diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_Workday.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_Workday.yaml
new file mode 100644
index 00000000000..6a7ab357682
--- /dev/null
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_Workday.yaml
@@ -0,0 +1,80 @@
+id: a924d317-03d2-4420-a71f-4d347bda4bd8
+name: TI map IP entity to Workday(ASimAuditEventLogs)
+description: |
+ Detects a match in Workday activity from any IP Indicator of Compromise (IOC) provided by Threat Intelligence (TI).
+severity: Medium
+requiredDataConnectors:
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: Workday
+ dataTypes:
+ - Workday
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - CommandAndControl
+relevantTechniques:
+ - T1071
+query: |
+ let dtLookBack = 1h; // Define the lookback period for audit events
+ let ioc_lookBack = 14d; // Define the lookback period for threat intelligence indicators
+ ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
+ | where isnotempty(NetworkIP)
+ or isnotempty(EmailSourceIpAddress)
+ or isnotempty(NetworkDestinationIP)
+ or isnotempty(NetworkSourceIP) // Filter for indicators with relevant IP fields
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId // Get the latest indicator time for each IndicatorId
+ | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress) // Combine IP fields into a single entity
+ | where Active == true and ExpirationDateTime > now() // Filter for active indicators that have not expired
+ | join kind=inner (
+ ASimAuditEventLogs
+ | where EventVendor == "Workday" // Filter for Workday events
+ | where TimeGenerated >= ago(dtLookBack) // Filter events within the lookback period
+ | where isnotempty(DvcIpAddr) // Filter for events with a device IP address
+ | extend WD_TimeGenerated = EventStartTime // Rename the event start time column
+ | project WD_TimeGenerated, ActorUsername, DvcIpAddr, Operation, Object // Select relevant columns
+ )
+ on $left.TI_ipEntity == $right.DvcIpAddr // Join on the IP entity
+ | project
+ LatestIndicatorTime,
+ Description,
+ ActivityGroupNames,
+ IndicatorId,
+ ThreatType,
+ Url,
+ ExpirationDateTime,
+ ConfidenceScore,
+ WD_TimeGenerated,
+ ActorUsername,
+ DvcIpAddr,
+ Operation,
+ Object // Select relevant columns after the join
+ | extend
+ timestamp = WD_TimeGenerated,
+ Name = tostring(split(ActorUsername, '@', 0)),
+ UPNSuffix = tostring(split(ActorUsername, '@', 1)) // Add additional fields for timestamp, name, and UPN suffix
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: FullName
+ columnName: ActorUsername
+ - identifier: Name
+ columnName: Name
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: DvcIpAddr
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json b/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json
index 827bb65a3c0..3487118e055 100644
--- a/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json
+++ b/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json
@@ -72,7 +72,8 @@
 "Analytic Rules/EmailEntity_CloudAppEvents.yaml",
 "Analytic Rules/FileHashEntity_CloudAppEvents.yaml",
 "Analytic Rules/IPEntity_CloudAppEvents.yaml",
- "Analytic Rules/URLEntity_CloudAppEvents.yaml"
+ "Analytic Rules/URLEntity_CloudAppEvents.yaml",
+ "Analytic Rules/IPEntity_Workday.yaml"
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Threat Intelligence\\",
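Review bot: The join key `on $left.TI_ipEntity == $right.DvcIpAddr` (together with the `isnotempty(DvcIpAddr)` filter and the IP entity mapping `columnName: DvcIpAddr`) compares the indicator against the ASIM audit schema's device/reporting address, whereas the address a Workday actor connects from is normally carried in `SrcIpAddr`; unless the Workday parser is known to put the client IP in `DvcIpAddr`, the rule should filter on `| where isnotempty(SrcIpAddr)`, join `on $left.TI_ipEntity == $right.SrcIpAddr` and map the IP entity to `SrcIpAddr`, otherwise it will silently never fire on the case it describes. The sibling TI-map rules in this solution expose `IoCExpirationTime`, `IndicatorId`, `IoCConfidenceScore`, `ActivityGroupNames`, `IoCDescription`, `ThreatType` and `EventTime` through `customDetails` plus an `alertDetailsOverride`; this rule projects the same columns but declares neither, so the alert carries no indicator context for triage. `dtLookBack = 1h` equals `queryFrequency: 1h`, so a Workday event that lands in the workspace more than an hour after it occurred is never checked against the indicators; widening the audit-side window (or filtering on `ingestion_time()`) would close that gap if Workday ingestion latency is non-trivial. Tagging activity in an HR SaaS from a known-bad IP as `CommandAndControl`/`T1071` looks copied from the network-traffic TI rules; Initial Access with `T1078` (Valid Accounts) describes what a hit here actually means.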
diff --git a/Solutions/Threat Intelligence/Package/3.0.9.zip b/Solutions/Threat Intelligence/Package/3.0.9.zip
index 63e3129d09d..29848c1cffb 100644
Binary files a/Solutions/Threat Intelligence/Package/3.0.9.zip and b/Solutions/Threat Intelligence/Package/3.0.9.zip differ
diff --git a/Solutions/Threat Intelligence/Package/createUiDefinition.json b/Solutions/Threat Intelligence/Package/createUiDefinition.json
index 95754d59477..473406a1f37 100644
--- a/Solutions/Threat Intelligence/Package/createUiDefinition.json
+++ b/Solutions/Threat Intelligence/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of supported STIX objects into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 5, **Workbooks:** 1, **Analytic Rules:** 52, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of supported STIX objects into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 5, **Workbooks:** 1, **Analytic Rules:** 53, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -954,6 +954,20 @@ } } ] + }, + { + "name": "analytic53", + "type": "Microsoft.Common.Section", + "label": "TI map IP entity to Workday(ASimAuditEventLogs)", + "elements": [ + { + "name": "analytic53-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects a match in Workday activity from any IP Indicator of Compromise (IOC) provided by Threat Intelligence (TI)." + } + } + ] } ] }, @@ -1058,4 +1072,4 @@ "workspace": "[basics('workspace')]" } } -} \ No newline at end of file +} diff --git a/Solutions/Threat Intelligence/Package/mainTemplate.json b/Solutions/Threat Intelligence/Package/mainTemplate.json index 5e70fc6b098..98eaa5b1478 100644 --- a/Solutions/Threat Intelligence/Package/mainTemplate.json +++ b/Solutions/Threat Intelligence/Package/mainTemplate.json 
@@ -485,6 +485,13 @@ "analyticRuleTemplateSpecName52": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e8ae92dd-1d41-4530-8be8-85c5014c7b47')))]", "_analyticRulecontentProductId52": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e8ae92dd-1d41-4530-8be8-85c5014c7b47','-', '1.0.3')))]" }, + "analyticRuleObject53": { + "analyticRuleVersion53": "1.0.0", + "_analyticRulecontentId53": "a924d317-03d2-4420-a71f-4d347bda4bd8", + "analyticRuleId53": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a924d317-03d2-4420-a71f-4d347bda4bd8')]", + "analyticRuleTemplateSpecName53": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a924d317-03d2-4420-a71f-4d347bda4bd8')))]", + "_analyticRulecontentProductId53": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a924d317-03d2-4420-a71f-4d347bda4bd8','-', '1.0.0')))]" + }, "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]", "management": "[concat('https://management','.azure','.com/')]" }, 
@@ -1078,7 +1085,7 @@ "title": "Premium Microsoft Defender Threat Intelligence", "publisher": "Microsoft", "logo": { - "type": 258, + "type": 258 }, "descriptionMarkdown": "Microsoft Sentinel provides you the capability to import threat intelligence generated by Microsoft to enable monitoring, alerting and hunting. Use this data connector to import Indicators of Compromise (IOCs) from Microsoft Defender Threat Intelligence (MDTI) into Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes, etc. Note: This is a paid connector. To use and ingest data from it, please purchase the \"MDTI API Access\" SKU from the Partner Center.", "graphQueries": [ @@ -1095,7 +1102,7 @@ }, { "description": "Summarize by 1 hour bins", - "query": "ThreatIntelligenceIndicator\n| where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"\n| where TimeGenerated >= ago(1d) | summarize count()​​" + "query": "ThreatIntelligenceIndicator\n| where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"\n| where TimeGenerated >= ago(1d) | summarize count()" } ], "connectivityCriterias": [ @@ -2023,22 +2030,22 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -2051,8 +2058,8 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } ], "entityType": "Host" 
@@ -2060,8 +2067,8 @@ { "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ], "entityType": "IP" @@ -2069,8 +2076,8 @@ { "fieldMappings": [ { - "columnName": "PA_Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "PA_Url" } ], "entityType": "URL" @@ -2157,28 +2164,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -2191,12 +2198,12 @@ { "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -2204,8 +2211,8 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" } ], "entityType": "Host" @@ -2213,8 +2220,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -2222,8 +2229,8 @@ { "fieldMappings": [ { - "columnName": "InitiatingProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "InitiatingProcessCommandLine" } ], "entityType": "Process" 
@@ -2310,28 +2317,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "DNS", "dataTypes": [ "DnsEvents" - ] + ], + "connectorId": "DNS" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -2344,16 +2351,16 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Computer" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -2361,8 +2368,8 @@ { "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ], "entityType": "IP" @@ -2370,8 +2377,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" 
@@ -2458,28 +2465,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "EmailEvents" - ] + ], + "connectorId": "Office365" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -2492,16 +2499,16 @@ { "fieldMappings": [ { - "columnName": "RecipientEmailAddress", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "RecipientEmailAddress" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -2588,28 +2595,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "EmailUrlInfo" - ] + ], + "connectorId": "Office365" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
@@ -2622,16 +2629,16 @@ { "fieldMappings": [ { - "columnName": "RecipientEmailAddress", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "RecipientEmailAddress" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -2639,8 +2646,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -2727,34 +2734,34 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SquidProxy", "dataTypes": [ "SquidProxy_CL" - ] + ], + "connectorId": "SquidProxy" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -2767,8 +2774,8 @@ { "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } ], "entityType": "IP" @@ -2776,8 +2783,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" 
@@ -2785,12 +2792,12 @@ ], "customDetails": { "IoCExpirationTime": "ExpirationDateTime", - "ActivityGroupNames": "ActivityGroupNames", + "EventTime": "Event_TimeGenerated", "IndicatorId": "IndicatorId", "IoCConfidenceScore": "ConfidenceScore", + "ActivityGroupNames": "ActivityGroupNames", "IoCDescription": "Description", - "ThreatType": "ThreatType", - "EventTime": "Event_TimeGenerated" + "ThreatType": "ThreatType" }, "alertDetailsOverride": { "alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.", @@ -2877,28 +2884,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -2911,8 +2918,8 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } ], "entityType": "Host" @@ -2920,8 +2927,8 @@ { "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ], "entityType": "IP" @@ -2929,8 +2936,8 @@ { "fieldMappings": [ { - "columnName": "PA_Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "PA_Url" } ], "entityType": "URL" 
@@ -3017,34 +3024,34 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftCloudAppSecurity", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftCloudAppSecurity" }, { - "connectorId": "AzureSecurityCenter", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "AzureSecurityCenter" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -3057,8 +3064,8 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" } ], "entityType": "Host" @@ -3066,8 +3073,8 @@ { "fieldMappings": [ { - "columnName": "IP_addr", - "identifier": "Address" + "identifier": "Address", + "columnName": "IP_addr" } ], "entityType": "IP" @@ -3075,8 +3082,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -3163,28 +3170,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "Syslog" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
@@ -3197,16 +3204,16 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Computer" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -3214,8 +3221,8 @@ { "fieldMappings": [ { - "columnName": "HostIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "HostIP" } ], "entityType": "IP" @@ -3223,8 +3230,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -3311,28 +3318,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActivity", "dataTypes": [ "AzureActivity" - ] + ], + "connectorId": "AzureActivity" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -3345,16 +3352,16 @@ { "fieldMappings": [ { - "columnName": "Caller", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Caller" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -3362,8 +3369,8 @@ { "fieldMappings": [ { - "columnName": "CallerIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "CallerIpAddress" } ], "entityType": "IP" 
@@ -3371,8 +3378,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -3459,28 +3466,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "EmailEvents" - ] + ], + "connectorId": "Office365" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -3493,16 +3500,16 @@ { "fieldMappings": [ { - "columnName": "RecipientEmailAddress", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "RecipientEmailAddress" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -3589,28 +3596,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity" - ] + ], + "connectorId": "Office365" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
@@ -3623,16 +3630,16 @@ { "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -3640,8 +3647,8 @@ { "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ], "entityType": "IP" @@ -3649,8 +3656,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -3737,28 +3744,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -3771,8 +3778,8 @@ { "fieldMappings": [ { - "columnName": "DestinationUserID", - "identifier": "Name" + "identifier": "Name", + "columnName": "DestinationUserID" } ], "entityType": "Account" @@ -3780,8 +3787,8 @@ { "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ], "entityType": "IP" @@ -3789,8 +3796,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" 
@@ -3877,28 +3884,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSecurityCenter", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "AzureSecurityCenter" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -3911,16 +3918,16 @@ { "fieldMappings": [ { - "columnName": "EntityEmail", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "EntityEmail" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -3928,8 +3935,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" 
@@ -4016,40 +4023,40 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvents" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -4062,8 +4069,8 @@ { "fieldMappings": [ { - "columnName": "TargetUserName", - "identifier": "Name" + "identifier": "Name", + "columnName": "TargetUserName" } ], "entityType": "Account" @@ -4071,12 +4078,12 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -4084,8 +4091,8 @@ { "fieldMappings": [ { - "columnName": "IpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IpAddress" } ], "entityType": "IP" @@ -4093,8 +4100,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" 
@@ -4181,34 +4188,34 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -4221,16 +4228,16 @@ { "fieldMappings": [ { - "columnName": "UserPrincipalName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserPrincipalName" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -4238,8 +4245,8 @@ { "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } ], "entityType": "IP" @@ -4247,8 +4254,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" 
@@ -4335,28 +4342,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -4369,16 +4376,16 @@ { "fieldMappings": [ { - "columnName": "SourceUserName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "SourceUserName" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -4386,16 +4393,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -4403,8 +4410,8 @@ { "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ], "entityType": "IP" @@ -4412,8 +4419,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" 
@@ -4421,12 +4428,12 @@ { "fieldMappings": [ { - "columnName": "FileHashValue", - "identifier": "Value" + "identifier": "Value", + "columnName": "FileHashValue" }, { - "columnName": "FileHashType", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "FileHashType" } ], "entityType": "FileHash" @@ -4513,28 +4520,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -4547,16 +4554,16 @@ { "fieldMappings": [ { - "columnName": "RequestAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "RequestAccountName" }, { - "columnName": "RequestAccountSid", - "identifier": "Sid" + "identifier": "Sid", + "columnName": "RequestAccountSid" }, { - "columnName": "RequestAccountDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "RequestAccountDomain" } ], "entityType": "Account" @@ -4564,12 +4571,12 @@ { "fieldMappings": [ { - "columnName": "FileHashValue", - "identifier": "Value" + "identifier": "Value", + "columnName": "FileHashValue" }, { - "columnName": "FileHashType", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "FileHashType" } ], "entityType": "FileHash" @@ -4577,8 +4584,8 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } ], "entityType": "Host" 
@@ -4665,40 +4672,40 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvents" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -4711,16 +4718,16 @@ { "fieldMappings": [ { - "columnName": "Account", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Account" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" @@ -4728,16 +4735,16 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Computer" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -4745,8 +4752,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" 
@@ -4754,12 +4761,12 @@ { "fieldMappings": [ { - "columnName": "FileHashValue", - "identifier": "Value" + "identifier": "Value", + "columnName": "FileHashValue" }, { - "columnName": "FileHashType", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "FileHashType" } ], "entityType": "FileHash" @@ -4846,22 +4853,22 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -4874,12 +4881,12 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -4887,8 +4894,8 @@ { "fieldMappings": [ { - "columnName": "CsUsername", - "identifier": "Name" + "identifier": "Name", + "columnName": "CsUsername" } ], "entityType": "Account" @@ -4896,8 +4903,8 @@ { "fieldMappings": [ { - "columnName": "CIp", - "identifier": "Address" + "identifier": "Address", + "columnName": "CIp" } ], "entityType": "IP" @@ -4905,8 +4912,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -4914,8 +4921,8 @@ { "fieldMappings": [ { - "columnName": "_ResourceId", - "identifier": "ResourceId" + "identifier": "ResourceId", + "columnName": "_ResourceId" } ], "entityType": "AzureResource" 
@@ -5005,28 +5012,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "AWS", "dataTypes": [ "AWSCloudTrail" - ] + ], + "connectorId": "AWS" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -5039,8 +5046,8 @@ { "fieldMappings": [ { - "columnName": "UserIdentityUserName", - "identifier": "ObjectGuid" + "identifier": "ObjectGuid", + "columnName": "UserIdentityUserName" } ], "entityType": "Account" @@ -5048,8 +5055,8 @@ { "fieldMappings": [ { - "columnName": "SourceIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIpAddress" } ], "entityType": "IP" @@ -5057,8 +5064,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -5145,28 +5152,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "AzureActivity", "dataTypes": [ "AzureActivity" - ] + ], + "connectorId": "AzureActivity" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
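Review bot: The Account entity mapping in the `@@ -5039,8 +5046,8 @@` hunk on this line keeps `"identifier": "ObjectGuid"` paired with `"columnName": "UserIdentityUserName"` on the new side; ObjectGuid is the identifier for a directory object GUID, while a CloudTrail user name is a login/display name, so this entity will most likely not correlate with Account entities raised by the other rules in this package. Every other user-name column in this file is mapped to `Name` or `FullName`, so `"identifier": "Name", "columnName": "UserIdentityUserName"` would be the consistent choice. The commit only reorders keys here, and since this file appears to be packaging-tool output, the correction belongs in the source analytic-rule YAML followed by a regenerate rather than a hand edit of this JSON. The enclosing rule object starts and ends outside the hunk.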
@@ -5179,16 +5186,16 @@ { "fieldMappings": [ { - "columnName": "Caller", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Caller" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -5196,8 +5203,8 @@ { "fieldMappings": [ { - "columnName": "AadUserId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "AadUserId" } ], "entityType": "Account" @@ -5205,8 +5212,8 @@ { "fieldMappings": [ { - "columnName": "CallerIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "CallerIpAddress" } ], "entityType": "IP" @@ -5214,8 +5221,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -5223,8 +5230,8 @@ { "fieldMappings": [ { - "columnName": "ResourceId", - "identifier": "ResourceId" + "identifier": "ResourceId", + "columnName": "ResourceId" } ], "entityType": "AzureResource" @@ -5311,28 +5318,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -5345,8 +5352,8 @@ { "fieldMappings": [ { - "columnName": "TI_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "TI_ipEntity" } ], "entityType": "IP" 
@@ -5354,8 +5361,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -5442,28 +5449,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "AzureKeyVault", "dataTypes": [ "KeyVaultData" - ] + ], + "connectorId": "AzureKeyVault" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -5476,8 +5483,8 @@ { "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ], "entityType": "IP" @@ -5485,8 +5492,8 @@ { "fieldMappings": [ { - "columnName": "ResourceId", - "identifier": "ResourceId" + "identifier": "ResourceId", + "columnName": "ResourceId" } ], "entityType": "AzureResource" @@ -5573,22 +5580,22 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
@@ -5601,16 +5608,16 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Computer" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -5618,8 +5625,8 @@ { "fieldMappings": [ { - "columnName": "TI_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "TI_ipEntity" } ], "entityType": "IP" @@ -5627,8 +5634,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -5715,28 +5722,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -5749,8 +5756,8 @@ { "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ], "entityType": "IP" 
@@ -5837,28 +5844,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "CEF", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CEF" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -5871,8 +5878,8 @@ { "fieldMappings": [ { - "columnName": "CS_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "CS_ipEntity" } ], "entityType": "IP" @@ -5959,28 +5966,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -5993,12 +6000,12 @@ { "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -6006,8 +6013,8 @@ { "fieldMappings": [ { - "columnName": "TI_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "TI_ipEntity" } ], "entityType": "IP" 
@@ -6015,8 +6022,8 @@ { "fieldMappings": [ { - "columnName": "RemoteUrl", - "identifier": "Url" + "identifier": "Url", + "columnName": "RemoteUrl" } ], "entityType": "URL" @@ -6024,8 +6031,8 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } ], "entityType": "Host" @@ -6112,28 +6119,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "DNS", "dataTypes": [ "DnsEvents" - ] + ], + "connectorId": "DNS" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -6146,16 +6153,16 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Computer" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -6163,8 +6170,8 @@ { "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ], "entityType": "IP" @@ -6172,8 +6179,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" 
@@ -6260,34 +6267,34 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SquidProxy", "dataTypes": [ "SquidProxy_CL" - ] + ], + "connectorId": "SquidProxy" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -6300,8 +6307,8 @@ { "fieldMappings": [ { - "columnName": "DstIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "DstIpAddr" } ], "entityType": "IP" @@ -6309,12 +6316,12 @@ ], "customDetails": { "IoCExpirationTime": "ExpirationDateTime", - "ActivityGroupNames": "ActivityGroupNames", + "EventTime": "imNWS_TimeGenerated", "IndicatorId": "IndicatorId", "IoCConfidenceScore": "ConfidenceScore", + "ActivityGroupNames": "ActivityGroupNames", "IoCDescription": "Description", - "ThreatType": "ThreatType", - "EventTime": "imNWS_TimeGenerated" + "ThreatType": "ThreatType" }, "alertDetailsOverride": { "alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator.", 
@@ -6401,28 +6408,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity" - ] + ], + "connectorId": "Office365" } ], "tactics": [ @@ -6435,16 +6442,16 @@ { "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -6452,8 +6459,8 @@ { "fieldMappings": [ { - "columnName": "TI_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "TI_ipEntity" } ], "entityType": "IP" @@ -6461,8 +6468,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" 
@@ -6549,34 +6556,34 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -6589,16 +6596,16 @@ { "fieldMappings": [ { - "columnName": "UserPrincipalName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserPrincipalName" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -6606,8 +6613,8 @@ { "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } ], "entityType": "IP" @@ -6615,8 +6622,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" 
@@ -6703,28 +6710,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" } ], "tactics": [ @@ -6737,12 +6744,12 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -6750,8 +6757,8 @@ { "fieldMappings": [ { - "columnName": "RemoteIp", - "identifier": "Address" + "identifier": "Address", + "columnName": "RemoteIp" } ], "entityType": "IP" @@ -6759,8 +6766,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -6847,28 +6854,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": "AzureMonitor(IIS)", "dataTypes": [ "W3CIISLog" - ] + ], + "connectorId": "AzureMonitor(IIS)" } ], "tactics": [ 
@@ -6881,8 +6888,8 @@ { "fieldMappings": [ { - "columnName": "csUserName", - "identifier": "Name" + "identifier": "Name", + "columnName": "csUserName" } ], "entityType": "Account" @@ -6890,8 +6897,8 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "Computer" } ], "entityType": "Host" @@ -6899,8 +6906,8 @@ { "fieldMappings": [ { - "columnName": "cIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "cIP" } ], "entityType": "IP" @@ -6908,8 +6915,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -6996,28 +7003,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -7030,16 +7037,16 @@ { "fieldMappings": [ { - "columnName": "userPrincipalName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "userPrincipalName" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ], "entityType": "Account" 
@@ -7047,16 +7054,16 @@ { "fieldMappings": [ { - "columnName": "TargetResourceDisplayName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "TargetResourceDisplayName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } ], "entityType": "Host" @@ -7064,8 +7071,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -7152,28 +7159,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -7186,12 +7193,12 @@ { "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -7199,8 +7206,8 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" } ], "entityType": "Host" @@ -7208,8 +7215,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" 
@@ -7217,8 +7224,8 @@ { "fieldMappings": [ { - "columnName": "InitiatingProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "InitiatingProcessCommandLine" } ], "entityType": "Process" @@ -7305,28 +7312,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "EmailUrlInfo" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -7339,16 +7346,16 @@ { "fieldMappings": [ { - "columnName": "RecipientEmailAddress", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "RecipientEmailAddress" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -7356,8 +7363,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" 
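Review bot: The `@@ -7305,28 +7312,28 @@` hunk on this line still declares `"dataTypes": ["EmailUrlInfo"]` under `"connectorId": "AzureActiveDirectory"` on the new side, which disagrees with how the neighbouring hunks declare Defender XDR tables (`DeviceNetworkEvents` and `UrlClickEvents` are listed under `MicrosoftThreatProtection`). As far as I can tell EmailUrlInfo is a Defender XDR email table, not an Entra ID one, so the required-connector entry mis-states the rule's data dependency and the content hub will not flag the missing connector to deployers. The commit only reorders keys and does not address it; because this file looks generated, the fix should be `connectorId: MicrosoftThreatProtection` for `EmailUrlInfo` in the source analytic-rule YAML, with the package regenerated. The enclosing rule object continues outside the hunk.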
@@ -7444,28 +7451,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity" - ] + ], + "connectorId": "Office365" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" } ], "tactics": [ @@ -7478,16 +7485,16 @@ { "fieldMappings": [ { - "columnName": "User", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "User" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -7495,8 +7502,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -7583,28 +7590,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
@@ -7617,8 +7624,8 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } ], "entityType": "Host" @@ -7626,8 +7633,8 @@ { "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ], "entityType": "IP" @@ -7635,8 +7642,8 @@ { "fieldMappings": [ { - "columnName": "PA_Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "PA_Url" } ], "entityType": "URL" @@ -7723,34 +7730,34 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftCloudAppSecurity", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftCloudAppSecurity" }, { - "connectorId": "AzureSecurityCenter", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "AzureSecurityCenter" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -7763,8 +7770,8 @@ { "fieldMappings": [ { - "columnName": "Compromised_Host", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "Compromised_Host" } ], "entityType": "Host" @@ -7772,8 +7779,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" 
@@ -7860,28 +7867,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "Syslog" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -7894,8 +7901,8 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "Computer" } ], "entityType": "Host" @@ -7903,8 +7910,8 @@ { "fieldMappings": [ { - "columnName": "HostIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "HostIP" } ], "entityType": "IP" @@ -7912,8 +7919,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -8000,28 +8007,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "UrlClickEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
@@ -8034,16 +8041,16 @@ { "fieldMappings": [ { - "columnName": "AccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "AccountUpn" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -8051,8 +8058,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -8139,28 +8146,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "CiscoDuoSecurity", "dataTypes": [ "CiscoDuo" - ] + ], + "connectorId": "CiscoDuoSecurity" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -8173,16 +8180,16 @@ { "fieldMappings": [ { - "columnName": "user_name_s", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "user_name_s" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -8190,8 +8197,8 @@ { "fieldMappings": [ { - "columnName": "access_device_ip_s", - "identifier": "Address" + "identifier": "Address", + "columnName": "access_device_ip_s" } ], "entityType": "IP" 
@@ -8278,70 +8285,70 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "DNS", "dataTypes": [ "DnsEvents" - ] + ], + "connectorId": "DNS" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "InfobloxNIOS", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "InfobloxNIOS" }, { - "connectorId": "GCPDNSDataConnector", "dataTypes": [ "GCP_DNS_CL" - ] + ], + "connectorId": "GCPDNSDataConnector" }, { - "connectorId": "NXLogDnsLogs", "dataTypes": [ "NXLog_DNS_Server_CL" - ] + ], + "connectorId": "NXLogDnsLogs" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": "CiscoUmbrellaDataConnector", "dataTypes": [ "Cisco_Umbrella_dns_CL" - ] + ], + "connectorId": "CiscoUmbrellaDataConnector" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" } ], "tactics": [ @@ -8354,16 +8361,16 @@ { "fieldMappings": [ { - "columnName": "Dvc", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Dvc" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } ], "entityType": "Host" 
@@ -8371,8 +8378,8 @@ { "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } ], "entityType": "IP" @@ -8380,8 +8387,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -8389,25 +8396,25 @@ { "fieldMappings": [ { - "columnName": "Domain", - "identifier": "DomainName" + "identifier": "DomainName", + "columnName": "Domain" } ], "entityType": "DNS" } ], "customDetails": { + "ExpirationDateTime": "ExpirationDateTime", "LatestIndicatorTime": "LatestIndicatorTime", "DnsQuery": "DnsQuery", - "ExpirationDateTime": "ExpirationDateTime", - "Description": "Description", - "SourceIPAddress": "SrcIpAddr", - "ConfidenceScore": "ConfidenceScore", - "ActivityGroupNames": "ActivityGroupNames", - "IndicatorId": "IndicatorId", + "DNSRequestTime": "DNS_TimeGenerated", "QueryType": "DnsQueryType", + "IndicatorId": "IndicatorId", + "ActivityGroupNames": "ActivityGroupNames", + "SourceIPAddress": "SrcIpAddr", "ThreatType": "ThreatType", - "DNSRequestTime": "DNS_TimeGenerated" + "ConfidenceScore": "ConfidenceScore", + "Description": "Description" } } }, 
@@ -8490,70 +8497,70 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "DNS", "dataTypes": [ "DnsEvents" - ] + ], + "connectorId": "DNS" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "InfobloxNIOS", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "InfobloxNIOS" }, { - "connectorId": "GCPDNSDataConnector", "dataTypes": [ "GCP_DNS_CL" - ] + ], + "connectorId": "GCPDNSDataConnector" }, { - "connectorId": "NXLogDnsLogs", "dataTypes": [ "NXLog_DNS_Server_CL" - ] + ], + "connectorId": "NXLogDnsLogs" }, { - "connectorId": "CiscoUmbrellaDataConnector", "dataTypes": [ "Cisco_Umbrella_dns_CL" - ] + ], + "connectorId": "CiscoUmbrellaDataConnector" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" } ], "tactics": [ @@ -8566,8 +8573,8 @@ { "fieldMappings": [ { - "columnName": "Dvc", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Dvc" } ], "entityType": "Host" @@ -8575,8 +8582,8 @@ { "fieldMappings": [ { - "columnName": "IoC", - "identifier": "Address" + "identifier": "Address", + "columnName": "IoC" } ], "entityType": "IP" 
@@ -8584,24 +8591,24 @@ { "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } ], "entityType": "IP" } ], "customDetails": { + "ExpirationDateTime": "ExpirationDateTime", "LatestIndicatorTime": "LatestIndicatorTime", "DnsQuery": "DnsQuery", - "ExpirationDateTime": "ExpirationDateTime", - "Description": "Description", - "SourceIPAddress": "SrcIpAddr", - "ConfidenceScore": "ConfidenceScore", - "ActivityGroupNames": "ActivityGroupNames", + "DNSRequestTime": "imDns_mintime", "IndicatorId": "IndicatorId", + "ActivityGroupNames": "ActivityGroupNames", + "SourceIPAddress": "SrcIpAddr", "ThreatType": "ThreatType", - "DNSRequestTime": "imDns_mintime" + "ConfidenceScore": "ConfidenceScore", + "Description": "Description" }, "alertDetailsOverride": { "alertDescriptionFormat": "The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.", 
@@ -8688,113 +8695,113 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AWSS3", "dataTypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" }, { - "connectorId": "CiscoASA", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CiscoASA" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream" - ] + ], + "connectorId": "AIVectraStream" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": 
"CiscoMeraki", "dataTypes": [ "Syslog", "CiscoMerakiNativePoller" - ] + ], + "connectorId": "CiscoMeraki" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" } ], "tactics": [ @@ -8807,23 +8814,23 @@ { "fieldMappings": [ { - "columnName": "IoCIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "IoCIP" } ], "entityType": "IP" } ], "customDetails": { - "IoCIPDirection": "IoCDirection", + "EventEndTime": "imNWS_maxtime", "IoCExpirationTime": "ExpirationDateTime", + "EventStartTime": "imNWS_mintime", "IndicatorId": "IndicatorId", + "IoCConfidenceScore": "ConfidenceScore", "ActivityGroupNames": "ActivityGroupNames", - "EventStartTime": "imNWS_mintime", - "EventEndTime": "imNWS_maxtime", "IoCDescription": "Description", "ThreatType": "ThreatType", - "IoCConfidenceScore": "ConfidenceScore" + "IoCIPDirection": "IoCDirection" }, "alertDetailsOverride": { "alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.", @@ -8910,22 +8917,22 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -8938,8 +8945,8 @@ { "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "AccountCustomEntity" } ], "entityType": "Account" 
@@ -8947,8 +8954,8 @@ { "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ], "entityType": "IP" @@ -9035,16 +9042,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "CloudAppEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -9057,8 +9064,8 @@ { "fieldMappings": [ { - "columnName": "DomainName", - "identifier": "DomainName" + "identifier": "DomainName", + "columnName": "DomainName" } ], "entityType": "DNS" @@ -9066,8 +9073,8 @@ { "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } ], "entityType": "IP" @@ -9154,16 +9161,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "CloudAppEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -9176,16 +9183,16 @@ { "fieldMappings": [ { - "columnName": "Name", - "identifier": "DisplayName" + "identifier": "DisplayName", + "columnName": "Name" }, { - "columnName": "User_Id", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "User_Id" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" 
@@ -9272,22 +9279,22 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "CloudAppEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -9300,8 +9307,8 @@ { "fieldMappings": [ { - "columnName": "DestinationIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "DestinationIP" } ], "entityType": "IP" @@ -9309,8 +9316,8 @@ { "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ], "entityType": "IP" @@ -9318,8 +9325,8 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } ], "entityType": "Host" @@ -9327,12 +9334,12 @@ { "fieldMappings": [ { - "columnName": "FileHashValue", - "identifier": "Value" + "identifier": "Value", + "columnName": "FileHashValue" }, { - "columnName": "FileHashType", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "FileHashType" } ], "entityType": "FileHash" @@ -9419,16 +9426,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "CloudAppEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -9441,8 +9448,8 @@ { "fieldMappings": [ { - "columnName": "TI_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "TI_ipEntity" } ], "entityType": "IP" 
@@ -9450,8 +9457,8 @@ { "fieldMappings": [ { - "columnName": "NetworkDestinationIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "NetworkDestinationIP" } ], "entityType": "IP" @@ -9459,8 +9466,8 @@ { "fieldMappings": [ { - "columnName": "NetworkSourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "NetworkSourceIP" } ], "entityType": "IP" @@ -9468,8 +9475,8 @@ { "fieldMappings": [ { - "columnName": "EmailSourceIPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "EmailSourceIPAddress" } ], "entityType": "IP" @@ -9556,16 +9563,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "CloudAppEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -9578,16 +9585,16 @@ { "fieldMappings": [ { - "columnName": "AccountObjectId", - "identifier": "ObjectGuid" + "identifier": "ObjectGuid", + "columnName": "AccountObjectId" }, { - "columnName": "userPrincipalName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "userPrincipalName" }, { - "columnName": "AccountDisplayName", - "identifier": "DisplayName" + "identifier": "DisplayName", + "columnName": "AccountDisplayName" } ], "entityType": "Account" @@ -9595,8 +9602,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -9604,8 +9611,8 @@ { "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } ], "entityType": "IP" 
@@ -9613,12 +9620,12 @@ { "fieldMappings": [ { - "columnName": "Application", - "identifier": "Name" + "identifier": "Name", + "columnName": "Application" }, { - "columnName": "ApplicationID", - "identifier": "AppId" + "identifier": "AppId", + "columnName": "ApplicationID" } ], "entityType": "CloudApplication" 
@@ -9668,6 +9675,145 @@ "version": "[variables('analyticRuleObject52').analyticRuleVersion52]" } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject53').analyticRuleTemplateSpecName53]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "IPEntity_Workday_AnalyticalRules Analytics Rule with template version 3.0.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject53').analyticRuleVersion53]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects a match in Workday activity from any IP Indicator of Compromise (IOC) provided by Threat Intelligence (TI).", + "displayName": "TI map IP entity to Workday(ASimAuditEventLogs)", + "enabled": false, + "query": "let dtLookBack = 1h; // Define the lookback period for audit events\nlet ioc_lookBack = 14d; // Define the lookback period for threat intelligence indicators\nThreatIntelligenceIndicator \n| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period\n| where isnotempty(NetworkIP)\n or isnotempty(EmailSourceIpAddress)\n or isnotempty(NetworkDestinationIP)\n or isnotempty(NetworkSourceIP) // Filter for indicators with relevant IP fields\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId // Get 
the latest indicator time for each IndicatorId\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress) // Combine IP fields into a single entity\n | where Active == true and ExpirationDateTime > now() // Filter for active indicators that have not expired\n | join kind=inner (\n ASimAuditEventLogs\n | where EventVendor == \"Workday\" // Filter for Workday events\n | where TimeGenerated >= ago(dtLookBack) // Filter events within the lookback period\n | where isnotempty(DvcIpAddr) // Filter for events with a device IP address\n | extend WD_TimeGenerated = EventStartTime // Rename the event start time column\n | project WD_TimeGenerated, ActorUsername, DvcIpAddr, Operation, Object // Select relevant columns\n )\n on $left.TI_ipEntity == $right.DvcIpAddr // Join on the IP entity\n | project\n LatestIndicatorTime,\n Description,\n ActivityGroupNames,\n IndicatorId,\n ThreatType,\n Url,\n ExpirationDateTime,\n ConfidenceScore,\n WD_TimeGenerated,\n ActorUsername,\n DvcIpAddr,\n Operation,\n Object // Select relevant columns after the join\n | extend\n timestamp = WD_TimeGenerated,\n Name = tostring(split(ActorUsername, '@', 0)),\n UPNSuffix = tostring(split(ActorUsername, '@', 1)) // Add additional fields for timestamp, name, and UPN suffix \n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligence" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceTaxii" + }, + { + "dataTypes": [ + "Workday" + ], + "connectorId": "Workday" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" + } + ], + "tactics": [ + 
"CommandAndControl" + ], + "techniques": [ + "T1071" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "ActorUsername" + }, + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "DvcIpAddr" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject53').analyticRuleId53,'/'))))]", + "properties": { + "description": "Threat Intelligence Analytics Rule 53", + "parentId": "[variables('analyticRuleObject53').analyticRuleId53]", + "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject53').analyticRuleVersion53]", + "source": { + "kind": "Solution", + "name": "Threat Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "contentKind": "AnalyticsRule", + "displayName": "TI map IP entity to Workday(ASimAuditEventLogs)", + "contentProductId": "[variables('analyticRuleObject53')._analyticRulecontentProductId53]", + "id": 
"[variables('analyticRuleObject53')._analyticRulecontentProductId53]", + "version": "[variables('analyticRuleObject53').analyticRuleVersion53]" + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", "apiVersion": "2023-04-01-preview", @@ -9678,7 +9824,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "Threat Intelligence", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "
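Review bot: The new rule 53 (the contentTemplates block added in this hunk) has no `customDetails` or `alertDetailsOverride`, even though its query already projects LatestIndicatorTime, IndicatorId, ThreatType, ConfidenceScore, ExpirationDateTime and Description, and the sibling TI-map rules earlier in this diff (the DNS and network-session rules) expose exactly those columns so an analyst can triage the indicator match from the incident without re-running the query. Since mainTemplate.json looks generated from the rule YAML, the block below belongs in the source IPEntity_Workday.yaml, placed after entityMappings, with the package then regenerated rather than edited here. Separately, the `Workday` connector entry declares dataType `Workday` while the query reads `ASimAuditEventLogs`; if that connector actually writes to the ASim table, the dataType should name it so the rule's connector-status check reflects the real dependency — worth verifying against the Workday solution's connector definition.
```json
"customDetails": {
  "LatestIndicatorTime": "LatestIndicatorTime",
  "IndicatorId": "IndicatorId",
  "ThreatType": "ThreatType",
  "ConfidenceScore": "ConfidenceScore",
  "ExpirationDateTime": "ExpirationDateTime",
  "Description": "Description",
  "SourceIPAddress": "DvcIpAddr"
}
```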

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Threat Intelligence solution contains data connectors for import of supported STIX objects into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.

\n

Data Connectors: 5, Workbooks: 1, Analytic Rules: 52, Hunting Queries: 5

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Threat Intelligence solution contains data connectors for import of supported STIX objects into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.

\n

Data Connectors: 5, Workbooks: 1, Analytic Rules: 53, Hunting Queries: 5

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -10017,6 +10163,11 @@ "kind": "AnalyticsRule", "contentId": "[variables('analyticRuleObject52')._analyticRulecontentId52]", "version": "[variables('analyticRuleObject52').analyticRuleVersion52]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "version": "[variables('analyticRuleObject53').analyticRuleVersion53]" } ] },