjcifnfx)<%Q-X zv7NAD%mWp!sjZExz)DK975ba19xaw&f3(N$)&{|il%R8EghltTz~>wSS3V|-C|(yL z7$Z3Vh6efYMIyCv*O%jU|7(1_OdX;wPXO)rKpPP5V+e>>*V#M-!xLXPrTvHR@vYOJ{{YGOo1=sZwCXu-~g_A zQvzTZ>51ZT9a*3gdCWqy8?q!I|L2L!&_4B$+dV^ns*A6U<$1u;d_RH^C)pUs%QfNM zD_R=)4s>lkY_7H=mi$}Ekh_I44=)-bl?V``7oD}g%zCtKOxw%RqB*6F1p%Tox~9dJ z?3JC$j%y)0l<8Sb^l!QYblt|(R6ugXI`X4K1p$PM zUki1-8BC;Z1|OVb*g#w#l(eM_!xsM)CGk4)r~NN|^GF=$o0`tO#>Hm}KR_w(`wo%! 
z_j;Nm<9m4jCj-C%IMxDIv`^=_kxqleqVcI!H4LpX5CG(pdnhz>O&s&Q2|9Bd5YN{f z!irBbS(8y{yM2~ggpQWh(;Eo5(8_&lW@Pw>Oi{x@Qsz;L>-I5=7S zZ?kGR=3qmn9+yGCDVxr$GPRPs1*Zu;aawH;%^^ulDJJ_EXBx^#6rfzwRQu4|Hd#Jy zDuau)<-u(t#^9^FN_G?U@A<6%duQ+8u)+5cpzvA5rnW5Q>j}V)nUt=J9&Su(jtz@& zLYA(vp!^WrsWK!cm`7KN@a*H5u)s1Y$m~t-D!9G#!lP{h;*Vo4sIIYib*}>k!zN!= zY{`GnMEiKWFNuCM4rrYjP{B%idB6Ji$HD2Rhz4Q+9Lc%&A6tK(W-;ra>g5EFkhiI2?G9sF_jt06C_l~^x~UyhucYX*FY zU>1@*l6n_rPm-RhyXp}X)kPy|C1VL!+O2z7yX^0x6W%^y5&$$+1ZM_$beUm{@>^Bg z0TYWT|1rdmxG>uhVKtCh=PVZ@qo9_A`|HiNXaI9-_+RV-Sr4)UzTfd4pFk7y1d?x8G-gI~OIv-u?K69qj>OXU61kNVse*E2> zV1<*joIJJ60nFT$$vLf+fEvr2SkgrXOB3BWj*DuzOd65X$%M{#kjyI8u<2@6mDMjs zsXif?ygiU=wLe@M67KwyKgP}U$2@>n#a&O%0Xi*L7HvgN&Ze)_{AbbYl^$^ZuW^Ee z@lgDE%YT;Z%J`@A&2Z=Zp89_W^E0@gap4Z_sbzHISWFq)@aNTy%&T=|hNp6b#%E@9 zfI!L^86fPMndp+&)ebaG&Sl2;{m(bi2v{7cSN`|9#jDpm;Cn``?A~LwM>1eJr_YbDG0tugB+ZzFBkr>ZBAauxB)@bG zArnT_;EG!Z+!!pStJJL1y$Jju<{XGNSX||j<>d&h$7Q!m{$US;<`b5yc-GB2X9v9^m!Vy~02G8Q?t!i&&L;9fQz!yAuz`UW z`qIVYC|2oWa1~?M)#2L^gNBq|kgV9p2XB%8#$Vs%s zHfF*89nOE%A`!-fqw6zGbbAfAtqFcQFsB_B`YXcyfbV-QPyimoFac=^Tu6|z$AS2< zLP+{|`a-zLrL=5b%s4#^zZ2Bn{K49UgM7gT3A4M9Z}G7%;?mj2#w-PomRkGXueMgP!W3|2;aP+ODj)LL zs8W{9bZQf$^1(u^ir^cXv^=nvr=5|ePyqQkG95IC&T8HQ(0bR(3s6=6Zq_)P8i3`b zp6-o!6L;CK^tenTp)ITC@Lt+phu$RTtDE`HnofXow4)1bVT&vRReVC1jfbJ%zpta8 zz|>nYt#=j2Rt#i|br7uK{)pnwg)P537#HpOYCn8imJf74V`fV`kAR1?FU7XKxM?czTf=n?Hk!g_{SYa?Y3rJu zf7*-_xLp4FuGq1A=C)}l*n>RE9CgV{a?(2FI%3CVOj)@;b!b59d1LVu1$@s-s$0as zAHUIlzhXW@VgNPVauBjwtV2xm{(I2m{RY)1y|1PtP;SsjC9`o(a~;Yze|{i7+;i?` zM2`hmZ(L-QTBUfG2lmYN4Sma}{8)%2M*}_K`nAEgY{B}-wXf66V!8TIe5CnrN#~JN zUpMw5s!OCUV3(3yniJGC6ObjY40l3lY=dcqw6Xw0NPnQ=9li4xl)BsS5m^uI3Cj{b z9zFCic3u2&II8$FMBpD2!~>KKv>46beu4MXmo-=Si?p)G1W{ZfE@DNln15qru;k!0 zMl*%${B{S~Gzd|#;D#;<53(N66HrMH*E$Zw->_49NzQF2dg4lWngB2|BcOF5G`$#T zKLdIoL%|T!x!gt@$EJb2pc2 z3@eN(zLG7cX!|FM)&Ov6OK|h2efS;z=hoeUm~DPBU^@gLxYR>;pWao&c}uQg_4b>V ztKP7syEZ?IKh#$gX6PyRy^&U)@ROCI(oYEL@P+_VQ`~?+eNWpbQyMm<`Z7HEANaC@-{Y5K#c*ty-EhU6vW~AD6 
z2jj~qQ7}cZSOI)7BPf$xAR2Lq>4hFt!s^0U3cREZxR}B2v!j7B;}?{|m489vFf!D3 z5vXPg0x*$Ruo=5}bP&c0E&MR)`wS4gQe;N^nm(TEJ+M9RlG~8&I7bo?+S(r z56?eYegwA#)Z$LIo?td08PTh85q>{9QPQiy;m9Tzc6l1j0yrVwp)&922eqobub51t ze*%%_8l|3DXpHn)OsY#rj2&rIt>9pm4OT!4XK6BlDhc;M>QoTQ7e100VPBpnpS*MmA2PvajJ@pW8Wb7E@89%-TphaRfP zNLc>yKZ7)yuW|s(7DeFVfTcK7HcPESb_mh#2LXV`>sbx!N(zFZN}X7tQ;_AMXt+Xz zw3DGAaFN`3-6vvcP>mb=P=(dDJ*claiT3TT>4~jqtYdTOkF?H17nBJ?lrOnECXfT{ z2%uhNC_9^Y$*pC^zkR#%b+rae2@PTWfG+hYuwn})-U3DJSxlcTlg{s%5eCQ7TqZni zNdSqve?BM_QAw^Sahgj;U5WM3X0a=zjThhE4N?9~IVA|n2RNd*Ky~zV3|T(|0*vsZ zfTs`9695vMOdBOb^=^Y0g7oEvkYHf3hFze7+#=3Ue-X6Ig5nVpBp;U<*H&Q?04X}9 z-z$59)dA@xYV(RB)hN$eV|W*Ph!-y}6aYf-gP&}ObOX4~8!_4Ay(p>UrtasnLI`z0 z)WRtUi060sGI$0)HV$gLmROU({g%*<9rv*Qn8)UqdH8nsX5iA*YIm-9yGnh1sbrd5 zFZm zBiZe@WxVFTcC|VYx>?z-ZHnuClgNSvrdPgk)xK35$l;88W%>P^Z@1&?7E)e%+;Kd8 zZ&LH$*LCO_Vka2E9I!{WvWHq8H_0b#Z;fpeA~tpsNdO)-{)?j3Ml~WjIG~pr#NUDg zmSkT{*duU|S-(F)@E>{q*lw+`++y-zGF#XBGDYV8-g%`m|#}`${I5Nfc4WTqmyD4T3%! z=e6Xa%oDG%2-c=<6IIR3RhJF-)Ex&JF6`Wx%;L~(|HGGfy0KIF#576*Q&ToH6<+m} zKbdHJ%e?5??KN^W!YUiB-fo>V)VyC-vyC|muz%XA_TZs zJA|O&VcHdpKtSxzLw1CtQ-w`(tu*_v^;SU>l-~=6&=1Y`<)PToiRlNPr-p6*AzUi< zhO!p~;@1~SubO5u0YC@a^6YHhK(~pYu~XfoACwLtysLkAE!W~WhI?Vrus3;o3Jqnd zvcrmd>Tgb;33Q6W2!;)$s>?U7?)S=6{ZwqlN<=fFE(%eQ$fSrJ;I$73CIXic1YYa# zdOpDRL^R|$2IUJi*<=_K4g&1yGO+^rEh7T=ijqW@KendzjEOOakeINLoAvDP=Sv*Q6wSu_q ztV;N%tKJ610vH8l{K_@PNvlvbd~I0f^upd1%b7x`p0B&8wxD8Duu2(+RQ%SV&%gf@eU%G`H{usDu z3C3_EaD@cj!-lApujad4!TllvZ;@n(f+<`)-q8@c2b`MKsUjp{qU+W!(HfKnx;^7M zRQaFMeQ5`+*v1m=0kzlCHZ6I;iTSN#wfMy5UA5>518wTppTJ$oHND~1t=&EQ?2HZ= zxZGLX{rTI7Y%k*1F&MgAr{17v1wMrj!Kf-2dRH@y;sx2>`3sD0#cIna@B4~B50D>8 z>`D{<2pFEvlcq|`!0R_OVPs+}!yWP}1o62e5yh&#N<+e`=4%KGBkyK#1y}*vO$vJuT{0m&tCAFz;~uRQ6k%(S z?N5TvLdcvK$zx>03Rwn+M^x!pCx@qej@`stCPp9vzN4-eRO^(|)-EJP`6xvGL!mUw zRPkDyuEH?Dm~mHjo_SRim$X8BKaysnm!v0NbwA&Xa?Gv{4roWbRgK!ea9LJ26eh!i z00enq=nbg$I3HzP>*e#4`q%;tu<4^g20!W2(cA$9GrkcdppT%X?*{*N`dbKCZpf@0 z;BqCi7@Q4q7SqOYCA|j9B&qR)ePIZL?!%@BK&n2+{NV3z~cF5vQ`l@$f8 
zdRJ~1S7Se7KVDdO(P$3Qlq5!0QpHE;yauwqd}vOnHkhKnVM1x{OtQ|EJh6= z-XW7Le;~tn&P54g{dQzn%-=Z`e5nS9x5Gk367+`Q`XM*va6na2jUxV7# z;2`4mEL(D39a$YeUcSdG<3Eb+0qa(-St%drmtx4;7F0Elpj!Uq&Qm^QBU?Q^0J!>J z+!i@i{w&Vr-Q~JTY*Mk@8%aohZ5Odw^4(jNJhz6+j@m-=b{=|j@L^Y$iGhcQ&{6Tp zgoYCf)DA1tl!lH0cp`Ds6@R0}L;@E|xr>>a-7ooxasAJTTGy*Fkv>7S&RN_Sl0dAO z>ekDqLX?J{%OGhs&F^S;fkfL`0PMoEXV>ao$;PoQUAfodI2zId}J0JwPDJKJM>g?c+iP5Yp6-#ZFDnB~GcX8ga<^oVTrxh1mH|E10VY`OM zE#CG>&pgFO%?tXVPh8o+8FfT}sB~QuM69zTZ=Zetg1vpBf<5)r-q=`5fX|c@$`}@@ zXeyo3pR3#hI{6*wZXi?3XS9=oO>LBv6;orNtu(X21IGGyLsueMU* zu1pcCHa{uP`|Fhf)+OCGSbEGgE-Y^}uSX0>iLl+z z{q_0uWdMV}z8(bwh}sl8+WiZa2L#8#vr7fqT0$fK%L$D>uJL$@1i zP?zm(^p-Juf5h+C)Vp~Ptz&cAM!ZcOd<@1ss)CSrin77#vBX>0{-H`EG=!M)(6}n9z$pd$8p94!x3)@xQl|1wSA!kD6>BfR zD%fSEazF<2z>cH`+(z#PAe1ZP+3Gt9vgD9q2{%f5;+tKe(sqoKB`aH@|I}_5u03ey z30QOa@7QqN(EnL-=nP!4M}X)Rs$a8jTSY!n)ee=ePAFH?+=6MpmizNGFWOOSRK50^ z>oolvUT3*36hEyf(BfCgx5@)q4idn^{p0X70 z*E@dt)DFJ7Xp*%CPK2)JBP)_t^C#Sr&cEA)Z2=i)L(L~%i2_73*Nx(yhO0}qJQJKd z4f@XaT3cc&fJPRZ_;mXi%_tW_94RJ;m0QI zVGb$g-ExHej9u=t7YE*2^P&2>v%@sh#wRFV0zMVb{BZCOXs zgTQBNGhTsTP`krP7!iMJOg{>1fg9<%|Iugu>z&SOn*nI|5hja%z)Tp8wA~T4)~_chZryYV$LH+TA(DzXx;=IUa11Qe zt|injr#EF9{f(3?lMpw3-1kD9O0F4{EmtR880>d7&KhbA1qNSEmwM>Lc( zo4eF9E)lXiCV29qm4XQ7E&qeRwW1D{j|-7Sj`cPwnpeIl`#4p-$7C2GF9}k+Qe#vA z6B0WgA8vxO+o^~xSi9!PO|YXS`&G+)*l4x-$X|_1P7>|2YL_AJWi%{`#;1f5UYhb~ONy$rD{Cg+8#`w0tv^s8$?|I5g#QVn&J1H~ECtc%G zm-ZAme=Th0mEmP~&Coa6F3Icr=g0?SSoI)G$d)I29qEAA^b)oswHI)48VX`g2cnCgnyW=h@-n#BOX z_zghnQ;)>dHgGYH03V{t^hagVy?7!$?r})VWOOCNUa3GU836qic8u7ciE=M2DflA| zqb2mwy671*Vl>?d*fX;dhW-uNLJGw<-E#olOLgf?al8vBCtI_?n(3je zfu_T@Q4RmckT|{AuSEcBDmp7)W4_5l@19W`+I0!K88(<`@a3hGC_p zS%#~@AmMQafHwdAflg#Om0ICT%Lll)>M2L|qo}h;p58-nWGcoq7?@huBk%zFk#qcz zPssfS|G;BvC@^k4Emr0qXX^$BrlOZ+Fo&dQhYU z685if*z1c8=d`=;+7A$`3pl_(wnDi}bE>nyfMjfU32VB3@QqMO=LW8sIc>}FmeOFw zg47>yJ22x0U-@=Ji=gO5k7+sUM6Ps#I(llw91KU^T>M9iL+VFB(BD5cFu1o;K^Q(} zQc14LIv&xC=n|eIFE7jEIplkdjRKlQJycPe5PT@!mP_9^%LSgrfS7TrThZ#Z(>K_H`C 
zAVkz(zy6`7@(r4>UZTI!(A-gOBNVGYq+qM|#!y&@t!OB-Gd|EXyU|Sgqo(w}f0k=a zxKWxOo}4{~AWzRAvO)?%Hg=Q@h6_ag2JnZ#yHg>*WLiRMU{LRvG`;Z0q#x7CM8mC2 z1WG98OtC~Sma9v@SYSZxw$ZYtDbPI{6gl?Q$ttVcST?aq=~9K|(irI`tJX^-P5+0%UJJ zNn~3Wp~V`V`Oe*@tIb0A8M=LyGYHToz@ot3$gDZUZkQ)7UeskbF61~9)cWZzqd%X? ztlumF_Zm6|k^3D0yO9B>Ml49tm{bNwa3?^*!CRE+)1zw0X&DLAJgW~0;GGrjvw0L6>Scj*W{`)`#{80dWU+sN;34ERid}Gp@rYGJk zx0HQ<=3C)jA>>d5ZLr8#<&0g;%r|_M+C7Z6nh70zq7kSv9oN6@CS0s}9yjpnyD0Qton@MW#10NO- z)Q+ssw2n5h_4tBPjp50n_YbP@FFqW@orkbuZ->dErs-{mq1G{o$FeL(NHrTxa zI|oShixOZrDZJQUIT^NOY$LP00Bef(H|Guo;lpt}m|xTe>Q&j3O5h4JkXWFWfEaqN zH#Z=h+I})f-)cHMsRom#j%v32YI633Ct}3a{Ph%=Ypr)b$7x_wVGuic>8DgVvLmi? z)d71nJun`RQ8)&08FCZGus?*5pG(1j@LLBg0st6pcUbXgRn8{!nxe<@@NwjRUKa@V zWfPK$04?9g9tm`z!m*R=N@{DXoyYO2<|Ty?SPNIkVzU%_&8&{zW3Z5Hv`i-G?h@ju z_%`G-b~(lXh6hj|+gmI@z21i07`nA+NcJ08wZ?908gw ze6_kmR$;nBoaxzQ`&xgpFtm8Cz9Q|CiRU>|ML!&HImx`crN?BN#X}6IxH1%2RLpvP zV@X$eu6k$8oG?J~U^LKkmM*eQgYyWuQ2_CE@6NE!V#CEIt(MhFQ>fookHhAy1&xri zMzXs+td7BA3h81a#jRwZW#z*f9rw(UX>A?Sg+{y7Uc;~Q*Uqxzph+BPYK&8(Dw;1I zlOf2gj&P`I+KNhf|ERk0mwZ)L%ThwfAak44Q{==X0Ys+i zDCGVNXI5-$JrqorVK<$SM(PSbx z2gzu|+O7?g5f&>%($~JC}2j1z*R@u7hy$_3k@GJ1Jdnn_K5T;T36DPh3 zC3#Nl*^Te;xD!S~G;4chBmCjsu$%-HVT$5ECL;9caSoHZypf|OHH`{sQLMlcM!tB{ zP!g!Jd_jES4v@DCEHl zL9t|wqmuXl@pJ>oV+JkCh+WMp=#mTrWO5tH?tf7d8CeuFzMJXov61^T30KTZvW-qG zmSnwjWmkDmlM0@Z)9eF2P*pCXvm{^SNZ82J*TIXvELw?zoUx-*HC9QIXI0Mv%A9P_ zRxCKv+_keN5Kw%ji*7GZ5IQdD(NmUrT;piZ*n;4I1R`>9WPUne*`6F=k!)Ca&jI>! 
z(^KXGqOrjqNv@%%zF=pFT`()&uPaCCAF#$lQjN^u!aK^uI39}GfD^cToIaif5R6nB z2y=bOGD8^%#AzU4`R4WcSrpwkN5ISc7WK**Pr#gXiP7~vBMdSBP>>6+DqSV+`v;vK zqA(A*%!WiU+5MH63~$UL;D>njRu;g@=Wip(`IR`UGbvE|@kok1vx<)sj5{x={64xMb6t6*YlM~aNlb0m_>5k5 zvb;4)BkSzO6cfS$@2sX-TgHsald&4F5b`j2bWdz8CjI9qT_sij?lXv)6^N%(>2@Z$ zzFW*9ayy&3&X8>@Nn2`X@O^XX3;f2^j^4^?kDO$x%l=}GmZTk&sG2U+og5R{+Hn@J z8vHczU$y;>o+8t|*%G1}y+cC0>xZcTQ`nxzf$SJdUSBjKp(@qye9$K6qjPKGLj0yF zgNozayCt})3cHlDw*G{^hu^_W6%XsW^+Q3uk!)?-jZKc|^h zJ&&mfh<77wgCy862g-!a5BTz33K@U}CABGGC@H9Qj%kd4l9K}_CBD?R?L(hiQ-ER& z>+Z>uijp);779>3&=6RRxi9dWZHG^EHGjwr1;hR59d)MXzYmXpxZ-mDzlKgx8=2)i ze7n*+@SL%`69}Dz0%C+#WmWj-$D)zAb3*Tm!9kjHKo-Csf?f`o52-u^0-^zsnXn$L z!hB{J5VnG0^e9&3|{(FYd zZrcn!8^jzkS{~@2FgixK)$1LiT}P`GSK*@70U9-YdfKHzmC3DYon{MO})}S{ASixJ|&VUL8aFzWr zD6zkCh8GlF66jN-2dUs1wxFb;JvrIqWAj~0_m{ZG`b!W3 z3)3Fl^(HbXHuk8A_kG5wkUjxE-xU4`Bi3qnvC$m%A3hLnA{#)Q&Koq%4x#8Y?uT3b zR_}rkuYxP0)&($pFpu}^BNyN9=^(E3vgXmDwy<_{o`Ebzr^^1H;{h8EarwPptU2!e zd#+*j-B-^&-dj%+#pdPhQg~=&mw;{#mfSm(Mct3XyHV#k$L2WHRAVw%t z!NgH}*%qBID`c!Zi6zIt&TDYi>uJFVS_HU2h)nOAb0-x#U5MXNnICK28Lpv%B90-f zH>1$D(#hrfUUSrs$K=>AQ13@H(_lbu#^$P&xcGkuDMKW^rZ+hOu8XQb0}Z9AWCeMe zU@zl#v^jt-Sa&a9TPYgRjyXelf(qzk4oN^hf5 zsjzu!ooY7}&@{d_dD(N$U^qoMEYvbGlJu}7&8&rkdk9`DBY_U4IMMo7YOSy_U!l^{ z!NF)wx9I^r0$5s>8s_Q`O>q=L;^RnL1%h&MO;hyry{F))IVTiiuRZ2n|NT>-bmTFG#E4nH-`ARpXw>G%kh8~$iiO~a1r0h#_kx)wshBKskihC!^$Hsxp;nxQ|U>>h;G@xKI$6DAP zjyPZ;)Mz{Pn2p2nF_(_a%tR^&_wiKY1t;cASYf(yp?#5eqRH8yFXRS_Aqg{rna}fK zG{VjHxKe|Tiy67Fe-7#{;n#Z|pK$KYjx!jw1E<%m zcRP)4r(O@%5m68(_BlDTD5IAMAl8leSv*HM*wGQrF~}|ojsoyjcNTd3lkhOejp_Ny z6?s2-P_Pw=*>NMJ8{yfj2^K2dT1CGaLlI4%<-|pfA4GHw<-(=&R}mh<*c@=A3O9WD6YnM zXt9I!lXkA)o={8D7oXC*Xv3S0yNlxO@z4sx(H{GLNZDb4Qn``-?vVC|0Xt(Q?&Y5m zrX+SIwglE3>JuxKSzczyIS|s5d{8t<{`G%IL89JdG@$gC`dO_Yip|#6#=+P!M79LB zf1NCWtzVyP!}ZM8!LZYp##9-py6IkI%k00-1gO{#h6EBXP$ZMUf>Fgc5yWX+l1aHD zTy$DS3c_fbEE#hpgS;+3Q!*7{@yi2VOv0F6g(uk(b6H@%J>Rn2SU}pzcHLM&t;T+b 
z1_QDUoxO<`?sy~p4E9^u-JpwLs+(rRf85W^B@?iqvpqzOf}JBfmEWJLdbmmtce{ExR1oB9;I^pYsx%*!=3|qZkM`~9HJDqN0)|<)a7*$I?u!RF zpM-3+rA{bXHIRP;k-0vW9n$i1%77MtD8r)!<5a$48Av{ zx+}axeY!=Hg1A{3FcOnpaMS9C&5zTNpsNt=kqa9iXU6e!S9bj(T*=L%Sc;GLiM(@D zHcWK9*r;N`1mpsOzpt!qHorm+A;ha8 zIXNX8665Gh7snx?5HTZB?De;E%E5?t%}?+tLH@EcVBf4ds$y;`(tE?qjV1<=KyeF; z0CXzKh1QI9zgseRj`f4#srStwBTS30C%O1ei@BaEn0A9!1#zfN-K;dAonO4HtDn4Ag$ zTi$YHIZEHtxQGr=j zfIBfO8^CbuYUakM3eXi4AEN2*LXqjy`H%rH$bg_bMtR+k;~!a#5ka)nz+pwCb{n8rX66XNY+9mUfQ zMnsW?bg3g1=UU}fe+JVZU8fWCaJfd~5pEDVFe>GCuHE%VwodJ{A$!k|d$e-So2>JISm7OW=NAWCnrrNiaz|NfF!YY+ND6@?X zCa}xwBd!wIrJ>INs!CvII$x>;c13}z64=pCmB3D}mrLa2I&8Hzo4` C+PpC$KYS z&Ec(=PhgjVvqS>BRNWHiCa?7{641a>!a$2)*V1;D^$=3mr3Zy| z*WE0lfi0)56Zm-J7jw7)ueuF*s&67?gQ!R!4M#k26~&G(gYhg*G#@m$3e%6-R)CUD zl>SCkAPNpaLh>3Jq_X>3(lnGK$246%=>`>?64dkeA;C(E{w6)bDvyQ8SQ06~xams} zf16;YdZn2F2DFKb{jH_GYi%|4oe7ClBAZeRh&8211EL{rV;Tri%%wXc#}~NytP%n- z(KuBS#}?Tk(R=XA<$W$_lB735yl@^d*WiV7hfm`U!fnFwq)j8&^QXf_%> z&+!M%w$l#0p5wNfJ*N@${Z23#H3yA#f5KP^b0&P8WLMKnh}n>;?0nnK&c}5hD>{|q zIrZADR-+d*onYvVoc5s8clzCi@3cpwL2u;sJa4VA_f=-T;+A6aa`atq&4YtA6cf#aU$I2G ziPVj)cB9`Pxg)3N)|*bdJLoxse<8vBraN*6{jNLm>LaT5-ALLzX3CZrf&rk*bmm5S z-bV34qy=1PgQCgw$fM9>Gtd(Koy2URzZtuJaK=e=GU{PaZ+g8}$LTgYb*DY-2IR!< zlO5k2)|;)M*J%fx4UQU_sK7cVI~zFAE9<$emNHDj(Xnx~TTUIw7LVBqf6>V=!)6L| z5;9l(ii4M#n1(CUj7PNCVvewfWY$UiF}34`I{@|OPFaFbU+~!46A`|I(YiVA6R?>0 zWpz}R8i&B;ft$&7ZxJwiLNF9jLW=$Hx6iE6a!QRofuj%Nb3XuciYN}wT_yN)vhrXd zLg|B7#$-dBF9ppt{*ayI(`99#JjvBxG-x1n0|~Q{vPAmI~V7!I1lLoxASIBf8o(4PC)jO z9u5Q8p7JANX2TxG;N;)}{Q*(|dX8z%5%q-n+4ap2NyG{^5f1;a#J9GxUe#hxG zyPejcO%|>@Tw~G1wlyuCEMEX~%e%gW)@`j}Q8vf8k}kPvb;*UwaT{&I`hp1D9W`9X z9kzR;cF^=kqjhc~)N$ooq|Oa(C7BPJv~+N2p{d6yj`B=mfFtJPxr^ofU<{5N=(&Lp z?EHHQou7i2m78@Ne@a5JCQ}f`--o^*przrn$a}XI=5CZ5O^~DQ^#|Q%qv3RVJ=bZs z26boH@3>BPG;qB}f7I+Z+v^|)o-Q(SNO(~BzTI&oF6aA}6@7RkXkU=tZFqy+_LWdF zW==)ZDCk~txi zsQu`XWYR|(b1xtk-2%C;G&2tU0&=C;a1r#dmh_cUF-U!R88LCwT@{VCSd%XxZ}gDM zq(^rOM&4wQqvaSh8kGOHmeb(ljHz0JOZR;UZd%ctmza}n&4lD|O8}^()I#Wl#DkAA 
z5(0wdl#5AHI+1G^3Xp(>&gs4?e-U1WJ5~ez7Brj5K`e6O@kn}L z=xz<_mhWE4B$k^U5~={0NU*PlAW*-ZZ^K~hzi<`KOdQg*$g9+*mKivyAUmNGnHgOv z@JF$4(E&Ui?gk><#O#K&p;$NCOqCCJBO$|`k9T8(kkFl7sx!Ap7HkpCt~Fa8sTs`I zny*`(e+92lfV8GLKw7(_UV}0s3RI`shEBDj3d-tOTklx=V?-JObE`ujcF__9@q3ne zMc9o23|h>q@-?|AM0>5eUrU!PwJ>tUoW+5nYb}u6N3lhcYh*8!TB^um(Hax?UEoly zf)@0Jod4=Pqq2ohHE{gX=mRMiFM^rX@J$O%f4kr@Y`CW4Fk6YShafNj5rj1EsGAwy z*cJwWqL824bR2flq0UStNkQ{@sas<`s!XbMOvX@to6n?b1LqNei=ce?vqyBmbAq*5 zU}ooB9ppp0M#|NEa3zR}C1|yoU|mAG1j(3NwT5AmARb>Z?nA927Emg!#InT8MvGoH ze^5DX;&?h5$3r{BHQ|!xis?DqDAQB%JlExUXdJ>rh4)dSCO!zhCw~U-1~Vef{3aL? zWg*4pqEYtf$`|B3QfV&WaLZsnjFOf_1DGjgk#wkAm!JrfpmkWBWUSX^J9_o9%uUBWL6itA_0f+%wRT8IkDx!l9o)}u$y0n82=>h*rJ*YX>VTW_?Sw%_kMgP=*i4F*A{(d)SV4y9v-dNCRb z=^O5*?1ZXY!yUXeZ2JPB+h%D@e;>=i#{(m$O;lW;E5*4}c5;sX!Zh5EACp$dg4&rD zExxWolk3?V=kr)MI()JXShF$o+d;eIbUU8ww1Uk%kOwCr#|wA;7%Gif5WC*cSc@o zG-|iq`mo+!W4F=yHlMO|(@5{CeOB$WlKV^&G3)1M0@_yhm};~+3&-Pl(+6s{(PqCA zcCWn!VVLZaKr?4}?%18PfS%CaZ}Ju56ZRnf)N1!*Bi}=jIe?75e3p3;Xh0sZ5_}Ey z@#?v))rQiUnw1&(EzL#Jf4=iFVvED@Q+hgC(iJ*%1)3U|@v^sUC6AsxLp-x?7gCW? 
zX0dd~PpCiCA8A<%Vmv+K&KY zb%t)GN41F*U#XB0T}=R7Rj$S7_k@H*%**!Hg#K#?_LXUXHm)n)e{VFIe7}ew*enL^ zaA~Yp#!P*kDCcxPrLEQB#A3qQ8+6Ss<$e9d7bvq-A|g|~rGL>`ghq3wQJNs6&mzK< z7Vprx!xYztMS|k8Tqdl2^ho%6gS<1g=<-`lpq{Nqj|#~y3;MM%Aun|&PsMu%;8O1Q z+y{jV@`cw6>{}XIe@BrzQ;!P8izMbDwwMEZyVva4@V5(pTYdQ3t|Osp_qx41<4FN6 zpaud%5P+x6rr6Sx2@oiEx;Q#MN+NX~TK*O3JoNT{!70KS!U=-;v0-lB)+9EMFj1rq zXVsp_@yqs3S*C?ky7IteA=%fW$(#w#d~vKCN5I2=`?tq0f6nF9YjmU1xKk)@+fNFn z4h5+VTVntv_{ogYsAz}Q`F9dWytm88L`v+|lz=#(EkDOXNm96@=Pca{tbMI!u`YOI zH;h@f9_tDT?&!MA1G3e;;GEAN!9p;7u-TET=d|OmclUSgdhM6`+Zuc& ze^i47lQD(0e=DZDxPbD(HM8+Fs!{Wo<tBAqz@*5%c>rPetQorjicw zH^`kk$SBo*X(agtSELaXap5Gs28hQr0`K|f;8=D+e<=>zt>BS17J(4uZTbtL^Y+@TABWhOEdd zym4OQj>}QZoWwdZlwPN}2*oa73#Tk0La2tLHTe%{SfbT>$&!_rYHIkTb;qLQF?WNM z?5BBavL6W2r+{$eBcpT53l91|JsKqxd^{v(_hG&nd9!rg?Lc!_PTU`W` ze?9%cxl%lPL{q1{DHewX$kv$@Pm%VHq21#|;D&>;_RwlGpz5vIng$D45LQ@g0WD{N zWZIfw5I|%RQQ+)gA?{%!X;gX8jtZIP*&Pwx(VZS|HU`Q)z6GsuMR|<#`^gAyb@8~R zi-*~@oXw=n8n(5Aj!{0EB@03&rIJ2ie{G|yjof^uvrYQg+2C1WZ(jP8j0)v5EDhtz zDxNunMuvyXBm^*Ira^@6%w{xTuO)Z&0He`Lk7LU40ya+Xz2stgFi>OUd(9d{N7-_7yb${DsE=L|E-^v#n(2;`h>28%y3oax-P2M%lI0v7W&ge*j6W-+yhj zti2cX-X|`6Oo_ouz>azDdY9oeNcO*@i%oxb>Bh5pz{R@Mxbiufwqf*9uErYI%Tsh< zsoCaO;Z9u@an7piVs%~oOwW0VT?1OAzElZ{`ffEb(K*OtfFBR z4SNtYEcdp;o3yQy*^%!PY82ZVk>lj>eq2>dRIisy_10qbGcx9GhWm%u@)ErubHATH(3YR)xde;%}fBZ1kUv`t1WKdkG zdk47kXRtU7Hm>fk*z@XW`^=9v=mF>im~6J;Ptz6_oH{NZQJ;@P%X8ykPd*%>0qpo6 z{_;QnTLZ}f37lHK&CCCrf03d>>C#PJ`Y-=JO_{=0vfqE+$+ zG&1{i3a)>=rIQO}e;poo@QPp}r4<>i$Y@1ID>9lQqq+ADIvv8WRop)4wTS(^KE=HT z$t-e#U^I~uL#pezB}+&uZZ^uGnK9(e`@$y28C+DY5xJP)^HM&tsEr80KFopyUh@!k zDmfFuK5r3`TaG*TF42xoN&}YMm6*vfwLXJu5t!%cuAd*=fB6*cbd}lqnLcGLELZ~@ zInr309H>=?0*yr6^9>xxbN3^m7Zdm6o>E0M-qEPc1=y=I%4zweIGApp`{8J`M+FOH zJJ4N^L4R%Nq-HTg^-J{q?6{8CZ1vmSW_{2bt`lwU9vc%kZ;}o$q6WL{(QgJWgPop^`@y}kzN7?~SG_^$ zTd@tUkYRF4`}=IaiB~{^AR3PThG5hOYr?H7SejG9 zAuuDrlwqoLn^w#pV8-BFT2SdM+D+i}BvF7MR5CL>NsRuvi@S8ad%~Q( zLi5F*Dz&{<%dw>?P;L#MOI>e7-A zXoZyl-Qp_CQ(kJNX+=4S2`=OlSndLuOa_^mOcW$hrv*AFl+Yvrg+WWRnwYO(LZEag 
zPn+be%nRsri?Vwe5|c)X0Tk&_ESd9Lkq@Pie_&cV5AOu8W*6||EtP?U`d2iv{44CU z95>&3b~cg(O;W&YE+t8`aEgzWDM?i1Pr;j!iH%O41B02s7z329q0UB9O9mh#;hOH;0?oald#K{Jra!lyoSd9KBP?{qaoyrsyw*9q ze+I`Tmbc=%Dz2;Iy4K;k5(-&yUKQt6ab9b4UUV15729>D*`-vh*KHoiYaPaGuwDk! zql*2y_0_J}uY1mZsg$x}!73K4V!_sC!IaIkVIkP}uLyxzPQmmbj7Q5~f4#yaMws-5 zZp}mN5nZY{*Y^ElF?%(SK3>_@kPK|>e?DR+kI6YH>imudkznWP+0FxrUJMggF@U$o z60F4ztib@1g{|1WitVe|zIE8X)Bz!}enwk3VPf?Cn>Vj4S_O)wYusEqg^G*3-&|zH zFs8Jn`ZnZDlPq8$Od`_JKt(eLM>BH3dPoMG6GjD`p9vKJJJ0xFIF5z~6PM8a z`2lSbNd&yyr*@Q|2>G1u*#Gz+S=xuQ+B=V}9l~K7i%{Bh;zOBV-jn%*#fbNI1sQrB z@FKglx5g$2?7>Aezk(+CH0|i+e?F-XK4}g8rkBU-1GFe6YX4dwx?AwsumJW}8UCx8^Q?|tW@q1E0>f#WsdHMLj$;S_Tz-*R9 zVCuY@2a^y&8;FxNnqRn6=Ft&j@B!d3 z(Hx#7IW*~QjRkP1TB7j%aFU2bzF!)0ZOboNf%gZ@muwv}HJf`95^5XTgQ*U4dWGbg};x&J*x0@o_LCe@A05^?;qE!P56> zn$BO|(qf{EoU&}AolMAz#vHW_me!q%Hjcj4*^a}PLjHx_T~L#qJ)Grka;r`Q?a8nh$t12r0bsZ%1?NS%r@ZK z1=aZ$%sUfIATsKhf7u5;49xUK0^yV}5LweC(bQGj*GZm9q$8ujtYhpvW`NM+D_vJV zh_E$xxwwqxnS)G0p8*s(tHW^$B79l`n0PsZi%l*xnVMqo395YaKq^V!@mR^& ztk_H`AWe_o8W2u@q%)oJPpQ5<3514w@5s^g!wN#i%lu>}rGn zTLqwAFa>9Ljk+byO=9iVQ})>skFt?cbk?|ZyWD6$(_b965cc@IbgNg z%1rD4=gBV=sYOI^9bQDONGX5(a;nnnonKJ62w*2yf6cvl@^!c9ERhRU#@(!DTT&~j z%NbvLy1$^Etj#4Y?%QN!S@$sg{Atl7b<1vTQq|pYI~%uZ7n2i zeBEFSf9j#MBU&=N<9HIMnSdf91qF*x-eS0Bui7kvCZ-34b=Tc3q5*zR#+T%7;TsC1 zc74OC_sP;3iVC?%A!)%zZu25_JX~5Y$y|?dzAb|Fa8=5>tdsv>vZJNcIO;B@z*bn{ z6mnCA5Pm|Wm?AgkIc=L%hEYQDEb>s)2M8t+f4OsqJXNZ7bZns`bxgP0B!EOKa`V$5 zhVi0&Fu9TgqeCw5$fBZyG7r11UHGX)f#3I+Qy}0A00W~w&fRGYfM`SK?|}`+V3BNs z=3)G<(7j$vDMxN)tpo$PpBB-jF(zNaRNz!^n@)An0_dh7s0YZ#5jA&yGrPPCBY|>G zf9oqnM3m}k(qQJqu7!lyYy^&8yVYv+f~FG;y^+%%box%e+wh(CXf)`Jyq@O;>!kJ5 zRFImiUbanuH*92}v z`2%}?!mZ5uE)+n3geXc4%>GPA(yFV72)qkce#a>m2tKYO*Ff6*b0 z@L3J^_PSfqR-4Xhht6ud+xPc7;hx{w?d@&uY`21~?%oWuN*6}-x__jziOkszu4>>P zkeH*)?3%7N=LQpE4g$V*X_<#WM7%nO3>OuOHJfyFOYf{KU=K}=GY;&U5f2`nFQ`-zO zsA?9`%|pU=JKAX2Ul!!gHv!cq;qE5FfJ}u{kFvVC8zA3*|McpLWZN+&J=2=!rUO>h z<#e@T7J|R!p$*pUdFVrjP>x1ejk}@~1A4u*;%;hYauWhjGyZ|l8h6hymf(kM68}R5OQkGQ(E&$pt 
zYO*0d9GQ_VtClWS1?}~Fn>+2@J-@dd?$YhV&c465+u!!PdwaXlZl}}V-y-L(8>Ckk>2S#|(==bIKez3FK^LO^U(cach81A-q zW|(E*L3}RlErdOXe`x7|Wks$gbeYi^N(NyxVi`br9=AxEHYi(;*<)w|OeO|<&z;m} zlTx4TolV}>FEN`({-QvXV9U5G@F#^3h3QTgaNr;#k1L@%t;?QgmN^( zYTOl_7|`pbm1dLDY*I>ZQuc!0{!Y~0^!M9)U8=rr?)cqae{ahV``fK>ufIh%FxxYz zuQHLYcIPvs6_(HSO-Zr3`7=y}X#ETx(GPG%ZQ%^TM~@!{iMMnsffFG20%r(=?+5V5 zQ~8+f9`LItABv4Zep%RTs7A!ooHlS{f#0S!;VP=_MObOE9}yjRufD>2zEfd{j*D`> zceeLCEtd7&e=})p&&mRim*SoM%Bz_YHJSmo%u|(DNLg(i@iPA!a!Y$O%@3XDre;gi zs_|MoKF4$5ApCRKT(L_6uOc#nVjRNS+Ou1_qH)Q3SOmzN_H6hBw`2TdHVW6tyF~oL za?odwZn%>qjmS^x=E8B3Tnr*ecs)+8P*SSZLw~HTfAI;%&v%K~l8fDXDq*gz&a-${OEBSCqy)@=||C1x*xZUh|J>O(mi9ET*;2mq0^as zLfcOxfAB01|CmAL4gptDFicqv@?a=E`Y(eNTA>fZkam`z`wuBGLDi7ZB?Ci-_8EGH zSt1ama3WnAAn-M%!+lClp@Vw%e!x3BtPSz|6{QD?FIt1NTdn^KItD}>sL?;ExD&Z0r+P_rn^s%2Ff1R?yEv+$1$1HFG9=RSwK^id=8p4(A2}XS8_B+EXDGZ-oeUY!5xRLfZx{Vtm zLV&qa-Uc)T_@=WMe55_Yl}NjWIrYWrV7SxRrhxt{gW0R}`L-*@zQvp~+*#KXUc|!> zhJK)0fSU%Gf+{?e{Uz~_ga0d+lvN+ z-^y@8BLoq^GS>!tC!Ig!%NJ5HdCBhjg(jJO!rm9cKr>hyLuxBZ>=cFW)D?nHjDxkoj!PPf(Be~fmw zx1#MD2QEqQ|5ol-j^RVG!(-<-4MS)v?CtDzTK?wdK6uXr`+gAa?)%&HW3RmvZ1;k0 zjh)8}z}Tvh4q%SXi`%-Ubbfoc-48m!mf!BTBY$fv=+MpwEx*_6cQ@PJ{h-^ev-4Ta zCl$KTrvyMDV%nZV9wu-9rwH4Z`gRr1^0T*w~>dHsHG zs<6rR%V;=xhs^B`uac?gcPEDkQZlvWi4vWM&v_utNb4ge=QolE-mF* zb8?K7oyHJkFB5hRtJ`6fYGhPk-+-}(?iCYbmI_L|BaN(pPQWxAb=O(D#Y(KM zLy&5wmk1G+yf7JZ7gX4gpv=@?_9oC-P}Z5KPsjQoQje<`sBK?S6%I{MH&lZJ|8KB! 
zfvOmwhpiCA7&$LAjR^#+fBy2<{|U;2+@XWGo}dAM1Zf;nOwdvz=sx^n-6ty$Y-`Mb zdI=+b3;9H@Ae>9{Q@tKRs47IV;`q?}HTswgK&4INVUKC~Od%XasJSrZH=sW+CWBxk zwo{ZCh7m|dx;`v@#G;unqT9S7b4Je_|Ikbtyi^nXfn!0p96K`}b6gUjlhInxJF(>7<)tf8aCSuN^UiHEPacLxDze zzF|yJuhxV(>KHa;agWuTXheBoij<;Y16-EuLRJ{tU9mWI8i^s{49T(l7KV-dhECSU zm@2Dm>v#C#1t@kQrccs+>2Xh((3xki1e~|X57FRpt7BPIlMGAm*I~+5kSxzU@H05W zT`GF@8*D#=e}0d|W4=xALRuia`3?lzC^0s825dST-3SV@*mX9BOqb-UzQD;vbstuW znC5G3qAsYqGG=V7fK*_?70tKFD-*D3k6~|2XGO1yW2X4A=$Ez~4b#bp^XUYV7SKV; zd4GpI4sLK|HHAfCI1y;3BT5r#@BpJjR%gEEVU_2?WxaA`PFl%u48+4D^6&V66G)`ygUFzP25h5As@bmaicx&X=*XIu>5 z8XGIFNqXRb6MTrK^Dp+C^C@Y6jD^T$>RXmee+6lp^kS53s6M$_RT)lYi5kONY1sU* z9k|sv!l*G&&OodQmH|#TFdT|&iE7k%MS)k6If*sM6+gX3fOTXQ?G2|EvD4utq#lQC zN^wxz=BkE)ObqRnn7PGc->=1$?rAjk)K%>{^zT;DN)RLJu&S3vbyO|#4_jh1zyh9UAHix-I$gqwL!q;3@f2tdC zBx%bqUZEby4YSVd=>DD3m(cZ%T{j$%8Qx>tV7NxuP0rqB$Myr@%NK1o#E>w zh2(I;AOlicJ;d!+Fq~kTw8?ddfV%9|c^m~-(!B<47jSfY^uxyK4=5#te=TU8tgIXZ zBg3<$ORA*PqFwDUmKS8|q6ULcE^AgWTNsi^;A`1Z7kyi^ByqNL|1BfRBcQ5!FKVWQ zaP$Mk$N_qK0rw3dR(yr$Hi3RTWuD6(#hv_ms=gu#z3Ltg2F9bKA6|9kgO|adCnF6G zucLu8pRE4w66jPcli)+Je}0v2KxbJwq*o~M9ytFB<0?qxz4Rk`roS zjzUZZzp9+Jv;lfYKX|7UYPC zoAOHQ3~>N?9lKewRy>@c7ETEtK=tYPt#aI2s;S7Ih=Q8{I92l+8Ay!mbP%)xY{aAR z*)4l{o@Si+wN^mW$m;>TlXW#`ZaufV;5S+xcWZPqm%Cby0wxvM<9OH`^I>>KO)tBk z?ao=_lE`qTCueVMe_Uvd(26|}Ei2aiq@eYssF4Do_V#+KgAj?%0Em##-t_8icl90i zczS*1hNxHHbVF^qNbu+f?mC^Jg|EMX@~0DSG7=Dfz>O&wdPWhY6sias${*?w!jcDd z5cUrg8rEjd=p^E=S17hYE2MG?P6KYEvCud$aRqeP?(yj&e|ik97+pS{rOQUz`#hRe zZo13>llF8yWopj*Y+`$9+&KEdr=1+o0S_3k{Pg%W`c-c!g>)YDgA@C4cWipRk1+DV9JRSzb;nNOo>P<=r3$Y?jH2 zsjWa2c6SVIe?s~;bK|-$2grp z{w`)sgzDFEM3=fSlU3vGd^B(3XhC+gVng-}7PH8(jSnbDI{p#(N${f-o>Csn)xeFT z(3QZQtVEx{AWGgwK`5)Flinp9seKoXH{M0*c-638f9d8ZArA&oFdCZXD5C69*U2F6 z-J-N zi)L(t<2d0JBQF<_r|CZ^FP3g}8GMWrb!heDB{&zsxs>iFF5XhY7&vGN9Bl>=fV$x@>(0?G4p4l`$z4#%&Y?W!DBck<@YhL z6HVr=PKQJ%eJ}~#RSmy*Q5`L(c+$N_RtEgYe-WuE5<6mk&lAgM9Tdp_$eum_aHsQ zJ{-Pr8W)qhP7c8VQH4gR$w0@Ioa2X9ZPr-nU2ydB_ysDK=I(*fja2X9QjymqI46rj 
zfB8^`J*I_9KLhn6Tv#>W8qDlUKLh6J{qa;kw0klS4`0whtyEL*GjS(NrQl12&rE60 zNlLJT17l;aY2G;%1Z;ufqOz+Rg5jbCMna6r-=PFSMVm6WV6m1yultc;NV(W%7AaYOQ^xApbGrrFkifBt_# zwZXXop#}bOT&Iuw-2H7@qdK^M{@a40#VAu8t1S7L+RQYlIg`!{c%6E{ja80pLp=;TBS#*wT{noT0jGY`yJyN7@g?}cEIy5*#0@91f|`$?*@mt ztw0YNuw4y_25>+Qk+;tBBJdW9f0y7tS;<$Hj%=}3t(6>tunJD0ubIK-(3@S1Jb6Eb zV`Y0#M0z%SHwkJsNG|4UhDvpX=SQcITuq;DmTj#NvLslAl-$!0mq>Q5DYFrNOt(Ua zcF}W=p0p|#55~ibeF1di1xyCGo(PBX%ng27j%&{)J9$!zlrep5N)&+>e`K@9f@fC@ z>-}MKQSSU_VHUpZp-x}idn@c>J?pOABF2a?B?R8Xe)i_vDVGXEOYF*9#}N}8tv$Qt zodW~jZ=zdkGi!ASYP{yhMs4OySPKxjv&1<8&o;HMU(m@_vju&KTbOc^q?-I)?ky;k zJg3M)Z~iRW^isgco@4$`e+LTnf-q@EJaq*t{Im8*n?JqM5xblQ3hI^eCqJjfXNV$j zN5l+j`YU71a2d{V9TZIRNmw6LPB|b}fq#!kA{EHylxb&Xg9I%vgHN;|t#A%GJdI3u z9$7OgaH0%E^iq0KT|Zo;=F^32`^zr@Dd{Yu|=OFLZt z#+wyc#Lhb(eRc1?f2*`qa;sc|@MeddM~Fom@hbhOvTZIV&NBPl>16EQ>uNh)r#7~# zXm!?&ZZV<^FB)vB)LvIEvb@c17Auft?g+(XXbN!cMQ%Nwav@ufz2Noq%|oB=CKf8F z>(#^>Io-(VMou?!x|H~uPI$A!Zsc?$r|(cs#|JI#*D+-sf0(hCOYX^#vH~T`J#7Q7 z_dtYP=v@!e9&u2IdIW!31`8QXC;K5 z6IDVc`kSP3K+uG1_s3)?f1 zS^}~_ZXwiZl$e#Q8H%)vI4RTCT5>2fQ>+A%3pv~rinZG-pjeC;_J|wOg&1AbMvzg|u(A;aUQ?e`ANk)VJgS=D_mIkpfGk3St)r z0ZOp>WaQ@OxupxaR=GCpWmv5(i=Ld7!LjWiCVvb^8*wq(7}j(&egi5$KtV-}%_n@m zdX1oUXzVo5n1ch-o=5AFpzIf}Ni8ZP7JmuF$z8ONrIdhLO&#Mpu%Z95M>%>qEl5`M zX*{s!e@w?RF(+A+J`6*xEbEU^G3x=P!C*V10;n1f`sH8$Q3wH9e$^w{%Itm!NBw^) zS6@Rwju6u8BVBJCYJ~0HOu!XOL=?!-w40u%k?a&2EJ>;*$+QHCo|W@Y8k;e80+xye z>8Tqt5acicVtxr>NEfUk-HRHbPm2p|tQ==^f8@9zw^uIY2Ctd@mD5>hGn4F{<#_Z- z3z3>1xL7Vq2U6T&Za#OWJqgQ^psQWBjT06n2F;xEB&-lg1vxG7zF)|nkX*z=m?aUx zg9)M|jJ1;K0JE3rU^JRYo+vDKX~Zt)>p|?G$OAZx#xT3<dIS`Fo7=* zf6|m$hdq|@YZOrh2SBGH%eu^fMkiQaXo8>6fSJ0GJ%?Lua5Qj_$J!cs_u`cHqBpul zuQw6VHsZIEL2oc0U%TB}C+L+0bHH+zicvF54i0%Tm5CIU{i?rF_xJ;juG5z-Rv-H{rt))T_6E2i-5?sw5(Wb|x!Va#h$up*E3K;q(L zq%!SC%L+F|bA1odEnY8A94Q$zBwJ%Mel~ZB0&*WJibOCaxdoQW7;%)9UveKs+|A6_I?F zeY#?o$5HQ+@*OLBc@TF;!RU4)e+c&XciVe=D<3iX_+q`i)m~i>((6xbyW;J z18a66vXUZUQ|4LSQbEaNzFux`sb221ST74YNojNJze%ozd#gJ*`UL0}GVsfwXhi@r 
zb9j#(l@0`lq61V^B^TU)o#}`-R`bN?xhYQH{xi={OrHqz@f5TvpL}O`Ce=FgSEN7SNqf9C3Up18 zEySzBlxj>HFUfGom9r%Y6vknqfUhl|;qywz@EV>`gN=3I(x?+Gm@Tp2!f0E`U#Fy?ttmB2D?tmGdUY?4<)5+g7>I*kfh43=TX*{8% zVg+~W9?xv;c+Fm%GOu||7R*wRxQmW39~dibO!1dEr9EMwa!l+qjIAXPb#5`0k?O1U zvrY!VVWufnmPNo4NBH^gfBBC}d(4C_PlwYnPMmY}Py~j>fByMzbu|_##U6-5 zSQjHDTfxPEISmNxNO;=2)dO52Z0PVQHm^LZJ=^PyF|8moV>zK@T4%NOL9j=5!Dn!J z(lC5J3^_QXifW-HdpiY3q4zw=&?d?6d|{t?WwmB*l2zFg(_rzOK9s3OvzK z&*+7hopjN>nPU;>e>~uqpjWYAQ66OL+fQ{{1==0(wi9WtSfH`Wn<++5PQ#fUkhhJR zTQ;U|!jsaJ2;K`WE=KbD(x;G{^Qs_R&&UW#e_zIQz@y&ftvRIeC=%#td)ySp0`!d0 zyhn%>S;Cj9DS>VTZw2ZEtGp|tQCyH4zrl>45lc)B z7rQ%^qaF>iUS@M|8b_VTXcUh7P&gJggN?q?=o^i`(dZjx*Y~pO8)d@YlpVyA>Pc}^ zo`D9{aPHy;s@0hW4^Gf|PGD3K;S2JK7Nnp(D-nvICWd*&=zjqR3X&OCVAom2MXxJ1iDHxII(uw{aMqI#VZH|abBd5A|8}L z1YdaB!E+eqfQ`~(kom08WHKcwL9e8ZP_jQ`nCfY{u}a?J9I%9z8MReU8+s|WTz>Sj ziWs_hpp9ESDt|F($y>7{mT=7BS~bL2W$CH%q~d5Zvu!-J$6aa0O?i@oft*=))irQY zH1pYLDaF~PW-U64puzhv%L8-Eaw;i$FY%gNND^CdiDE!Y9s*_RE9Sf0ASg}Hn=h1H zG@m;pfd!E*smw!3VCEaS1|5$@6+_i=#4~9pSWQGznSc88M>J(9&`C%xA}S=H3@x|` zM`zr|Gf6S!+%^{DbWz#Cw%!OK4lNTOR3@6IOwu|a8GaL~tSlnD>Q&Qy*Mic7==A>=y=3?f6^J`Po2&_jp|+S*)}xS*}g+QWi~ zkZUY12!H3kmcSsgxR@Zk*=+>jE`!?z#RrMi#{-1wiw{ynF5bRn;XZ>~kMv4K3F#Pk z@F79-baJn=-KicC#10FJLV`GP%@P;{z!g2IB{#^12I>8{zu2JfGCfJPo;}OI#ePC=e~AMHBmPk#GG3q24tFd)Kcrw znSUvLR8v@C2V~CW1DU-tyP$fP{Ug~88H1^BN0h*6+zlJP(VQ=?Wq^%z2p}a$8BnUxkjr{|H4JI;x%d%oB9s-C58BG{{POizun^6Re;_%obfOg)hB-M)% zMIUWLCu1I6HcqbnLG&>iIIzoFXP?hx02z-J6I08UjGSM9X|FDAe%FnG88kw_b|>)w z4H}3EAZI}?l2#6naZSn2B7aL0VA-cD90VfehE_00#9_!Uey7#m^uy?Sklca;l&^K% zrx2;0H|#~eS^N@00?zV-Mr2Q+G*Q3}s+Yhsx80mAN%R9}N1G-)+Aoqpzxj*78_^TP z`Aqgth>JMH3VW^oetUB(@V7dxzQ48G+xNTe-L~KE1$)tMhmzkW6Mt5vT9IAn#7Jq8 zNjlC+K{bfew>+TlOsWsSQBjeFy1(O-@iVGi3_G!YaJadNcBvBKn{YIQU#U`t#6M*R*Kp2Zv9!P_HTL zWtgd19hH-zRuNoeSW8qASfa%Qqd29TrSO)v8246w2gB74VkobNpj{2iTxjBzj{Gq` z*Ceg>4n9tMm(f*V)W8aYWzuO#p`p`BH@&6bt{i2!jFvEUC4Yy!42Ho)1ngGTd^70| zsA&2&89;cRRRYJs^gn19q^qiV`0DkmpI*NH;gr01{oU(V>cy+)?|yv!_BZ78`P<)~ 
z96eVrPJcRm_xz>SYueS@WEjb|So2h@eGFnsV93PvA-&ff9%0Ps=p#9(c7!WR>zG=O z;2GVs^(y!foqrE#9mjbb8s<16s*N4AQYZ=RYKaDJ?b)-(+oC|;={IgJzUt|AFToB` zKg!lPNl)ZH#9h&B(=iQ)J<5gBw``}z?H0e=-`m{YZokK2!OmdiXC-exubMDH^>x4n zKElqssbZX-!@gw2U_+}MvRnSl(F$KttE;8Jb6b))@P92hKt2h9OO9`y0ZfNnJ1+*I zb=Ltvn+L*dY6YP5@~7Odz@Pw4Lqb-?EKtlM{mZ}n9hUK`HL&Ux4bD};8su~QCkoXt zr;gLC;vA`en9eptC+y-ux~o{jrUPhro zqnso8!G8_is^+pKaqvtVguBAe%Gvf7W3%&I@j@lSePB#1j^}4)%=%5lw4&ozY<%?n zYaV>lVfkuis3O%jaXEJ9Y|+s^wQ6{%U^o>#rU2Ef;W24Cmx{+mvLGD~pWK&{M~ao5 zL6D9^`lFyMs5VcYwcGp8x1V^Vgh~Tu|5>!UL4Om4R%yC3dTqg68}69-^DO-_)jT^L zGRp^}ku|Mim54N^mLgfHkTlkMyE+S|za?EUn{fKMV z1Hk8lYV2|{;O5)a7%*nt+1NlH?e4}H=;Pku7(=aNmtz2&d#7WP++c7r>?af?L)r>D zO>k=V%1p4MkP|r$)>^pLVkO0POYat8JAW@MrAI3b22|<=KMdo)KnAZ%HyxxN&=U{o z0-3NH@VBB@!k7brAVPE)A>y_-)*j*?cGG?+u<3X%ahZ8(;xO~tB9zSg<5!;D8XHIk zZAL74#n`S&x|psO)S!$_F(9%+jZ|%6n`an zdLt2}Jy<Jg$NP zHhmR*imxVD-;M(0Q^)Z|JcbG#_3o5*7MKl{4f6FSO9Y;A^z)eK;1O8QMse_M91TJf zm(sCNyla~&#VLd2nZ)lUlC2_Y`z#LsT7t61R#-)(MN9)n^6nc#ELR!RXdwW1=$gns!J7#iyFh)&M+*d1Q5p z1EG3e01B`g&3qB4+Wl;?j(Hz&P%YpTLOrGaj3~@qoqzWIWhY2la3vfqxze4Cd2Tv+ zNgU2;8b#UgW?VMip!b0iX-e5RfQK8!s3?m^6N*|o*Ou1 zgen6Cdu84SDAv|k!dO3(9_6^O?>lC=)9etc>c8$Ywe04AfpTvRrUEIsRpC}Qz43RN z?X9?*P?8V0RlGTH)aYOhW*LJ+E1Z+^)!Qw(?SDa?M*eyc4?jeqe70(h^k|ZfldHFM z>aQtU$3KD^b_x=r_{bx-nllKDm1cxhtp&S|6TG|kc@vf`%yO101ilgh4Has4WNlsD zsS0INLV0=n-QkN|8px}^CF`F?gMQW4cUgPzY0WPdstRsT8w{L`jp8nfN|w7s!}gf7 z2Y=ADT_l>No1D3|OIDazchy~4RVT+HY`EcQt5YWrR=6rA;PP652zQp@OgWt?apSuY zwBznn?mE+ZFm0L1vh%DH3y5o(l&|erB&D#gB#y>|QNJlaoduZOH;B;K_LPK=3uEu1xr(dZN;Z1Y zs~ocEQ{7^I%ud+&9rr0&0p|f&_HfGXF_RPD zO{K6K){^7!#+G+cey+SVulH5vyX(A9q2nG%_TU-cq%k4D~l1zGR zRJeZy0~EZ7J_WroPmo6-q;qY}ZEV=e9EwjfPA|kl?mR84**cz3EFoCkG6W`9&E^_| zF*HRzm41D5`i@XijOI0hyUpLz?A&wPtDQ()TO)Y>bz=tdak%*3Mt0Dq16qG(zt zCjcT%3eO?{BqcC7cp@pDNph6yc5lN{T*cU(Nx>-Uz#>t7f#VQ5fJq7`j3Z$|gi{J; zLrleDV+O~ZDS{JFdBl*Yq?M{+un&VZ6{sB=6+IyFcs^q|$CS^UDSS3ZwOGQP1Y=vl zfBBpL4VTZn6=rWHR17}; zb1BT%2*^2U%w=AiH*WYWv_+RQMe7%6u}LaM+zf{4d$L9|{MKrQX0v=>_Gh{BG%!KP 
z*saSZ9Jwj~g4w(p?t3OWuD#))cbANRCAWYVia&eYZduIa8 zi^wdn0yH-B#%4afc1PB(Vhe0+<|S;E4!UV<=8er9fiyPr#%6xMHuJ{)dReV^UJWMi zxdGH=%bRiU(%8)J%4V)-K`FOX8k>1zGoRmPZkVhWVl1cPCW=2&5wdYgrTt;5^4Jkf zWCuyCLP#JOq<@@hDw@$*0)ieRcaBvfSC5GO=Z)}`0V~F{*Ikg6#@cRZEwE#BN_&Sbym&0gmnSWmgad#AqZa2E!c4u>McYo#M z0T^8`*7sVg>p^<`36;Ys23HNMD#4j;ZY^tcJ!WQS$YF|>$ZI2Inxr<7afJS_#T|^; zeb}j8)g#d`os6_>5_&B@cfb7gf1-7QG^Ly{gk^pc4F;ePjxh-zPRxg4ax(;aV(y$8EE~$7v85g?BCib0cy zJU1}~ObLhbVayQJ*IOZ!FrpEwM;~9!xFAU_D}PeVShF1Ya%6*9t~E(!Ta;3{IlJfM z7Fes!`xd3=a^)conPSpy1^srr`CP+e9BB#1mUI3|zW#=pH=aBnjgrxmr%#?k zcp5A51iNBFaF{an>tDdgilk21g(^R5FID2KDhXTF4JIsAE82Etc|IN1y&Q!!2Y(;( z3E`LLfvH8lBSmY>P`TAguj{bqsAPtiUzWfJMzI} z%KoY&GA99S5AFIt#^IP@Z`;x@B$eUC?(f*VHtfG){|}1&oA+Sdp#(U7mc#$qi|X88 zsoUk4KIMkV2y0$XM%Ua9+DHOZ5`PGCIA^;^8+aoOrU`?0a#kIO6LeKx#BBCE+Z0KS zw8-bEQ|?$?GM3AICAjNivCD|2aa+~Jyl^**(rnuTqj$d;iYn+39!G2_OoX6h;KTFu zetNo{#hN=&{-{K)%KTqRm}v)A!vvas$?U&a_f;a~g>OiTZ1GdhnKr!z3V)02xvb>E z!ggkJbm25>v+Ql;FjlMXYTmeG^^UJg|WcvFurZ^b& zE^jTdH;M$t+8#f@Wd0f20N*1#ioIvI=Ew^@I{xS)8lE$$hhGu)dCTPaXXx1BaZ{Dn zH-+(&FoSMpS0C%orEysqsed(7-;i>i7~)IVnTQsjBhH2E7)BYfl_w9r8^vLs5W5pk zmbt{(((Vcx8TQ4m7ksNP?vSR(<@c>!pmv#8Lm)@%m~hJR`ge^dX*k+@0gZdnSYDho12!!UHYz= z3b=^93_j6fjxL?()1%m;g^evuD9}v~p^V1V^g3ga#=v`qV#~3o{M&p|( zqN2s5i}iK0cdJ=A(0`g*0q1x#y_k}0X-*sG@&fxJ;?S#$7>kUkJplj9G&+ZK)0I(h z1CY+sT-<$xRY=4Y~|=gjeR}=OCT9jeqpOSgksof@{dhie5=v z@QtI?ujT$LaLS}IuQ%2niqWelhUTLlYiQM;@^&(#Quk-m?#_1te{hPVJ{O<=033I;5IbfJrYiuL1+i{42o#H|J_FM_6%1 z7?o#Q6%0ZN(SJ5fsKC)zhav9rKv4B6WlTyujImtg50DwNRfxrSS@qqH|0c4t`y zvG~QGIqM3JXTPu&3HZxVCg9JlP#~zBSw4>YecEqMNq=gN@^ChS?SF=j%(ki`Ei<*u z*+J`?=a^~FNudmYvo#ivtv_MAAl?HbPWG37{YSzcs`9HI$yQeLZPov$a`jD`vHP%* z0|y?x+Q6_u+g_?r?j);ObW`0vCysIo?Q=|F48Unxxfa~JNiG|T=Qe%ys`!cDO@!Wd zEzVGb#(!2ekG80tj4Vo3Yz$?xE6Z#sQwKsN?q9-4(5&7sboIikyETuMr1^Rko`&Qbk}oH)8oQUmMq~Ff zUNv?v2B5Kfk!7)aabemRy~-QCMBY&W{Yu4bUT zKqSBD>AKH?GEcoodclAk8p+AANL(?&luE}g5>2r*E+W~Km1GHXcsbhU3DF_9N)+@i zc@7V@tk~z;8cTs9fQ_O)1pbc`R+XowNoWHj028I-6jD|VBghp^Cu|(kMuEA4v!v{1 
zH-A#e#yp4TxYf%mI-)LIIoyMc^eJ>?otXJ|UQ&fcr87Z{qy{!HYl+?w%=wRTbRlKk z5h%x~&rqCtn5imV7kRc$AWaoHJvoNVC@`q$IK@OhH_7nH*cdDcCwRX=AhW4qZWrv) zx;t}PyHoZ8h}V!`L*`?#QsAq+FxGVm1%GsrpK^(P{*+Ak)d2}549xCTk@7GL(uk#E zC6uqn={k9CCD9SkDDESezaH2WZ^?IWUK^b`!4f@wXF-J7W&(0aS+2@=L;1%C=q%p; z5WuwbM$vUJ>|rV#ff!-1RH<=fRvW!3NFX#4DTWvl5bjmNdJn0DoP(FK`|IS}$$toz z4pi~XTsdmKxK>J0rL9q1G#qgQk$5p&Cx?`V2bh(bQr3rvyf}PwN|7Q!rL3P;mVUbuC5kUA=gjn!b~5hCn`9*7 zfR?H(&9$|4Lb(#l)ik7%Hcf-kt%nzTh!vShM#YDXw|s<WPT&P+_Gte%|}reK6wa>!BWgnW$&p} zngXh)Nzsex!(dtIyqev6K!2+cK2bs^4AA-lMQL}(6cA&I+M+YL;;Y1H8S{i`f`F=% zbf-z#KtSapzih#+Ds7h^?z`lgv|D2FGer=U1*L^@!RzG0oKxqeyKQgQ<_mDjM~(w0 zR-S94SBfAl5e87tvY?m4EZ(jQ_bdo==KyB+wwPu3D{W<0&*&t8z93mfQGfK=sUG5L!WNR&)?w z!P1h6S}p`Ni3*wIFn?OdU?-uCRa6->?m%DiydkQJgvxE-*#epYYO7vG@714GMISuC zm^rhGg@DJAM1|=cPQ%y!f^0@dgSdyA)-;N;!b$8H(1i05dL|?q&sm)4x6%OQ=+iZ@ z9&AXcU+kH#kX15By(;Pz=n=e6ZduuCL}eo?8&UaCMP(xgzkhH!n0Ekls2IN{x43Ai zjptMGl8(Ryx*9_jrBAtJLax0qmP!hFs&sl`OU&g3!hL{P?+<{FQK>6=2AH7^3Rnet zfz&03mIiC(L=i<+yQ<8XpNrc*LZ#(SQFDgiku6HcO*BSYBh{ZtM~MUFCb7bn6S|VP z>bq&l=Ja~b7k|F~@vJ1Eqz1c_I-9giu@G_tlbTL?VCwEq25{Rn9P0li zH!$XAFk5b^lfh?B7Rn-V&?+Gfa`Hn?<>>SC=xY3Bnc4C*{=)hU_gI04$CaqnZ+-&eo+>%o@j(8D7tn`v;8If$_zJEU&Ut$?Ljl}O$gwD8eD=k1X z^3!b4vGZZ4qxoxEnMDq{s8WWIW)0W3hMh~f$bBkK=`!fTq4Q13oGOONP@XVN(nz{! 
zu+#HcocEBGFdk8Ir`ks{VizY09G4_7wv={Gzej<~}Lcc7tDBz+gw*7R=46DRT% zn_?^F8h=eCa6#5MA(J5mgcX=u7R$NGn#UtNyx_Gwu>bt}y=`_i~WlQ0sj0EYoTGn`p$9kL3ThgsMp0a4=K*|Ro$(L}4T&w1| z!6s3H5!JXPi4w9Tp;vN+2m%e0hms*dJA|~1#Iv75Ru!8w3cac_uQnmg6@;S7SftkD zN`KLIkd9xV`*?BtqS&b(qH92Ta|4l8)4{NEZaB|}Osy{j!VB4Tk6#s6JAP%?$VBjJ z)9g8>OPs#y^cAE%_Ii0zN9dzaPt|xltt`@&{y-xYqnwz3`yrc6{VAUw{n7C&ts{4l znxdkd)meTGf_9z&{f1vQ{PK(Bm#`{oPJh->kqgwTZ8uDyVFC>ksK^AG^d(B#8XLb~WcF;5J1ie(omUjszXy8X`>XZ$_4It(|<%$zOu%uIg0h%Nb&VOXw zt0o*J*I{x4q4Fs^EL*CiFPU@i_U;#H;h$UMUf7{r4QFzV!rds`%d2o(*G%fSOlopR zmrP9X=+Z`s7)`7QS)v4pRO3vd)THVke*f?PKf+|HPG_TS6P+|AO2!B~C_8`4?Nj2@7ObuOUwg=g^=L~_dFIVR7XP+zF z<-FyFyc~Bq8z_12nU{MSFVR0P?=oa7xM+rJob9<`X)Sc;m?`%$7k6Q*1JRjubXw58 zqm8Dsq?(TIee}2$ojTNw`IRLD0&bwqjya=@dzDoP&=v&MYl*Y4OSjobdvCc_gzucnLE9 zxRnmp3rCmlPHE5w4y~{>4S(;FYh<8jT3W2BV&B4{lKT1!ZQLcbh169^pHEQEd&}S3?}WkjZadm; zH9p?8YFTBqqxp4>8TG58#+(XPNgr<@ge)_0q!+AFF5<%Bq~6+&`dj^W&)@3xxBRWv zPT$|}cRT)m6m7P`-hcjP&<$rGbv?tP#+m8R7{_vi59#XyvoV4$GK#O&PFSx^oYlXq z1dg67N=8lXeyiQ>@9%E=TOB&9TYEcQf3Fipe!t%ecj%mN?svPhOsz0bS(6LTiF%>W zWR258es91+e)$HR1Hn34{vDe19lASLJ|Ed6*BReQN-5 z0@&Rw=tZXlfOc!IpbML&AnfnvLs03d8LUE36deV_QJ~r_21~9QeTj7XyTML-v+wWi zLNM1>Z{P3kbt8XoYioaJs~b=)Yj1`n@`fuluq3QiB3_|+ovME0yId?z#Lc%@9tNH6 zKL$Fz-;k~5Jb!l<4SZn=cn$iu<2<)ew=Hm!Fo4W%E6quu$H1z%Cl~b0DJ1!t1Q*H5 z&pI#uyb8hbLX$5ChMNwv!<^n9{cu%uM?Npt7XyT&D`odhGwyn-ZhC6lr9F=0a{(oe z`zu<52gnShIUDF8^Hw)iI}5N0gL?o=!9ecFy}3NvAAhn^m4LrN0tQuf)e$CVm-pg6 zZ9_g}9XgY27|cYkAS*1GmM)ln;b{lx^gTY309IEsRHoJ{Me+2dTvYp^PLRo}z9Be8 zpn&C0kzPa15qs*IB&n|sakkQETr^b-j+!gwk+~o*kWz;)>d-@DRMN}Z0%99%svL~C zm?}}SG=CBn<@-AgDRDY5$8q}{ReM#Ei)e<`Oiqzk$=ID%#L|8bnG#aP3!r*OXSp{{ zIzM>!!GuLwrpA6}S-+(g4h}(w$K<=WVrf*$%q{ZLh*N>oNJEqK*_9X9qxfSyh-hor zH_SR`bzt3nKv4RAk$1G&wYB`c#oC(4QO4j^-nH)0zXvLNH2XPVDpRfLxBEKC(q78xe;s zzxbV2d(#i2>p^l0dkLTN47zQ=+mn2}Krb5hBHt_yIh;_0jd9O`t)6!W!SDlo`$i4` z3V#y?n`p3!g#GnK@Qpqc4L|&*C3(jR>;Q#?RL9DFaU-B?mme&zv+Dq1ZjKMXW7r;& zlQ+z9jU2st?eSZwD6HsuEUp8?o6&f!Cuyd|^-OQYwT9SHmQso3-f~&B3(_amaB=4R 
z>7@h~IoV69ua;uUSV2F=!w``2M$Lb%Yk#O&B-SDURI;}&E_RCZ$+1|Cb_hY};_MwIi7fffVZnO-?v!eeaVUh-0b#L2n4vg9W>GQIjVP@rlU)wek(rRWSnq}s zt8}MPaqyJSK8OLIgcJg$-__ZygOqBPXqeONd^q^8!2V`YyTif$<*nvqMt9BzIDb$d zg{A70CB?=LppThV&bDF^!rsA-9JZ!q0Ba}nyk9(YjSai%mMx!yau%EAlRS+ww3N*g zexwvyR-Xzmy4O>?fZX)p3)>aeo}bkwuAI!_=p8og>Iw!XTe;&+b(y>SJOzH;U*qMsy>=^hSN$4^x1#ZNSW8%&{5cf+%0_R|=h+(o{^T>3@4A_yHXG zv5+vZ-j*l|e0nhm55MJ4V7~a{UpTvH`&xGtb?-){OrC} zm++Duc~eAm0lekg!A?KdEPp3G-klyt;~*YXIRtF>R?Xh3BCqS+(cbE@vo_aW#<7bL z3+b+RF@^nFGA3Du{bf#5Qm!?7WqF~QV}VjSQuvQ=$aj=MFWf(YA0^_gKXmt_=1Vr@ zRrFc-};U` z0vrcO3@Yqa!IDMR2^f{e^(e;S(SP`I0R^S#ZSjpV{GfL=^WscmdE)d+0TvUIGhtJIV010nc zO@02@XXT^g?j#fpdq*HDFz4WvrmQUCV z`NosOW2{(*{+6GUxvBzJE*RjzQc$w16{($4bVWc=JMOW*?O|ks6gmXeH zRc|JIOjA;IprEQ6(^4pF&V+4#x~Rz%EtWKy;%-5cDV8f|aEHQ-X>#FCLyQ(L<5t=A zu!FC9i54bvA!x~(K;;3eO&_~1s9eB=JR=Z)zgqnro@XTe*&)1_G@=emLY7NL9a1O= zt9Ayu%A_b9v42@3=XPQn<5Sx=K*E%qeM44df0blZLC)gAn{YB*3I*M(|MbE3T(5rQ zke!tboQ^m3^dXpxlR~S$)Gb6dSx_#ly#!y^OuGh-xgh=HIVQF-)ecC|!t6wlh1ya$ zgwC%i9V|Hx11?C1J=0@+EA2$yP<1qoRQ6y#%PviA+keDVy_r(FTixAYCkXw`y>{Sl z?S(u3{{H5k-|g@Ax_j+TcWZZx5qFtZWY@owM9X{K@obA(qjfb}*Imy^qjfDp>na<= zij}6DlwG)&$#^6TTLDqPWgwX3KczA+)Tj&S87hLE{q3;7x$n34ceeel-TlB1!dBn! 
zZiSm+dw*vy2)Kc<8iSQ_mH2q(BrZ*EmgUKL@d$FW@MULYXbE@ryFs|;xAt3G{?^WJ z;P353JASX*+V5;`cUrynQeubxjK|=n zg_dR5nY{i1NB>fER5#%FCZl-FB_Y#)cs$jqv46`TT7F8l4MKZ7+XRAur<))xZ)M7X zFdGWpH;&@&WE>H&ho|H=nGm`Ir$ZmJZB|4ESdaoSGRqsGT@O5WWv4cmY^h5gu;{1R%N`jF`S&YFf)?2i5E!docHy+`wDtu!a}A1CpR$By ztz+CVUrgfkG74X@{;;OMo5aQINWxI%jekj#H~k&p-H>FZqQl!4w5IN2%@~|@>SXGZ zi1%P>zsaMs^wo>$GIa2mEq-^VhdelqVt!r9vYk?W-_tb{y=WT2We(-|&(8?pv(0PD zW;k?ZTx^Aj zM#-_V)Vc1>$thBp?aqDw4t$D)cLX!uRh;OG83~D*l2D&*)){9~LgTVrp6X8FR7-Vd zbB`Te+Ss42=+fRX1$48zN50mGl&cUG}Z zo`fZP=qw0!`e_L)rQ6Y)c&O$!<5$G@T&NAD5Us$dqg2#GJ*M1qx?@4N|9|Y>MYBeo z1NG7O?rn@-5VlT7=;R&o!ar+|v|W^5>1Z;7X@P=zrTi^ePK(cw%Lu8kqQBB@Yv(=M z-tnDT)%4*M>=gy(wJoARv%v>z(5sbK zEfQAMv%E(63nmZW!N=RX34n^W0Om2#a&MSu3Q~$|72SJdz<)I$6*j@)Ynz(GKApLR*#zpf@iZoZrILvi$$N<;X{Cj|>Rdf{ zX%V=KRa1=)D=nJFAkY{D9)m%k-d!Z?d3}q|hFs73GGLXQt(mL&+qUuze$FkOd zdif{Y0PA{_XUG9Vg=@CIcP6x(?eEmFHrwBlsJ`DRYqr0x{eQtiw!gt(0Brj$3R*)F zot~J&==|tKRy>@A_WF5~LQCKhdJhO);GJl5&9iDFHFc2)jXvQpB1d==k z!*NUzscKqi%(QhfWXJCSyqk=%B5Tg<0;^#*XwBb>=A7YdR#Mv`s+izOP0$we7IUJr z1!vwa}KjwCuvVM3OagBSqLq{r%RzCL;bvaBM2U_rz>j# zv%ALt<$rfE(>G>u(t77*QR=zSQ-BT@C!;^%TZPaON%gP)NZ3PFe$^w{$_lqu{eLP~ z-<%)24;yYcXG+wpiUBhXS7SY2e^Ww-#=og5t>Y{}b;mQT{2Ets#ocJ^M&~dlQ#sS3 zZbXLL!l)Y&M_{H`PvN)7Q>AjAp51d?&9sOR=zksU*E0ycz)Ys&=;}8S3&haY)vtKD z*F4sv%`(!?QMFekQ9nod`B5?e1S8CnIs4y@;EOYTZYIoy_=LA~RzBdxOwG%7PAt!? 
zJ83Tu*2=wz<9==i!Izbi?v}a!d+CU2h|9udqoOkYvu1!K4#|5$he!Ekmm zElhD0D3buKyYA{g?=N=X8FrV2d`WQzySRL&yWaP?8-KUHsxdD_i3V(Yl zWR0KKfGVIYSz7Zv5j=w*i(6&!N*g*V$WJ}C8b;*?ZegLyg-<2npqqU1K$r7hvLEW| zp;guRah&#Gc5aLCspdxr%&X2$MPmC zaMe^Wq^spJpsmoQMFw>GwNX=LmVYgOHd~BT5V^=N;BuH$@C9IvMnxlY9xNV{$D|@T zxvT_CRZt_HO8P%`kbuOYYAoyBI(cW372TNO47PF;>5oi=Dh7qtuJWJbx_MGjAX6XFHNf`HNpKtXQ%9pQLB|2i*XMb}SkkBjc z{Vt$We#?(G`&S8wlPgd(>8|N+Zu*(sgJ8bwMir79l?WRtk!O2)qLL-L{)7RQf7Ne4 z$pBdR^CS!tw}O`ydX6y~z36Ei}bjhtL$SOi@47UbBikNo>x6l1t=@ zcjg(F4P7)&cN(ev61`k?G=CW+c5+4aILf=Y9Awty+|q1QdZtlixhrV2Epx%;GYi}H zHh0D7cf~A1`0$HhKrE-09K!7s)rGhgV%<^r`iJ}^%g}`Dc9=$ZHNvYJfQ1XMT((J7 zb$NqEhIf`q@-uD4G+g$sxvWZ<(}(*_JQv?Z)8X}P#_D${Ibp6rkbli3dLorfc32G%T zH@CxGzq`BF_qW<%$KT)T_Wb@{Z*O-mXm56QS~DyfdE$kST~`^AZ}c^ldxgstMO@4h z%;~sDIMaNBK*DGM#(!aCm-wK{R5aHmEzeCgkKno_V|8tAZf)-D(S;T5wDze;>U8|> zRuuZZFx+l+cXz}6t-HP`spLAFak(^iDmfrL7)pKbojrg%mCO@jb)QmmkJ974N9l2B z)pL5pmru2By412<>p$yK;&Z9I>n0e@v9@Y|46kh79r?UmUw;e`xm_tTE!j$YIV+Bq zDZcz>V=kl3yrBxShAGq$qEJtGLYdHn16;q-`e%8kv$q94?yNwehkF)=2Oq+{9lhJD z(tgE=1T!Fkbx29}jAMJ6^=p@vl~?@9_^-MD&7x=6$%ryLf{7$EPfwG#Vd_U*cx9A)<$-v^l8yb;okkX|syZ-n%N zo3choFIGsqvJ9IW**lRfOJ|s9L`x%Ds_>~sv^=;eYedWaiIyf$k-|k7E^(eBWw{l9 ziWJ~)w(YZ)xyF34Z2RgaH`8Ou&9tcON#)LNF9G1J@?(ka8tWFprJBiR!%5Ujx z1Rq$cl2L+=xDszFy-_f{RcV%Zz_8_nYM3mKB1Gt3Zh%(YK<4av0<9~YmJqGNrLiU$9m9!b%;t)AdD<=zU!%A#b zG%TK3>jV>IjYNJe$n3-jc#=kXk|A_)PDGLy<|U1=B~-aM*|NW{1SvdAIshOKRXtKHl5_xE;o{Z^~D6Lj1Ad%f-8ta|K+T5r79u(oG)oYrs1SuV%v zsh+pO6}gmwC=+D(+?`vU(QrACcB;wj9d1(TLnJS4EMkp{j2`>6AGSKZAnf@4tsc<- zUg+=d?)3fc-d=Zmr@z1rf2j@PV}Dmam3f?nm4E?XAwf zAMQngzt!q>e7Y>!erKz*)7$Oz_B-J$OQcG8;9V}3COFUm;la@9y#@!i%PRY?KZ4ke zZa~AeGaQQDN%}xHHI@e)n`4~I%G^L68YhwONoPSW) zaXMYk$#j`h=?4>5HqT*n6Z3b+lVcw{S3GxaV*Vaj%%4oWCJb_RzP2o92S9qhwrx~r zs$`1WMtynOnTYQ)*1+Neg)cq zGqVzHK&hxm8+GSUrp-RgqfqBUdVlbKgY#(DjjQLqOj+aVY3kpccix$+C)932{mjy0 z$vU1_a!H&g)UT}as4F4Mp*=Q2x)IV;7va)6A3=@rLX+%pE 
zKGlep2RCJnXt_Vp(uDdcT!dj0>L*?-+rGL9^=m@??jqE0n82jHj8eE}9euN0byA$7DV;Ub&TFa3T5Y>e^?R~sq2f<*QNaG4Av^c8kaWV^K>?7WS75nN*Squj1RH>ig}sw;V>EAUL_MF5KQ@E z93cat3IY5Jo2eRFStYQmfOYK^Y(^LdU58?Ppt?Y98FVATlcUUHs#gkTuk*Z)BT7yq zE;!(u$<}WVKgCG5AZjK+sqe*d!1|eypRWGj*D(kCIU27FiB3yWu>tXgC2ie0=;R}{)8_1D+Y@NERaAHW&0Ggqk(IP_0n zzI)>z_8=D9KOElr@*Z|5ggk#=p>DA&qY6>A?}MlwE{{K)j4xjTo`-RIWwTz~96hHr zIieE>B@?O*(4Md@lufma?-ZMevRql078)fZduOGmac>}L!f1MuLjRGnMYjjHOjU}O zm}WZ}O_!Y$_+;>{Qcb0u z)V>C6EJR~_EXRdDp0vV%z_6CEJx`_^B*7iNNTgvbU+`@l<9@{mhhv{~3x*q0w*BJ0 zj8jwf_RQ=YDcdDt8jNlPDJn22MGC7ix(eb!N|MPqjYF0mBN<)LWzMK|og7CLDVPC- zkHyhaPm#kF#a-7*&vAe9CS51rCpVC6!=t~%+n7b{!45DD`W9qk>^~(F?0xSt>U|(F zOCnN!Cd3@_DYQ1K)*Q*fm=wuy{f3TWbb1*L22aVq{Vp2&Hctn$8azKdRthV9^e5!! zKRREx`r!}a4;6;-`QPd&`8pt%qo|Kk;&ME`PM>aU45DB(Tvva*iEgDr*HB)RbeF-U&|#Q!I-j1Hh8qa44}YVRW=$0$Rv&GYUc7=D0n-y8xEB7qPD z0%)};@av7>8+{0;5hJ*i(}E@=?Y)^c4+^i6Z9s||#)1t~)+o9NMo7AaS0KiKZ??{4k;;ZA?g-`d>i`$5!d`Mqwi+1lA{Z+3$o z>vfq{+w70NPvEujWAHBvH9#bQHxn+zh6MP+9TK5g~s?Qf?iO)(TF z>4(UxN`;Caya|YK>L#WsYcq5tHh{CvBcQ)eoc=O5kc|);Dk=tV$o1)#ivqA9F z0cVy1wEF^y;x8*n!B33rRO*LZ5Z<@YbS|J*iF##ZmVgggm3(H+yypsGsfoYeYzfw# zyG5EKL~?&$T+oHros7p+Drjj7Ku==p17n+ z<`j{FADgS}ppY(l{QK3>s{{EK$1J|#+xO->-gAF>_Im(_@d-Gj5VBIyNp6V^5zK?& zk6>`?Y9vwpV=GD_f9~`&S`rcPP@ht6$O~D&xF)k$N%6f z99LDW-KT#~r++Yn(D`2Z*%C>grx|S8)$QeEW8)jr?x0FM-TV%TCE8n63hz|61GSxo zAYOlesut9CR+C3#sA(O5SCy-(QH;9=Y<3V&OjdqB>B=&=0`Td#Bjnbh@yhN(83(I& zUUYi~x5ZH0WUxvssD^!S3P^`7Pgo1ArGu zt$_%*2YLtS#v6{9*`Co97PKJq@E|Kjlk0znVF*=_0sA*%q7`+k%>dXsXOMB!#MBz)AM*6Z2d%sJ7S?SWl|6+;znHUN z>8?rNaz(&ZdSbhgv%)zc*ty=|lI+aK*QOF%&!_ARdI+`54B@6 z)^Mq_F%5tN$2xxhil8#46k+z5e`DJjKT)iqsT=jZ13m=EAjE} zohsGJpWe=Ocsu*q?Y$q})^c*2cW}#KYUzlz14l@ZA|YO@1i1yRh}x^GziYq8GflGk z)d5?G6fw#K$}B#!LvOtoC#uZe>6`Fpfrlrs2+W%kSi9!Vaa69Zu0DSN49X-h8c|t% zvXD^CvNq9|cPyyGuV7xcg2t<$4zB`jdp*^+pwKSX6Q-z~Sgp{ql%3tPMRj?-6`ETW z8aIWhhp#ibDJ<>X2=(|kRGpI=ogBXOofIRC`gc<l8&7quJ>G~*93aQyQ zT_ZJNhSKSVZ*90r`Q(iMJ@GOmTScQaHzDO!T9y;QToy80nwKFo&m@t&Rqx518TxR9 
zVcpVw>vqSgDuU`&3u=%;I-o`pE#9ujx}PuVNF(bSS=Y$AM%I7LCF>UAo9gPDp#KNv zooZU}^#v;^#zl;8Pu}W94azaf3wHn$h5DSEZ*sj>IkA}!xtp{8$RtDaouEncX@)?p z9vReXzS9;J|7sPmmlVaDRYD_q@yJOlFTsnGlM3_8RRrT%39|u+S}gj_g6cYLvy8r! zb26Xj@*hS~^6!6FSuSLXT#%RemFfnRhknE#tEfdAbyGA3*AEvTs|p3w|Qfh(j_xm(TIOJPP4oiVKwy#2I8uPVI=qE{AkJc#(^8_oj^-&U4ffy0jJ7fh(a4nrUsEk zmHFOc46(JwEgvTS!Khq{=NO_;zlA z4A09gX|Da;Vsfd>Sb`!hK8VR5lQ#WQj4OsJ9e3Z57MlcAsMr+2=d0HUT8G9gEe7Hb zNLw$Fi6(--$D-T{;yln6zPp4?|G65jq1hT*Eqj0TSEOplnXcR(u-l2UVPo1<>ytxF z+Q>wx>AO+AqFA3!dRv0Hw?YKuh)umdE(a@a&b65UA7&y7IF~{$!RN1$rCbWxeO`Lb zNZ%@$+3)GU-BtAEp}DIxk$?9R`GJ zFV^YbDvTU(3ZS8AH~B}L`36F8Sb#i~q zF7JV!j*#cluBMajFd7@9#yJ!5f0qo4?A{0wz(KpjZQyS;8_D`>U-{mvF8#D3KCyPK`R zZ*{t@?Y+%jx3{-D10hZe4g9h*`#yih2*5jw{ZrcN{C?8a_+JwOxb*HqHC~psAP=Du zLTfGupxK;%=5hRaY>|J&0$Pi=&wQRfvwQhe^zf7Wlo7^5(@RZq&eUy!w9XpGbsge7>a2eap_)o- zjHsMiYgC!8+7hMPHje9cI<7ZCS~j3Y!Yz%2Yhtq+5!Z;gM#Rl0;=Z`ptO|WmE`E-} zoIvy?D`>_=j!kqH{%OmKf3*tOi>isvYNE56=&bT{+eBx%$Db9e8AN27H8GL{L7*m6 z+a+KOWsfw`S#cAc#k=fM84Q0>Xk*FLAe!i`>|)b{gqrBACOT_j%B}U-q~}~^)=*-b zK&&PZs|m#V5(2R*hY#FslvQ4^)vUfk3yHu|0bp+@gNTQ9r2OcF1k7I-e1NZ#VGL(5 zP`y$V)*+}3S62{+gtxJ=`@DkjIOu%mqA@wH|HVkHz4D#b{ zSWFoP5~*H}G$f+N2R)Nm6wyEf+7@&L2TOl^NTqA_GfL_qkP)Ro{^%{8x)E*kB^#i6 zp%>FXzoi4cO6bt^YrTJX3zaWGyG{mi@7AYUtq)6O5C_Aab}gEZBes86y$kInM1Dba zj=)&E1&wiT?G`lYA;uQ$eMJ%}NdaBXh7rx^lUD7B)aV4t+~x9GFY5uV8T{bN4aa$( zEMchWuSXZ($5cv;dY5!5oLmek+2cS84ub?FcI;NBq~kh=(=mVZ)hjv{gd(<12M;GH zS1G60=86{AJa7de7b{n-jTJl_glFuA^IG2Y|B8WV1>KO!04b`UVY|hkGR56csmeTsY$SO?QF|fz0SM9D)g&F9ah}E%7{a(bNgf)J|b9h=cURF!z zWz{%YHBMGK#Ky_WfT?yoY2#$o_z^dL#1BuxHGag6h-*Y#BjV;0abKJtF~dcPo~ZL_ zN8x9U7jZ2|&Q^iUQFG%(+;|b2&l@k|8OGdr5jS4MjTe7$d9-AEVy*LtI4GLv2x5Z=4S^ zG;6&F3Up$A_A^pBL=!_fN1>cjnF*W!5GNh%=jx0mXO2_+B`nO)hz{D~fUhQl0shd- zST<+_tS~X{@R+5G2$9)$j5?8!H9o_17R8(ndycKCdeo=Nh5YCHWN`$g;M7D zGD?jru2b?6W=$raF)yVSoncc$sdzF7;m&KSBE-=RzcKtW>V2TP1y4UicOp>$uJT%gC3=IBoDi$-f=o?dDDOO z$h_cs6kSXP!Dw*Hdwz47uw*&kLb9Ag23{oAL4|-NJvvNX-DS;DcEA^%D^m^otSMj3 
zpR*~6hZow{s#$9ORMsp`P;=)U_o<}mMd4&rJ=2ah1_i|Kd#xkjv+g4$`-9}-0tVxJ zT6HkyBH=(v%nkpPDI(79HIWdXl6!y3AjDgL;Q52Nqke%kSo4mreug02uDLcj=9f(q z$B}^PBw7RtienY|1%bIv1+?>$8KUT9T|U>(Ve#>>u3|Wj3L+jXYvu37*D(mpDb{^n zECWYc)y;^GB6E8=Yrd|ymb%>2l;1s(t1kr3g8AMeMav6RRK5ArQ$&BBf?+~TNwzd62Ug5M4|)w@8Mm1q9W3o#8lA&dX=N1L02e4u?lAG=yB=h9$|u9AE=Y8o=Wgvcb8jGtY?3rGq| zv5>cx(F}s#82B9sdjtNQ0^fjjI2eHXO=O@Z`cykQa}!fu%?kDK;P#lw78 z=w>t+P*xQDFpU2Kmz~aXbXfWsdOW1WK4CTBZ$+=P3VUXO6GC(t;*ft_dkB9;Rz`<^ zy3>&8Lbq8$BHwz>yP83a;rv7OjFnhpW(V>bv~-gd zCC0POniHfS1LIOcWPN{SQ@DPbE8eVT5f+B5Ang@xJ4G&0dJqb0bObJpR2U2NkM?H6 z_FKGr2hU3V%XG|fjGslS=cE?~;Ncwbo6}?WVIv0)JhBh^*$x~D_v>#Yd5X80Gk)h8 zzNKyF}lO#ET$fhO~rXCE=+&A=t>!*E1k_BrX}@kA!?^)u6s_hq7QNE4oi)4o)S@hWGoLr#)>Gf2YcnTW_pw5Zl~GF|V3YB(O#S+z5vygq zycZg4&M-2T;0)t^v4spzEEaUs!Lp8$ZhAh=HzOpMdo31*JbIVx!GkiR2M-v1+&#g3JQ|!`;+epJ z4NlMd%pqy(m~sy?;NxtX_+SJ=7Dzyz%||9SRDe16AxrS6=A|2