diff --git a/.script/tests/KqlvalidationsTests/CustomTables/NetworkAccessAlerts.json b/.script/tests/KqlvalidationsTests/CustomTables/NetworkAccessAlerts.json
new file mode 100644
index 00000000000..8ad31260523
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/NetworkAccessAlerts.json
@@ -0,0 +1,93 @@
+{
+ "Name": "NetworkAccessAlerts",
+ "Properties": [
+ {
+ "Name": "TenantId",
+ "Type": "string"
+ },
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Id",
+ "Type": "string"
+ },
+ {
+ "Name": "DisplayName",
+ "Type": "string"
+ },
+ {
+ "Name": "Severity",
+ "Type": "string"
+ },
+ {
+ "Name": "ComponentName",
+ "Type": "string"
+ },
+ {
+ "Name": "DetectionTechnology",
+ "Type": "string"
+ },
+ {
+ "Name": "AlertType",
+ "Type": "string"
+ },
+ {
+ "Name": "Description",
+ "Type": "string"
+ },
+ {
+ "Name": "ProductName",
+ "Type": "string"
+ },
+ {
+ "Name": "PolicyId",
+ "Type": "string"
+ },
+ {
+ "Name": "LastActivityDateTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "FirstActivityDateTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "SourceSystem",
+ "Type": "string"
+ },
+ {
+ "Name": "Techniques",
+ "Type": "string"
+ },
+ {
+ "Name": "SubTechniques",
+ "Type": "string"
+ },
+ {
+ "Name": "ExtendedProperties",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "RelatedResources",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "IsPreview",
+ "Type": "bool"
+ },
+ {
+ "Name": "CreationDateTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Type",
+ "Type": "string"
+ },
+ {
+ "Name": "VendorName",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml b/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
index 41d20c1937d..f228301f879 100644
--- a/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
@@ -1,12 +1,13 @@
id: 4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa
name: GSA - Detect Connections Outside Operational Hours
-description: This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.
+description: |
+ This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.
severity: High
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- - EnrichedMicrosoft365AuditLogs
+ - NetworkAccessTrafficLogs
queryFrequency: 1h
queryPeriod: 24h
triggerOperator: gt
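Review bot: The `dataTypes` value changed here to `NetworkAccessTrafficLogs` does not match the table the query reads, `NetworkAccessTraffic` (next hunk), and the same value is used in the other two rules in this change; if the connector's declared data type is the table name rather than the diagnostic-setting category, the rule's connector check will report the data as missing, so please confirm the exact name against the AzureActiveDirectory connector definition before merging. The rewritten description speaks of "defined operational hours" but the query's `datetime_part('hour', TimeGenerated)` evaluates the hour in UTC, so the 08:00–18:00 window is a UTC window for every tenant and weekends are treated as in-hours; I would add to the description `Hours are evaluated in UTC and no weekend/holiday exclusion is applied; adjust operational_start_hour/operational_end_hour or convert TimeGenerated with datetime_utc_to_local() for your time zone.` or convert in the query, e.g. `| extend HourOfDay = datetime_part('hour', datetime_utc_to_local(TimeGenerated, 'Europe/London'))` with the zone as a configurable let. The rule stays `severity: High` for what is, as written, a volume signal on any off-hours connection, which is likely to be noisy for organisations with shifts or remote staff. The query body starts in the next hunk and continues beyond it.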
@@ -22,7 +23,7 @@ query: |
let operational_start_hour = 8; // Start of operational hours (8 AM)
let operational_end_hour = 18; // End of operational hours (6 PM)
NetworkAccessTraffic
- | where TimeGenerated between(starttime .. endtime)
+ | where TimeGenerated between (starttime .. endtime)
| extend HourOfDay = datetime_part('hour', TimeGenerated)
| where HourOfDay < operational_start_hour or HourOfDay >= operational_end_hour
| project TimeGenerated, UserPrincipalName, SourceIp, DestinationIp, DestinationPort, Action, DeviceId, DeviceOperatingSystem, ConnectionId
@@ -36,5 +37,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
-version: 1.0.1
-kind: Scheduled
+version: 1.0.2
+kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml b/Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml
deleted file mode 100644
index b518991bcb6..00000000000
--- a/Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-id: 57abf863-1c1e-46c6-85b2-35370b712c1e
-name: GSA - Detect IP Address Changes and Overlapping Sessions
-description: |
- This query identifies network sessions based on DeviceId and UserPrincipalName, then checks for changed IP addresses and overlapping session times.
-severity: High
-status: Available
-requiredDataConnectors:
- - connectorId: AzureActiveDirectory
- dataTypes:
- - EnrichedMicrosoft365AuditLogs
-queryFrequency: 1h
-queryPeriod: 24h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1078
- - T1133
-query: |
- // Identify sessions
- let sessions =
- NetworkAccessTraffic
- | summarize
- StartTime = min(TimeGenerated),
- EndTime = max(TimeGenerated),
- SourceIps = make_set(SourceIp)
- by DeviceId, UserPrincipalName, SessionId
- | sort by StartTime asc;
- // Check for changed IP addresses and overlapping session times
- sessions
- | extend PreviousSourceIps = prev(SourceIps, 1)
- | extend PreviousEndTime = prev(EndTime, 1)
- | extend PreviousDeviceId = prev(DeviceId, 1)
- | extend PreviousUserPrincipalName = prev(UserPrincipalName, 1)
- | where DeviceId == PreviousDeviceId
- and UserPrincipalName == PreviousUserPrincipalName
- | where array_length(set_difference(SourceIps, PreviousSourceIps)) > 0 // Check if the current and previous IP sets differ
- | where PreviousEndTime > StartTime // Check for overlapping session times
- | project
- DeviceId,
- UserPrincipalName,
- SourceIps,
- PreviousSourceIps,
- StartTime,
- EndTime,
- PreviousEndTime
- | extend
- IPCustomEntity = tostring(array_slice(SourceIps, 0, 1)[0]),
- PreviousIPCustomEntity = tostring(array_slice(PreviousSourceIps, 0, 1)[0]),
- AccountCustomEntity = UserPrincipalName
-entityMappings:
- - entityType: Account
- fieldMappings:
- - identifier: Name
- columnName: AccountCustomEntity
- - entityType: IP
- fieldMappings:
- - identifier: Address
- columnName: IPCustomEntity
-version: 1.0.2
-kind: Scheduled
diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml
index 8cae3de7ca2..63a64ea79cb 100644
--- a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml
@@ -2,12 +2,13 @@ id: e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b
name: GSA - Detect Abnormal Deny Rate for Source to Destination IP
description: |
Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules.
-configurableParameters:
- - minimumOfStdsThreshold: The number of stds to use in the threshold calculation. Default is set to 3.
- - learningPeriodTime: Learning period for threshold calculation in days. Default is set to 5.
- - binTime: Learning buckets time in hours. Default is set to 1 hour.
- - minimumThreshold: Minimum threshold for alert. Default is set to 5.
- - minimumBucketThreshold: Minimum learning buckets threshold for alert. Default is set to 5.
+
+ Configurable Parameters:
+ - minimumOfStdsThreshold: The number of stds to use in the threshold calculation. Default is set to 3.
+ - learningPeriodTime: Learning period for threshold calculation in days. Default is set to 5.
+ - binTime: Learning buckets time in hours. Default is set to 1 hour.
+ - minimumThreshold: Minimum threshold for alert. Default is set to 5.
+ - minimumBucketThreshold: Minimum learning buckets threshold for alert. Default is set to 5.
severity: Medium
status: Available
requiredDataConnectors:
@@ -30,11 +31,11 @@ query: |
let MinThreshold = 5.0;
let MinLearningBuckets = 5;
let TrafficLogs = NetworkAccessTraffic
- | where Action == 'Denied'
+ | where Action == "Denied"
| where isnotempty(DestinationIp) and isnotempty(SourceIp);
let LearningSrcIpDenyRate = TrafficLogs
| where TimeGenerated between (ago(LearningPeriod + 1d) .. ago(1d))
- | summarize count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp
+ | summarize count_ = count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp
| summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, DestinationIp
| where LearningTimeBuckets > MinLearningBuckets;
let AlertTimeSrcIpDenyRate = TrafficLogs
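Review bot: The baseline built at the new `summarize count_ = count()` line only yields a row for bins in which at least one deny occurred, so `avg(count_)` and `stdev(count_)` are computed over active bins and never see the zero bins; for a source/destination pair that is quiet most of the day the learned mean and threshold are inflated and the detection is less sensitive than the "normal average and standard deviation" in the description implies. If that is not intended, build the baseline with `make-series ... default = 0` so empty bins are counted, while keeping `MinLearningBuckets` as a count of non-empty bins so the bucket floor keeps its current meaning. Separately, `LearningTimeBuckets > MinLearningBuckets` is strict, so with the default of 5 a pair needs six learning bins, whereas the description says "Minimum learning buckets threshold ... Default is set to 5"; `>=` or a corrected description would align them. The `AlertTimeSrcIpDenyRate` definition that starts on the last context line continues outside this hunk.
```kql
let LearningSrcIpDenyRate = TrafficLogs
    | make-series count_ = count() default = 0 on TimeGenerated from ago(LearningPeriod + 1d) to ago(1d) step BinTime by SourceIp, DestinationIp
    | mv-expand count_ to typeof(long)
    | summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = countif(count_ > 0) by SourceIp, DestinationIp
    | where LearningTimeBuckets > MinLearningBuckets;
// … unchanged: AlertTimeSrcIpDenyRate definition and join …
```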
@@ -44,7 +45,7 @@ query: |
| join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, DestinationIp
| extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)
| where AlertTimeSrcIpDenyRateCount > LearningThreshold
- | project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold
+ | project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold
entityMappings:
- entityType: IP
fieldMappings:
@@ -54,5 +55,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: DestinationIp
-version: 1.0.1
-kind: Scheduled
+version: 1.0.2
+kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml
index a195c01775c..a40a457d7f9 100644
--- a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml
@@ -1,17 +1,17 @@
id: f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a
name: GSA - Detect Protocol Changes for Destination Ports
description: |
- Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes.
-
-Configurable Parameters:
- - Learning period - the time range to establish the baseline. Default is set to 7 days.
- - Run time - the time range for current analysis. Default is set to 1 day.
+ Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline.
+ This can indicate potential protocol misuse or configuration changes.
+ Configurable Parameters:
+ - Learning period: The time range to establish the baseline. Default is set to 7 days.
+ - Run time: The time range for current analysis. Default is set to 1 day.
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- - EnrichedMicrosoft365AuditLogs
+ - NetworkAccessTrafficLogs
queryFrequency: 1h
queryPeriod: 8d
triggerOperator: gt
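Review bot: `queryFrequency: 1h` combined with the description's "Run time ... Default is set to 1 day" means each hourly run re-examines the same 24-hour window, so a single protocol change on a port will raise a fresh alert on every run for up to a day unless suppression or incident grouping is configured on the rule instance; either align the schedule with the run-time window (`queryFrequency: 1d`), keep hourly runs and shrink the run-time window to match, or at least state in the description that repeated alerts for the same change are expected. I can't see the query body in this hunk, so if it already restricts the analysed window to the last hour this does not apply. The `NetworkAccessTrafficLogs` data type is the same value used in the other two rules in this change; confirm it matches the connector's declared type rather than the `NetworkAccessTraffic` table name the queries read.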
@@ -50,5 +50,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: FqdnCustomEntity
-version: 1.0.1
-kind: Scheduled
+version: 1.0.2
+kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml
index 9cb257bc4b7..74f63b52357 100644
--- a/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml
@@ -2,15 +2,15 @@ id: 82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1
name: GSA - Detect Source IP Scanning Multiple Open Ports
description: |
Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.
-Configurable Parameters:
- - Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds.
- - Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100.
+ Configurable Parameters:
+ - Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds.
+ - Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100.
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- - EnrichedMicrosoft365AuditLogs
+ - NetworkAccessTrafficLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
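Review bot: `queryFrequency: 1d` with `queryPeriod: 1d` means a port scan is surfaced up to 24 hours after it happens, which is a long delay for a reconnaissance signal the description says is measured over a 30-second window; unless daily batching is a deliberate cost decision, `queryFrequency: 1h` with `queryPeriod: 1h` keeps the same logic at hourly latency. With period equal to frequency there is no overlap between runs, so a scan that straddles a run boundary is split across two evaluations and may stay under the 100-port threshold in both; a slightly longer period (e.g. `queryPeriod: 2h`) avoids that at the cost of occasional duplicate alerts. The query is outside this hunk, so whether it bins on the 30-second window itself is not visible here.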
@@ -37,5 +37,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: DestinationFqdn
-version: 1.0.1
-kind: Scheduled
+version: 1.0.2
+kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Global Secure Access/Data/Solution_GlobalSecureAccess.json b/Solutions/Global Secure Access/Data/Solution_GlobalSecureAccess.json
index abe547db913..184af92ad2f 100644
--- a/Solutions/Global Secure Access/Data/Solution_GlobalSecureAccess.json
+++ b/Solutions/Global Secure Access/Data/Solution_GlobalSecureAccess.json
@@ -12,7 +12,6 @@
],
"Analytic Rules": [
"Analytic Rules/Identity - AfterHoursActivity.yaml",
- "Analytic Rules/Identity - SharedSessions.yaml",
"Analytic Rules/Office 365 - exchange_auditlogdisabled.yaml",
"Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml",
"Analytic Rules/Office 365 - ExternalUserAddedRemovedInTeams.yaml",
diff --git a/Solutions/Global Secure Access/Package/3.0.0.zip b/Solutions/Global Secure Access/Package/3.0.0.zip
index 6145e17ffcd..b522ab0c58b 100644
Binary files a/Solutions/Global Secure Access/Package/3.0.0.zip and b/Solutions/Global Secure Access/Package/3.0.0.zip differ
diff --git a/Solutions/Global Secure Access/Package/createUiDefinition.json b/Solutions/Global Secure Access/Package/createUiDefinition.json
index f3d85d5a148..c7c7e00ec0d 100644
--- a/Solutions/Global Secure Access/Package/createUiDefinition.json
+++ b/Solutions/Global Secure Access/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Global%20Secure%20Access/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Global Secure Access](https://aka.ms/GlobalSecureAccess) is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution requires one of the product solutions below.\n\n**Prerequisite:**\n\nInstall one or more of the listed solutions to unlock the value provided by this solution.\n1. Microsoft Entra ID \n\n**Underlying Microsoft Technologies used:**\n\nThis solution depends on the following technologies, and some of these dependencies may either be in Preview state or might result in additional ingestion or operational costs:\n1. Product solutions as described above\n\n\n**Workbooks:** 2, **Analytic Rules:** 19, **Hunting Queries:** 21\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Global%20Secure%20Access/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Global Secure Access](https://aka.ms/GlobalSecureAccess) is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution requires one of the product solutions below.\n\n**Prerequisite:**\n\nInstall one or more of the listed solutions to unlock the value provided by this solution.\n1. Microsoft Entra ID \n\n**Underlying Microsoft Technologies used:**\n\nThis solution depends on the following technologies, and some of these dependencies may either be in Preview state or might result in additional ingestion or operational costs:\n1. Product solutions as described above\n\n\n**Workbooks:** 2, **Analytic Rules:** 18, **Hunting Queries:** 21\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -150,13 +150,13 @@
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
- "label": "GSA - Detect IP Address Changes and Overlapping Sessions",
+ "label": "GSA Enriched Office 365 - Exchange AuditLog Disabled",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This query identifies network sessions based on DeviceId and UserPrincipalName, then checks for changed IP addresses and overlapping session times."
+ "text": "Identifies when the Exchange audit logging has been disabled, which may indicate an adversary attempt to evade detection or bypass other defenses."
}
}
]
@@ -164,13 +164,13 @@
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - Exchange AuditLog Disabled",
+ "label": "GSA Enriched Office 365 - Accessed files shared by temporary external user",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies when the Exchange audit logging has been disabled, which may indicate an adversary attempt to evade detection or bypass other defenses."
+ "text": "This detection identifies when an external user is added to a Team or Teams chat and shares a file which is accessed by many users (>10) and the users is removed within short period of time. This might be an indicator of suspicious activity."
}
}
]
@@ -178,13 +178,13 @@
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - Accessed files shared by temporary external user",
+ "label": "GSA Enriched Office 365 - External User Added and Removed in Short Timeframe",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This detection identifies when an external user is added to a Team or Teams chat and shares a file which is accessed by many users (>10) and the users is removed within short period of time. This might be an indicator of suspicious activity."
+ "text": "This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour."
}
}
]
@@ -192,13 +192,13 @@
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - External User Added and Removed in Short Timeframe",
+ "label": "GSA Enriched Office 365 - Mail Redirect via ExO Transport Rule",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour."
+ "text": "Identifies when an Exchange Online transport rule is configured to forward emails.\nThis could indicate an adversary mailbox configured to collect mail from multiple user accounts."
}
}
]
@@ -206,13 +206,13 @@
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - Mail Redirect via ExO Transport Rule",
+ "label": "GSA Enriched Office 365 - Malicious Inbox Rule",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies when an Exchange Online transport rule is configured to forward emails.\nThis could indicate an adversary mailbox configured to collect mail from multiple user accounts."
+ "text": "Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\nThis is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/"
}
}
]
@@ -220,13 +220,13 @@
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - Malicious Inbox Rule",
+ "label": "GSA Enriched Office 365 - Multiple Teams deleted by a single user",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\nThis is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/"
+ "text": "This detection flags the occurrences of deleting multiple teams within a day.\nThis data is a part of Office 365 Connector in Microsoft Sentinel."
}
}
]
@@ -234,13 +234,13 @@
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - Multiple Teams deleted by a single user",
+ "label": "GSA Enriched Office 365 - Multiple Users Email Forwarded to Same Destination",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This detection flags the occurrences of deleting multiple teams within a day.\nThis data is a part of Office 365 Connector in Microsoft Sentinel."
+ "text": "Identifies when multiple (more than one) users' mailboxes are configured to forward to the same destination. \nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts."
}
}
]
@@ -248,13 +248,13 @@
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - Multiple Users Email Forwarded to Same Destination",
+ "label": "GSA Enriched Office 365 - Office Policy Tampering",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies when multiple (more than one) users' mailboxes are configured to forward to the same destination. \nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts."
+ "text": "Identifies if any tampering is done to either audit log, ATP Safelink, SafeAttachment, AntiPhish, or Dlp policy. \nAn adversary may use this technique to evade detection or avoid other policy-based defenses.\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps."
}
}
]
@@ -262,13 +262,13 @@
{
"name": "analytic10",
"type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - Office Policy Tampering",
+ "label": "GSA Enriched Office 365 - New Executable via Office FileUploaded Operation",
"elements": [
{
"name": "analytic10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies if any tampering is done to either audit log, ATP Safelink, SafeAttachment, AntiPhish, or Dlp policy. \nAn adversary may use this technique to evade detection or avoid other policy-based defenses.\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps."
+ "text": "Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\nList currently includes exe, inf, gzip, cmd, bat file extensions.\nAdditionally, identifies when a given user is uploading these files to another user's workspace.\nThis may be an indication of a staging location for malware or other malicious activity."
}
}
]
@@ -276,13 +276,13 @@
{
"name": "analytic11",
"type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - New Executable via Office FileUploaded Operation",
+ "label": "GSA Enriched Office 365 - Rare and Potentially High-Risk Office Operations",
"elements": [
{
"name": "analytic11-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\nList currently includes exe, inf, gzip, cmd, bat file extensions.\nAdditionally, identifies when a given user is uploading these files to another user's workspace.\nThis may be an indication of a staging location for malware or other malicious activity."
+ "text": "Identifies Office operations that are typically rare and can provide capabilities useful to attackers."
}
}
]
@@ -290,13 +290,13 @@
{
"name": "analytic12",
"type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - Rare and Potentially High-Risk Office Operations",
+ "label": "GSA Enriched Office 365 - SharePoint File Operation via Previously Unseen IPs",
"elements": [
{
"name": "analytic12-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies Office operations that are typically rare and can provide capabilities useful to attackers."
+ "text": "Identifies anomalies using user behavior by setting a threshold for significant changes in file upload/download activities from new IP addresses. It establishes a baseline of typical behavior, compares it to recent activity, and flags deviations exceeding a default threshold of 25."
}
}
]
@@ -304,13 +304,13 @@
{
"name": "analytic13",
"type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - SharePoint File Operation via Previously Unseen IPs",
+ "label": "GSA Enriched Office 365 - SharePointFileOperation via devices with previously unseen user agents",
"elements": [
{
"name": "analytic13-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies anomalies using user behavior by setting a threshold for significant changes in file upload/download activities from new IP addresses. It establishes a baseline of typical behavior, compares it to recent activity, and flags deviations exceeding a default threshold of 25."
+ "text": "Identifies anomalies if the number of documents uploaded or downloaded from device(s) associated with a previously unseen user agent exceeds a threshold (default is 5) and deviation (default is 25%)."
}
}
]
@@ -318,13 +318,13 @@
{
"name": "analytic14",
"type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - SharePointFileOperation via devices with previously unseen user agents",
+ "label": "GSA Enriched Office 365 - Sharepoint File Transfer Above Threshold",
"elements": [
{
"name": "analytic14-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies anomalies if the number of documents uploaded or downloaded from device(s) associated with a previously unseen user agent exceeds a threshold (default is 5) and deviation (default is 25%)."
+ "text": "Identifies Office365 SharePoint file transfers above a certain threshold in a 15-minute time period.\nPlease note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur."
}
}
]
@@ -338,7 +338,7 @@
"name": "analytic15-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies Office365 SharePoint file transfers above a certain threshold in a 15-minute time period.\nPlease note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur."
+ "text": "Identifies Office365 SharePoint file transfers with a distinct folder count above a certain threshold in a 15-minute time period. Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur."
}
}
]
@@ -346,13 +346,13 @@
{
"name": "analytic16",
"type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - Sharepoint File Transfer Above Threshold",
+ "label": "GSA - Detect Abnormal Deny Rate for Source to Destination IP",
"elements": [
{
"name": "analytic16-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies Office365 SharePoint file transfers with a distinct folder count above a certain threshold in a 15-minute time period. Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur."
+ "text": "Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules.\n\nConfigurable Parameters:\n - minimumOfStdsThreshold: The number of stds to use in the threshold calculation. Default is set to 3.\n - learningPeriodTime: Learning period for threshold calculation in days. Default is set to 5.\n - binTime: Learning buckets time in hours. Default is set to 1 hour.\n - minimumThreshold: Minimum threshold for alert. Default is set to 5.\n - minimumBucketThreshold: Minimum learning buckets threshold for alert. Default is set to 5."
}
}
]
@@ -360,13 +360,13 @@
{
"name": "analytic17",
"type": "Microsoft.Common.Section",
- "label": "GSA - Detect Abnormal Deny Rate for Source to Destination IP",
+ "label": "GSA - Detect Protocol Changes for Destination Ports",
"elements": [
{
"name": "analytic17-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules."
+ "text": "Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline.\nThis can indicate potential protocol misuse or configuration changes.\nConfigurable Parameters:\n- Learning period: The time range to establish the baseline. Default is set to 7 days.\n- Run time: The time range for current analysis. Default is set to 1 day."
}
}
]
@@ -374,27 +374,13 @@
{
"name": "analytic18",
"type": "Microsoft.Common.Section",
- "label": "GSA - Detect Protocol Changes for Destination Ports",
- "elements": [
- {
- "name": "analytic18-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes."
- }
- }
- ]
- },
- {
- "name": "analytic19",
- "type": "Microsoft.Common.Section",
"label": "GSA - Detect Source IP Scanning Multiple Open Ports",
"elements": [
{
- "name": "analytic19-text",
+ "name": "analytic18-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access."
+ "text": "Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.\n Configurable Parameters:\n - Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds.\n - Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100."
}
}
]
diff --git a/Solutions/Global Secure Access/Package/mainTemplate.json b/Solutions/Global Secure Access/Package/mainTemplate.json
index 4f1d323bb5b..f866ea7d3d5 100644
--- a/Solutions/Global Secure Access/Package/mainTemplate.json
+++ b/Solutions/Global Secure Access/Package/mainTemplate.json
@@ -66,137 +66,130 @@
"_workbookContentId2": "[variables('workbookContentId2')]",
"_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]",
"analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.1",
+ "analyticRuleVersion1": "1.0.2",
"_analyticRulecontentId1": "4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa','-', '1.0.1')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa','-', '1.0.2')))]"
},
"analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.2",
- "_analyticRulecontentId2": "57abf863-1c1e-46c6-85b2-35370b712c1e",
- "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '57abf863-1c1e-46c6-85b2-35370b712c1e')]",
- "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('57abf863-1c1e-46c6-85b2-35370b712c1e')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','57abf863-1c1e-46c6-85b2-35370b712c1e','-', '1.0.2')))]"
+ "analyticRuleVersion2": "2.0.8",
+ "_analyticRulecontentId2": "dc451755-8ab3-4059-b805-e454c45d1d44",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dc451755-8ab3-4059-b805-e454c45d1d44')]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dc451755-8ab3-4059-b805-e454c45d1d44')))]",
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dc451755-8ab3-4059-b805-e454c45d1d44','-', '2.0.8')))]"
},
"analyticRuleObject3": {
- "analyticRuleVersion3": "2.0.8",
- "_analyticRulecontentId3": "dc451755-8ab3-4059-b805-e454c45d1d44",
- "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dc451755-8ab3-4059-b805-e454c45d1d44')]",
- "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dc451755-8ab3-4059-b805-e454c45d1d44')))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dc451755-8ab3-4059-b805-e454c45d1d44','-', '2.0.8')))]"
+ "analyticRuleVersion3": "2.1.4",
+ "_analyticRulecontentId3": "4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac",
+ "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac')]",
+ "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac')))]",
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac','-', '2.1.4')))]"
},
"analyticRuleObject4": {
"analyticRuleVersion4": "2.1.4",
- "_analyticRulecontentId4": "4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac",
- "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac')]",
- "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac')))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac','-', '2.1.4')))]"
+ "_analyticRulecontentId4": "1a8f1297-23a4-4f09-a20b-90af8fc3641a",
+ "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1a8f1297-23a4-4f09-a20b-90af8fc3641a')]",
+ "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1a8f1297-23a4-4f09-a20b-90af8fc3641a')))]",
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1a8f1297-23a4-4f09-a20b-90af8fc3641a','-', '2.1.4')))]"
},
"analyticRuleObject5": {
- "analyticRuleVersion5": "2.1.4",
- "_analyticRulecontentId5": "1a8f1297-23a4-4f09-a20b-90af8fc3641a",
- "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1a8f1297-23a4-4f09-a20b-90af8fc3641a')]",
- "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1a8f1297-23a4-4f09-a20b-90af8fc3641a')))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1a8f1297-23a4-4f09-a20b-90af8fc3641a','-', '2.1.4')))]"
+ "analyticRuleVersion5": "2.1.5",
+ "_analyticRulecontentId5": "edcfc2e0-3134-434c-8074-9101c530d419",
+ "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'edcfc2e0-3134-434c-8074-9101c530d419')]",
+ "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('edcfc2e0-3134-434c-8074-9101c530d419')))]",
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edcfc2e0-3134-434c-8074-9101c530d419','-', '2.1.5')))]"
},
"analyticRuleObject6": {
- "analyticRuleVersion6": "2.1.5",
- "_analyticRulecontentId6": "edcfc2e0-3134-434c-8074-9101c530d419",
- "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'edcfc2e0-3134-434c-8074-9101c530d419')]",
- "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('edcfc2e0-3134-434c-8074-9101c530d419')))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edcfc2e0-3134-434c-8074-9101c530d419','-', '2.1.5')))]"
+ "analyticRuleVersion6": "2.0.6",
+ "_analyticRulecontentId6": "a9c76c8d-f60d-49ec-9b1f-bdfee6db3807",
+ "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a9c76c8d-f60d-49ec-9b1f-bdfee6db3807')]",
+ "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a9c76c8d-f60d-49ec-9b1f-bdfee6db3807')))]",
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a9c76c8d-f60d-49ec-9b1f-bdfee6db3807','-', '2.0.6')))]"
},
"analyticRuleObject7": {
"analyticRuleVersion7": "2.0.6",
- "_analyticRulecontentId7": "a9c76c8d-f60d-49ec-9b1f-bdfee6db3807",
- "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a9c76c8d-f60d-49ec-9b1f-bdfee6db3807')]",
- "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a9c76c8d-f60d-49ec-9b1f-bdfee6db3807')))]",
- "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a9c76c8d-f60d-49ec-9b1f-bdfee6db3807','-', '2.0.6')))]"
+ "_analyticRulecontentId7": "db60e4b6-a845-4f28-a18c-94ebbaad6c6c",
+ "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'db60e4b6-a845-4f28-a18c-94ebbaad6c6c')]",
+ "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('db60e4b6-a845-4f28-a18c-94ebbaad6c6c')))]",
+ "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','db60e4b6-a845-4f28-a18c-94ebbaad6c6c','-', '2.0.6')))]"
},
"analyticRuleObject8": {
- "analyticRuleVersion8": "2.0.6",
- "_analyticRulecontentId8": "db60e4b6-a845-4f28-a18c-94ebbaad6c6c",
- "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'db60e4b6-a845-4f28-a18c-94ebbaad6c6c')]",
- "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('db60e4b6-a845-4f28-a18c-94ebbaad6c6c')))]",
- "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','db60e4b6-a845-4f28-a18c-94ebbaad6c6c','-', '2.0.6')))]"
+ "analyticRuleVersion8": "2.0.5",
+ "_analyticRulecontentId8": "d75e8289-d1cb-44d4-bd59-2f44a9172478",
+ "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd75e8289-d1cb-44d4-bd59-2f44a9172478')]",
+ "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d75e8289-d1cb-44d4-bd59-2f44a9172478')))]",
+ "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d75e8289-d1cb-44d4-bd59-2f44a9172478','-', '2.0.5')))]"
},
"analyticRuleObject9": {
- "analyticRuleVersion9": "2.0.5",
- "_analyticRulecontentId9": "d75e8289-d1cb-44d4-bd59-2f44a9172478",
- "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd75e8289-d1cb-44d4-bd59-2f44a9172478')]",
- "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d75e8289-d1cb-44d4-bd59-2f44a9172478')))]",
- "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d75e8289-d1cb-44d4-bd59-2f44a9172478','-', '2.0.5')))]"
+ "analyticRuleVersion9": "2.0.6",
+ "_analyticRulecontentId9": "0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb",
+ "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb')]",
+ "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb')))]",
+ "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb','-', '2.0.6')))]"
},
"analyticRuleObject10": {
- "analyticRuleVersion10": "2.0.6",
- "_analyticRulecontentId10": "0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb",
- "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb')]",
- "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb')))]",
- "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb','-', '2.0.6')))]"
+ "analyticRuleVersion10": "2.0.7",
+ "_analyticRulecontentId10": "178c62b4-d5e5-40f5-8eab-7fccd0051e7a",
+ "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '178c62b4-d5e5-40f5-8eab-7fccd0051e7a')]",
+ "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('178c62b4-d5e5-40f5-8eab-7fccd0051e7a')))]",
+ "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','178c62b4-d5e5-40f5-8eab-7fccd0051e7a','-', '2.0.7')))]"
},
"analyticRuleObject11": {
"analyticRuleVersion11": "2.0.7",
- "_analyticRulecontentId11": "178c62b4-d5e5-40f5-8eab-7fccd0051e7a",
- "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '178c62b4-d5e5-40f5-8eab-7fccd0051e7a')]",
- "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('178c62b4-d5e5-40f5-8eab-7fccd0051e7a')))]",
- "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','178c62b4-d5e5-40f5-8eab-7fccd0051e7a','-', '2.0.7')))]"
+ "_analyticRulecontentId11": "433c254d-4b84-46f7-99ec-9dfefb5f6a7b",
+ "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '433c254d-4b84-46f7-99ec-9dfefb5f6a7b')]",
+ "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('433c254d-4b84-46f7-99ec-9dfefb5f6a7b')))]",
+ "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','433c254d-4b84-46f7-99ec-9dfefb5f6a7b','-', '2.0.7')))]"
},
"analyticRuleObject12": {
- "analyticRuleVersion12": "2.0.7",
- "_analyticRulecontentId12": "433c254d-4b84-46f7-99ec-9dfefb5f6a7b",
- "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '433c254d-4b84-46f7-99ec-9dfefb5f6a7b')]",
- "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('433c254d-4b84-46f7-99ec-9dfefb5f6a7b')))]",
- "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','433c254d-4b84-46f7-99ec-9dfefb5f6a7b','-', '2.0.7')))]"
+ "analyticRuleVersion12": "2.0.6",
+ "_analyticRulecontentId12": "7460e34e-4c99-47b2-b7c0-c42e339fc586",
+ "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7460e34e-4c99-47b2-b7c0-c42e339fc586')]",
+ "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7460e34e-4c99-47b2-b7c0-c42e339fc586')))]",
+ "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7460e34e-4c99-47b2-b7c0-c42e339fc586','-', '2.0.6')))]"
},
"analyticRuleObject13": {
- "analyticRuleVersion13": "2.0.6",
- "_analyticRulecontentId13": "7460e34e-4c99-47b2-b7c0-c42e339fc586",
- "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7460e34e-4c99-47b2-b7c0-c42e339fc586')]",
- "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7460e34e-4c99-47b2-b7c0-c42e339fc586')))]",
- "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7460e34e-4c99-47b2-b7c0-c42e339fc586','-', '2.0.6')))]"
+ "analyticRuleVersion13": "2.2.6",
+ "_analyticRulecontentId13": "efd17c5f-5167-40f8-a1e9-0818940785d9",
+ "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'efd17c5f-5167-40f8-a1e9-0818940785d9')]",
+ "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('efd17c5f-5167-40f8-a1e9-0818940785d9')))]",
+ "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','efd17c5f-5167-40f8-a1e9-0818940785d9','-', '2.2.6')))]"
},
"analyticRuleObject14": {
- "analyticRuleVersion14": "2.2.6",
- "_analyticRulecontentId14": "efd17c5f-5167-40f8-a1e9-0818940785d9",
- "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'efd17c5f-5167-40f8-a1e9-0818940785d9')]",
- "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('efd17c5f-5167-40f8-a1e9-0818940785d9')))]",
- "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','efd17c5f-5167-40f8-a1e9-0818940785d9','-', '2.2.6')))]"
+ "analyticRuleVersion14": "1.0.6",
+ "_analyticRulecontentId14": "30375d00-68cc-4f95-b89a-68064d566358",
+ "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '30375d00-68cc-4f95-b89a-68064d566358')]",
+ "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('30375d00-68cc-4f95-b89a-68064d566358')))]",
+ "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','30375d00-68cc-4f95-b89a-68064d566358','-', '1.0.6')))]"
},
"analyticRuleObject15": {
- "analyticRuleVersion15": "1.0.6",
- "_analyticRulecontentId15": "30375d00-68cc-4f95-b89a-68064d566358",
- "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '30375d00-68cc-4f95-b89a-68064d566358')]",
- "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('30375d00-68cc-4f95-b89a-68064d566358')))]",
- "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','30375d00-68cc-4f95-b89a-68064d566358','-', '1.0.6')))]"
+ "analyticRuleVersion15": "2.0.8",
+ "_analyticRulecontentId15": "abd6976d-8f71-4851-98c4-4d086201319c",
+ "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'abd6976d-8f71-4851-98c4-4d086201319c')]",
+ "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('abd6976d-8f71-4851-98c4-4d086201319c')))]",
+ "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','abd6976d-8f71-4851-98c4-4d086201319c','-', '2.0.8')))]"
},
"analyticRuleObject16": {
- "analyticRuleVersion16": "2.0.8",
- "_analyticRulecontentId16": "abd6976d-8f71-4851-98c4-4d086201319c",
- "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'abd6976d-8f71-4851-98c4-4d086201319c')]",
- "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('abd6976d-8f71-4851-98c4-4d086201319c')))]",
- "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','abd6976d-8f71-4851-98c4-4d086201319c','-', '2.0.8')))]"
+ "analyticRuleVersion16": "1.0.2",
+ "_analyticRulecontentId16": "e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b",
+ "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b')]",
+ "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b')))]",
+ "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b','-', '1.0.2')))]"
},
"analyticRuleObject17": {
- "analyticRuleVersion17": "1.0.1",
- "_analyticRulecontentId17": "e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b",
- "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b')]",
- "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b')))]",
- "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b','-', '1.0.1')))]"
+ "analyticRuleVersion17": "1.0.2",
+ "_analyticRulecontentId17": "f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a",
+ "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a')]",
+ "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a')))]",
+ "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a','-', '1.0.2')))]"
},
"analyticRuleObject18": {
- "analyticRuleVersion18": "1.0.1",
- "_analyticRulecontentId18": "f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a",
- "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a')]",
- "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a')))]",
- "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a','-', '1.0.1')))]"
- },
- "analyticRuleObject19": {
- "analyticRuleVersion19": "1.0.1",
- "_analyticRulecontentId19": "82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1",
- "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1')]",
- "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1')))]",
- "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1','-', '1.0.1')))]"
+ "analyticRuleVersion18": "1.0.2",
+ "_analyticRulecontentId18": "82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1",
+ "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1')]",
+ "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1')))]",
+ "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1','-', '1.0.2')))]"
},
"huntingQueryObject1": {
"huntingQueryVersion1": "2.0.3",
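Review bot: Four rules get a version bump in this hunk (`4c9f0a9e…` to 1.0.2 at object 1, and `e3b6a9e7…`, `f6a8d6a5…`, `82cfa6b9…` to 1.0.2 at objects 16–18), and because each `_analyticRulecontentProductId` is `uniqueString(contentId + version)` the product IDs of those four change while the IDs of the rules that merely shifted slot (e.g. `dc451755…` staying at 2.0.8) do not. The bumped versions must match the `version:` field in the corresponding rule YAML files, which are outside this hunk; a mismatch there would leave the packaged `contentTemplates` advertising a version the rule definition does not carry. Removing `57abf863…` from the variables block does not, as far as I can tell from this file, retract the template from workspaces where an earlier package version already deployed it, so the solution notes should presumably say that rule is retired.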
@@ -500,7 +493,7 @@
"description": "This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.",
"displayName": "GSA - Detect Connections Outside Operational Hours",
"enabled": false,
- "query": "let starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet operational_start_hour = 8; // Start of operational hours (8 AM)\nlet operational_end_hour = 18; // End of operational hours (6 PM)\nNetworkAccessTraffic\n| where TimeGenerated between(starttime .. endtime)\n| extend HourOfDay = datetime_part('hour', TimeGenerated)\n| where HourOfDay < operational_start_hour or HourOfDay >= operational_end_hour\n| project TimeGenerated, UserPrincipalName, SourceIp, DestinationIp, DestinationPort, Action, DeviceId, DeviceOperatingSystem, ConnectionId\n| extend IPCustomEntity = SourceIp, AccountCustomEntity = UserPrincipalName\n",
+ "query": "let starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet operational_start_hour = 8; // Start of operational hours (8 AM)\nlet operational_end_hour = 18; // End of operational hours (6 PM)\nNetworkAccessTraffic\n| where TimeGenerated between (starttime .. endtime)\n| extend HourOfDay = datetime_part('hour', TimeGenerated)\n| where HourOfDay < operational_start_hour or HourOfDay >= operational_end_hour\n| project TimeGenerated, UserPrincipalName, SourceIp, DestinationIp, DestinationPort, Action, DeviceId, DeviceOperatingSystem, ConnectionId\n| extend IPCustomEntity = SourceIp, AccountCustomEntity = UserPrincipalName\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT24H",
"severity": "High",
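Review bot: The only change on the `+ "query"` line is the whitespace in `between (…)`, but the query it reformats still computes `HourOfDay` from `datetime_part('hour', TimeGenerated)`, which is UTC, so the 08:00–18:00 window is only the organization's operational window when the organization runs on UTC; a rule advertised as "outside operational hours" will otherwise fire on the wrong hours. A site-specific zone has to come from the deployer, e.g. `| extend HourOfDay = datetime_part('hour', datetime_utc_to_local(TimeGenerated, '<ORG_TIMEZONE>'))` with `<ORG_TIMEZONE>` a placeholder, or at least a comment in the query noting that the hours are UTC. Separately, the `queryFrequency`/`queryPeriod` lines below show this is a scheduled rule, and as far as I know the `{{StartTimeISO}}`/`{{EndTimeISO}}` placeholders in the first two `let` lines are substituted only for hunting queries, with the lookback of a scheduled rule governed by `queryPeriod`; confirm those two `let` lines and the `between` filter actually evaluate as intended here. The enclosing rule object starts before this hunk.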
@@ -513,7 +506,7 @@
{
"connectorId": "AzureActiveDirectory",
"dataTypes": [
- "EnrichedMicrosoft365AuditLogs"
+ "NetworkAccessTrafficLogs"
]
}
],
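Review bot: The new `dataTypes` entry `"NetworkAccessTrafficLogs"` does not match the table the rule's query reads, `NetworkAccessTraffic` (visible on the `+ "query"` line in the previous hunk), so the required-data-connector check and the query refer to two different names. If the connector definition for `AzureActiveDirectory` exposes this data under the table name, the line should presumably read `"NetworkAccessTraffic"`; if the connector genuinely names the data type `NetworkAccessTrafficLogs`, a short comment or note in the rule YAML explaining the naming would save the next maintainer the same question. The same `dataTypes` value likely appears in the other Global Secure Access rules of this template, so whichever spelling is right should be applied consistently.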
@@ -526,22 +519,22 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -597,7 +590,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Identity - SharedSessions_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "Office 365 - exchange_auditlogdisabled_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -610,120 +603,6 @@
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
- "properties": {
- "description": "This query identifies network sessions based on DeviceId and UserPrincipalName, then checks for changed IP addresses and overlapping session times.",
- "displayName": "GSA - Detect IP Address Changes and Overlapping Sessions",
- "enabled": false,
- "query": "// Identify sessions\nlet sessions = \n NetworkAccessTraffic\n | summarize \n StartTime = min(TimeGenerated), \n EndTime = max(TimeGenerated), \n SourceIps = make_set(SourceIp) \n by DeviceId, UserPrincipalName, SessionId\n | sort by StartTime asc;\n// Check for changed IP addresses and overlapping session times\nsessions\n | extend PreviousSourceIps = prev(SourceIps, 1)\n | extend PreviousEndTime = prev(EndTime, 1)\n | extend PreviousDeviceId = prev(DeviceId, 1)\n | extend PreviousUserPrincipalName = prev(UserPrincipalName, 1)\n | where DeviceId == PreviousDeviceId \n and UserPrincipalName == PreviousUserPrincipalName\n | where array_length(set_difference(SourceIps, PreviousSourceIps)) > 0 // Check if the current and previous IP sets differ\n | where PreviousEndTime > StartTime // Check for overlapping session times\n | project \n DeviceId, \n UserPrincipalName, \n SourceIps, \n PreviousSourceIps, \n StartTime, \n EndTime, \n PreviousEndTime\n | extend \n IPCustomEntity = tostring(array_slice(SourceIps, 0, 1)[0]), \n PreviousIPCustomEntity = tostring(array_slice(PreviousSourceIps, 0, 1)[0]), \n AccountCustomEntity = UserPrincipalName\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT24H",
- "severity": "High",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "connectorId": "AzureActiveDirectory",
- "dataTypes": [
- "EnrichedMicrosoft365AuditLogs"
- ]
- }
- ],
- "tactics": [
- "InitialAccess"
- ],
- "techniques": [
- "T1078",
- "T1133"
- ],
- "entityMappings": [
- {
- "entityType": "Account",
- "fieldMappings": [
- {
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
- }
- ]
- },
- {
- "entityType": "IP",
- "fieldMappings": [
- {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
- }
- ]
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
- "properties": {
- "description": "Global Secure Access Analytics Rule 2",
- "parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
- "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
- "source": {
- "kind": "Solution",
- "name": "Global Secure Access",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "tier": "Partner",
- "name": "Microsoft Corporation",
- "email": "GSASentinelSupport@microsoft.com",
- "link": "https://learn.microsoft.com/en-us/entra/global-secure-access/overview-what-is-global-secure-access"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
- "contentKind": "AnalyticsRule",
- "displayName": "GSA - Detect IP Address Changes and Overlapping Sessions",
- "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
- "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
- "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Office 365 - exchange_auditlogdisabled_AnalyticalRules Analytics Rule with template version 3.0.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
- "apiVersion": "2023-02-01-preview",
- "kind": "Scheduled",
- "location": "[parameters('workspace-location')]",
"properties": {
"description": "Identifies when the Exchange audit logging has been disabled, which may indicate an adversary attempt to evade detection or bypass other defenses.",
"displayName": "GSA Enriched Office 365 - Exchange AuditLog Disabled",
@@ -759,30 +638,30 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserId"
+ "columnName": "UserId",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "ClientIP"
+ "columnName": "ClientIP",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -790,13 +669,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
"properties": {
- "description": "Global Secure Access Analytics Rule 3",
- "parentId": "[variables('analyticRuleObject3').analyticRuleId3]",
- "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "description": "Global Secure Access Analytics Rule 2",
+ "parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject3').analyticRuleVersion3]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"source": {
"kind": "Solution",
"name": "Global Secure Access",
@@ -821,18 +700,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"contentKind": "AnalyticsRule",
"displayName": "GSA Enriched Office 365 - Exchange AuditLog Disabled",
- "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
- "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
- "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
+ "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]",
+ "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -841,13 +720,13 @@
"description": "Office 365 - External User added to Team and immediately uploads file_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
+ "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -886,55 +765,55 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "MemberAdded"
+ "columnName": "MemberAdded",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "MemberAddedAccountName"
+ "columnName": "MemberAddedAccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "MemberAddedAccountUPNSuffix"
+ "columnName": "MemberAddedAccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserWhoAdded"
+ "columnName": "UserWhoAdded",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "UserWhoAddedAccountName"
+ "columnName": "UserWhoAddedAccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "UserWhoAddedAccountUPNSuffix"
+ "columnName": "UserWhoAddedAccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserWhoDeleted"
+ "columnName": "UserWhoDeleted",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "UserWhoDeletedAccountName"
+ "columnName": "UserWhoDeletedAccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "UserWhoDeletedAccountUPNSuffix"
+ "columnName": "UserWhoDeletedAccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
- ]
+ ],
+ "entityType": "Account"
}
]
}
@@ -942,13 +821,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]",
"properties": {
- "description": "Global Secure Access Analytics Rule 4",
- "parentId": "[variables('analyticRuleObject4').analyticRuleId4]",
- "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "description": "Global Secure Access Analytics Rule 3",
+ "parentId": "[variables('analyticRuleObject3').analyticRuleId3]",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject4').analyticRuleVersion4]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"source": {
"kind": "Solution",
"name": "Global Secure Access",
@@ -973,18 +852,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"contentKind": "AnalyticsRule",
"displayName": "GSA Enriched Office 365 - Accessed files shared by temporary external user",
- "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
- "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
- "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
+ "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
+ "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]",
+ "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -993,13 +872,13 @@
"description": "Office 365 - ExternalUserAddedRemovedInTeams_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
+ "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -1038,64 +917,64 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "MemberAdded_Removed"
+ "columnName": "MemberAdded_Removed",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "MemberAdded_RemovedAccountName"
+ "columnName": "MemberAdded_RemovedAccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "MemberAdded_RemovedAccountUPNSuffix"
+ "columnName": "MemberAdded_RemovedAccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserWhoAdded"
+ "columnName": "UserWhoAdded",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "UserWhoAddedAccountName"
+ "columnName": "UserWhoAddedAccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "UserWhoAddedAccountUPNSuffix"
+ "columnName": "UserWhoAddedAccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserWhoDeleted"
+ "columnName": "UserWhoDeleted",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "UserWhoDeletedAccountName"
+ "columnName": "UserWhoDeletedAccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "UserWhoDeletedAccountUPNSuffix"
+ "columnName": "UserWhoDeletedAccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "ClientIP"
+ "columnName": "ClientIP",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -1103,13 +982,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]",
"properties": {
- "description": "Global Secure Access Analytics Rule 5",
- "parentId": "[variables('analyticRuleObject5').analyticRuleId5]",
- "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "description": "Global Secure Access Analytics Rule 4",
+ "parentId": "[variables('analyticRuleObject4').analyticRuleId4]",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject5').analyticRuleVersion5]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"source": {
"kind": "Solution",
"name": "Global Secure Access",
@@ -1134,18 +1013,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"contentKind": "AnalyticsRule",
"displayName": "GSA Enriched Office 365 - External User Added and Removed in Short Timeframe",
- "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
- "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
- "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
+ "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
+ "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]",
+ "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1154,13 +1033,13 @@
"description": "Office 365 - Mail_redirect_via_ExO_transport_rule_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
+ "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -1201,30 +1080,30 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserId"
+ "columnName": "UserId",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPAddress"
+ "columnName": "IPAddress",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -1232,13 +1111,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]",
"properties": {
- "description": "Global Secure Access Analytics Rule 6",
- "parentId": "[variables('analyticRuleObject6').analyticRuleId6]",
- "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "description": "Global Secure Access Analytics Rule 5",
+ "parentId": "[variables('analyticRuleObject5').analyticRuleId5]",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject6').analyticRuleVersion6]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]",
"source": {
"kind": "Solution",
"name": "Global Secure Access",
@@ -1263,18 +1142,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"contentKind": "AnalyticsRule",
"displayName": "GSA Enriched Office 365 - Mail Redirect via ExO Transport Rule",
- "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
- "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
- "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
+ "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
+ "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]",
+ "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1283,13 +1162,13 @@
"description": "Office 365 - Malicious_Inbox_Rule_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
+ "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -1330,30 +1209,30 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserId"
+ "columnName": "UserId",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "ClientIPAddress"
+ "columnName": "ClientIPAddress",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -1361,13 +1240,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]",
"properties": {
- "description": "Global Secure Access Analytics Rule 7",
- "parentId": "[variables('analyticRuleObject7').analyticRuleId7]",
- "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "description": "Global Secure Access Analytics Rule 6",
+ "parentId": "[variables('analyticRuleObject6').analyticRuleId6]",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject7').analyticRuleVersion7]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]",
"source": {
"kind": "Solution",
"name": "Global Secure Access",
@@ -1392,18 +1271,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"contentKind": "AnalyticsRule",
"displayName": "GSA Enriched Office 365 - Malicious Inbox Rule",
- "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
- "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
- "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
+ "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
+ "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]",
+ "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1412,13 +1291,13 @@
"description": "Office 365 - MultipleTeamsDeletes_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
+ "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -1458,21 +1337,21 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserId"
+ "columnName": "UserId",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
- ]
+ ],
+ "entityType": "Account"
}
]
}
@@ -1480,13 +1359,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]",
"properties": {
- "description": "Global Secure Access Analytics Rule 8",
- "parentId": "[variables('analyticRuleObject8').analyticRuleId8]",
- "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "description": "Global Secure Access Analytics Rule 7",
+ "parentId": "[variables('analyticRuleObject7').analyticRuleId7]",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject8').analyticRuleVersion8]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]",
"source": {
"kind": "Solution",
"name": "Global Secure Access",
@@ -1511,18 +1390,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
"contentKind": "AnalyticsRule",
"displayName": "GSA Enriched Office 365 - Multiple Teams deleted by a single user",
- "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
- "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
- "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
+ "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
+ "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]",
+ "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1531,13 +1410,13 @@
"description": "Office 365 - Office_MailForwarding_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
+ "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -1578,30 +1457,30 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserId"
+ "columnName": "UserId",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "ClientIP"
+ "columnName": "ClientIP",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -1609,13 +1488,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]",
"properties": {
- "description": "Global Secure Access Analytics Rule 9",
- "parentId": "[variables('analyticRuleObject9').analyticRuleId9]",
- "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "description": "Global Secure Access Analytics Rule 8",
+ "parentId": "[variables('analyticRuleObject8').analyticRuleId8]",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject9').analyticRuleVersion9]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]",
"source": {
"kind": "Solution",
"name": "Global Secure Access",
@@ -1640,18 +1519,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
"contentKind": "AnalyticsRule",
"displayName": "GSA Enriched Office 365 - Multiple Users Email Forwarded to Same Destination",
- "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
- "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
- "version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
+ "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
+ "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]",
+ "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1660,13 +1539,13 @@
"description": "Office 365 - office_policytampering_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
+ "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -1707,30 +1586,30 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserId"
+ "columnName": "UserId",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "ClientIP"
+ "columnName": "ClientIP",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -1738,13 +1617,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]",
"properties": {
- "description": "Global Secure Access Analytics Rule 10",
- "parentId": "[variables('analyticRuleObject10').analyticRuleId10]",
- "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "description": "Global Secure Access Analytics Rule 9",
+ "parentId": "[variables('analyticRuleObject9').analyticRuleId9]",
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject10').analyticRuleVersion10]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]",
"source": {
"kind": "Solution",
"name": "Global Secure Access",
@@ -1769,18 +1648,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"contentKind": "AnalyticsRule",
"displayName": "GSA Enriched Office 365 - Office Policy Tampering",
- "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
- "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
- "version": "[variables('analyticRuleObject10').analyticRuleVersion10]"
+ "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
+ "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject11').analyticRuleTemplateSpecName11]",
+ "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1789,13 +1668,13 @@
"description": "Office 365 - Office_Uploaded_Executables_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]",
+ "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
+ "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -1836,48 +1715,48 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserId"
+ "columnName": "UserId",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "ClientIP"
+ "columnName": "ClientIP",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
},
{
- "entityType": "URL",
"fieldMappings": [
{
- "identifier": "Url",
- "columnName": "Site_Url"
+ "columnName": "Site_Url",
+ "identifier": "Url"
}
- ]
+ ],
+ "entityType": "URL"
},
{
- "entityType": "File",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "FileNames"
+ "columnName": "FileNames",
+ "identifier": "Name"
}
- ]
+ ],
+ "entityType": "File"
}
]
}
@@ -1885,13 +1764,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject11').analyticRuleId11,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]",
"properties": {
- "description": "Global Secure Access Analytics Rule 11",
- "parentId": "[variables('analyticRuleObject11').analyticRuleId11]",
- "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
+ "description": "Global Secure Access Analytics Rule 10",
+ "parentId": "[variables('analyticRuleObject10').analyticRuleId10]",
+ "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject11').analyticRuleVersion11]",
+ "version": "[variables('analyticRuleObject10').analyticRuleVersion10]",
"source": {
"kind": "Solution",
"name": "Global Secure Access",
@@ -1916,18 +1795,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
+ "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
"contentKind": "AnalyticsRule",
"displayName": "GSA Enriched Office 365 - New Executable via Office FileUploaded Operation",
- "contentProductId": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]",
- "id": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]",
- "version": "[variables('analyticRuleObject11').analyticRuleVersion11]"
+ "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
+ "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
+ "version": "[variables('analyticRuleObject10').analyticRuleVersion10]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject12').analyticRuleTemplateSpecName12]",
+ "name": "[variables('analyticRuleObject11').analyticRuleTemplateSpecName11]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1936,13 +1815,13 @@
"description": "Office 365 - RareOfficeOperations_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]",
+ "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
+ "name": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -1983,30 +1862,30 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserId"
+ "columnName": "UserId",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "ClientIPOnly"
+ "columnName": "ClientIPOnly",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -2014,13 +1893,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject12').analyticRuleId12,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject11').analyticRuleId11,'/'))))]",
"properties": {
- "description": "Global Secure Access Analytics Rule 12",
- "parentId": "[variables('analyticRuleObject12').analyticRuleId12]",
- "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
+ "description": "Global Secure Access Analytics Rule 11",
+ "parentId": "[variables('analyticRuleObject11').analyticRuleId11]",
+ "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject12').analyticRuleVersion12]",
+ "version": "[variables('analyticRuleObject11').analyticRuleVersion11]",
"source": {
"kind": "Solution",
"name": "Global Secure Access",
@@ -2045,18 +1924,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
+ "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
"contentKind": "AnalyticsRule",
"displayName": "GSA Enriched Office 365 - Rare and Potentially High-Risk Office Operations",
- "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]",
- "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]",
- "version": "[variables('analyticRuleObject12').analyticRuleVersion12]"
+ "contentProductId": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]",
+ "id": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]",
+ "version": "[variables('analyticRuleObject11').analyticRuleVersion11]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject13').analyticRuleTemplateSpecName13]",
+ "name": "[variables('analyticRuleObject12').analyticRuleTemplateSpecName12]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2065,13 +1944,13 @@
"description": "Office 365 - SharePoint_Downloads_byNewIP_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]",
+ "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject13')._analyticRulecontentId13]",
+ "name": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -2110,39 +1989,39 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserId"
+ "columnName": "UserId",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "ClientIP"
+ "columnName": "ClientIP",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
},
{
- "entityType": "URL",
"fieldMappings": [
{
- "identifier": "Url",
- "columnName": "Site_Url"
+ "columnName": "Site_Url",
+ "identifier": "Url"
}
- ]
+ ],
+ "entityType": "URL"
}
]
}
@@ -2150,13 +2029,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject13').analyticRuleId13,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject12').analyticRuleId12,'/'))))]",
"properties": {
- "description": "Global Secure Access Analytics Rule 13",
- "parentId": "[variables('analyticRuleObject13').analyticRuleId13]",
- "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]",
+ "description": "Global Secure Access Analytics Rule 12",
+ "parentId": "[variables('analyticRuleObject12').analyticRuleId12]",
+ "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject13').analyticRuleVersion13]",
+ "version": "[variables('analyticRuleObject12').analyticRuleVersion12]",
"source": {
"kind": "Solution",
"name": "Global Secure Access",
@@ -2181,18 +2060,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]",
+ "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
"contentKind": "AnalyticsRule",
"displayName": "GSA Enriched Office 365 - SharePoint File Operation via Previously Unseen IPs",
- "contentProductId": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]",
- "id": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]",
- "version": "[variables('analyticRuleObject13').analyticRuleVersion13]"
+ "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]",
+ "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]",
+ "version": "[variables('analyticRuleObject12').analyticRuleVersion12]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject14').analyticRuleTemplateSpecName14]",
+ "name": "[variables('analyticRuleObject13').analyticRuleTemplateSpecName13]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2201,13 +2080,13 @@
"description": "Office 365 - SharePoint_Downloads_byNewUserAgent_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]",
+ "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject14')._analyticRulecontentId14]",
+ "name": "[variables('analyticRuleObject13')._analyticRulecontentId13]",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -2246,39 +2125,39 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserId"
+ "columnName": "UserId",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "UserIdName"
+ "columnName": "UserIdName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "UserIdUPNSuffix"
+ "columnName": "UserIdUPNSuffix",
+ "identifier": "UPNSuffix"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "ClientIP"
+ "columnName": "ClientIP",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
},
{
- "entityType": "URL",
"fieldMappings": [
{
- "identifier": "Url",
- "columnName": "Site_Url"
+ "columnName": "Site_Url",
+ "identifier": "Url"
}
- ]
+ ],
+ "entityType": "URL"
}
]
}
@@ -2286,13 +2165,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject14').analyticRuleId14,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject13').analyticRuleId13,'/'))))]",
"properties": {
- "description": "Global Secure Access Analytics Rule 14",
- "parentId": "[variables('analyticRuleObject14').analyticRuleId14]",
- "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]",
+ "description": "Global Secure Access Analytics Rule 13",
+ "parentId": "[variables('analyticRuleObject13').analyticRuleId13]",
+ "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject14').analyticRuleVersion14]",
+ "version": "[variables('analyticRuleObject13').analyticRuleVersion13]",
"source": {
"kind": "Solution",
"name": "Global Secure Access",
@@ -2317,18 +2196,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]",
+ "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]",
"contentKind": "AnalyticsRule",
"displayName": "GSA Enriched Office 365 - SharePointFileOperation via devices with previously unseen user agents",
- "contentProductId": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]",
- "id": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]",
- "version": "[variables('analyticRuleObject14').analyticRuleVersion14]"
+ "contentProductId": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]",
+ "id": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]",
+ "version": "[variables('analyticRuleObject13').analyticRuleVersion13]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject15').analyticRuleTemplateSpecName15]",
+ "name": "[variables('analyticRuleObject14').analyticRuleTemplateSpecName14]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2337,13 +2216,13 @@
"description": "Office 365 - sharepoint_file_transfer_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]",
+ "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject15')._analyticRulecontentId15]",
+ "name": "[variables('analyticRuleObject14')._analyticRulecontentId14]",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -2382,39 +2261,39 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserId"
+ "columnName": "UserId",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "ClientIP"
+ "columnName": "ClientIP",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
},
{
- "entityType": "File",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "FileSample"
+ "columnName": "FileSample",
+ "identifier": "Name"
}
- ]
+ ],
+ "entityType": "File"
}
],
"customDetails": {
@@ -2424,9 +2303,9 @@
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
+ "lookbackDuration": "PT5H",
"reopenClosedIncident": false,
"matchingMethod": "Selected",
- "lookbackDuration": "PT5H",
"groupByEntities": [
"Account"
],
@@ -2438,13 +2317,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject15').analyticRuleId15,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject14').analyticRuleId14,'/'))))]",
"properties": {
- "description": "Global Secure Access Analytics Rule 15",
- "parentId": "[variables('analyticRuleObject15').analyticRuleId15]",
- "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]",
+ "description": "Global Secure Access Analytics Rule 14",
+ "parentId": "[variables('analyticRuleObject14').analyticRuleId14]",
+ "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject15').analyticRuleVersion15]",
+ "version": "[variables('analyticRuleObject14').analyticRuleVersion14]",
"source": {
"kind": "Solution",
"name": "Global Secure Access",
@@ -2469,18 +2348,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]",
+ "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]",
"contentKind": "AnalyticsRule",
"displayName": "GSA Enriched Office 365 - Sharepoint File Transfer Above Threshold",
- "contentProductId": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]",
- "id": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]",
- "version": "[variables('analyticRuleObject15').analyticRuleVersion15]"
+ "contentProductId": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]",
+ "id": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]",
+ "version": "[variables('analyticRuleObject14').analyticRuleVersion14]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject16').analyticRuleTemplateSpecName16]",
+ "name": "[variables('analyticRuleObject15').analyticRuleTemplateSpecName15]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
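Review bot: The displayName in this hunk's metadata block, `GSA Enriched Office 365 - Sharepoint File Transfer Above Threshold`, is identical to the displayName of the folders variant in the later hunk `@@ -2621,18 +2500,18 @@` (the template described as `sharepoint_file_transfer_folders_above_threshold_AnalyticalRules`), so the two rules cannot be told apart in the content hub or the analytics rule gallery, and the commit renumbers both without addressing it. The folders rule should name its scope, e.g. `"displayName": "GSA Enriched Office 365 - Sharepoint File Transfer Folders Above Threshold"`. Since this mainTemplate appears to be generated from the solution's YAML, the change belongs in that source file rather than here.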
@@ -2489,13 +2368,13 @@
"description": "Office 365 - sharepoint_file_transfer_folders_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]",
+ "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
+ "name": "[variables('analyticRuleObject15')._analyticRulecontentId15]",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -2534,39 +2413,39 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserId"
+ "columnName": "UserId",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "ClientIP"
+ "columnName": "ClientIP",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
},
{
- "entityType": "File",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "FileSample"
+ "columnName": "FileSample",
+ "identifier": "Name"
}
- ]
+ ],
+ "entityType": "File"
}
],
"customDetails": {
@@ -2576,9 +2455,9 @@
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
+ "lookbackDuration": "PT5H",
"reopenClosedIncident": false,
"matchingMethod": "Selected",
- "lookbackDuration": "PT5H",
"groupByEntities": [
"Account"
],
@@ -2590,13 +2469,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject16').analyticRuleId16,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject15').analyticRuleId15,'/'))))]",
"properties": {
- "description": "Global Secure Access Analytics Rule 16",
- "parentId": "[variables('analyticRuleObject16').analyticRuleId16]",
- "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
+ "description": "Global Secure Access Analytics Rule 15",
+ "parentId": "[variables('analyticRuleObject15').analyticRuleId15]",
+ "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject16').analyticRuleVersion16]",
+ "version": "[variables('analyticRuleObject15').analyticRuleVersion15]",
"source": {
"kind": "Solution",
"name": "Global Secure Access",
@@ -2621,18 +2500,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
+ "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]",
"contentKind": "AnalyticsRule",
"displayName": "GSA Enriched Office 365 - Sharepoint File Transfer Above Threshold",
- "contentProductId": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]",
- "id": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]",
- "version": "[variables('analyticRuleObject16').analyticRuleVersion16]"
+ "contentProductId": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]",
+ "id": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]",
+ "version": "[variables('analyticRuleObject15').analyticRuleVersion15]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject17').analyticRuleTemplateSpecName17]",
+ "name": "[variables('analyticRuleObject16').analyticRuleTemplateSpecName16]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2641,21 +2520,21 @@
"description": "SWG - Abnormal Deny Rate_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]",
+ "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
+ "name": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules.",
+ "description": "Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules.\n\nConfigurable Parameters:\n - minimumOfStdsThreshold: The number of stds to use in the threshold calculation. Default is set to 3.\n - learningPeriodTime: Learning period for threshold calculation in days. Default is set to 5.\n - binTime: Learning buckets time in hours. Default is set to 1 hour.\n - minimumThreshold: Minimum threshold for alert. Default is set to 5.\n - minimumBucketThreshold: Minimum learning buckets threshold for alert. Default is set to 5.",
"displayName": "GSA - Detect Abnormal Deny Rate for Source to Destination IP",
"enabled": false,
- "query": "let NumOfStdsThreshold = 3;\nlet LearningPeriod = 5d;\nlet BinTime = 1h;\nlet MinThreshold = 5.0;\nlet MinLearningBuckets = 5;\nlet TrafficLogs = NetworkAccessTraffic\n | where Action == 'Denied'\n | where isnotempty(DestinationIp) and isnotempty(SourceIp);\nlet LearningSrcIpDenyRate = TrafficLogs\n | where TimeGenerated between (ago(LearningPeriod + 1d) .. ago(1d))\n | summarize count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp\n | summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, DestinationIp\n | where LearningTimeBuckets > MinLearningBuckets;\nlet AlertTimeSrcIpDenyRate = TrafficLogs\n | where TimeGenerated between (ago(1h) .. now())\n | summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp, DestinationIp;\nAlertTimeSrcIpDenyRate\n | join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, DestinationIp\n | extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)\n | where AlertTimeSrcIpDenyRateCount > LearningThreshold\n | project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold \n",
+ "query": "let NumOfStdsThreshold = 3;\nlet LearningPeriod = 5d;\nlet BinTime = 1h;\nlet MinThreshold = 5.0;\nlet MinLearningBuckets = 5;\nlet TrafficLogs = NetworkAccessTraffic\n | where Action == \"Denied\"\n | where isnotempty(DestinationIp) and isnotempty(SourceIp);\nlet LearningSrcIpDenyRate = TrafficLogs\n | where TimeGenerated between (ago(LearningPeriod + 1d) .. ago(1d))\n | summarize count_ = count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp\n | summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, DestinationIp\n | where LearningTimeBuckets > MinLearningBuckets;\nlet AlertTimeSrcIpDenyRate = TrafficLogs\n | where TimeGenerated between (ago(1h) .. now())\n | summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp, DestinationIp;\nAlertTimeSrcIpDenyRate\n | join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, DestinationIp\n | extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)\n | where AlertTimeSrcIpDenyRateCount > LearningThreshold\n | project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT25H",
"severity": "Medium",
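Review bot: The learning window in the rewritten query, `ago(LearningPeriod + 1d) .. ago(1d)` with `LearningPeriod = 5d`, reaches back six days, but `queryPeriod` two lines below stays at `PT25H`; Sentinel scopes a scheduled rule's data to its queryPeriod, so the baseline `summarize` would see at most the last hour of that window and `LearningTimeBuckets > MinLearningBuckets` would rarely hold. With the `kind=leftouter` join the alert-time rows then mostly have no baseline, so the threshold collapses to `MinThreshold` (or the row drops out if the null propagates), and the average-plus-standard-deviation logic the new description advertises is never exercised. If the six-day baseline is intended, set `"queryPeriod": "P6D"` in the source YAML this template is generated from, and document the required lookback next to the "Configurable Parameters" list added in this hunk.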
@@ -2679,22 +2558,22 @@
],
"entityMappings": [
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "SourceIp"
+ "columnName": "SourceIp",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
},
{
- "entityType": "URL",
"fieldMappings": [
{
- "identifier": "Url",
- "columnName": "DestinationIp"
+ "columnName": "DestinationIp",
+ "identifier": "Url"
}
- ]
+ ],
+ "entityType": "URL"
}
]
}
@@ -2702,13 +2581,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject17').analyticRuleId17,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject16').analyticRuleId16,'/'))))]",
"properties": {
- "description": "Global Secure Access Analytics Rule 17",
- "parentId": "[variables('analyticRuleObject17').analyticRuleId17]",
- "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
+ "description": "Global Secure Access Analytics Rule 16",
+ "parentId": "[variables('analyticRuleObject16').analyticRuleId16]",
+ "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject17').analyticRuleVersion17]",
+ "version": "[variables('analyticRuleObject16').analyticRuleVersion16]",
"source": {
"kind": "Solution",
"name": "Global Secure Access",
@@ -2733,18 +2612,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
+ "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
"contentKind": "AnalyticsRule",
"displayName": "GSA - Detect Abnormal Deny Rate for Source to Destination IP",
- "contentProductId": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]",
- "id": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]",
- "version": "[variables('analyticRuleObject17').analyticRuleVersion17]"
+ "contentProductId": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]",
+ "id": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]",
+ "version": "[variables('analyticRuleObject16').analyticRuleVersion16]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject18').analyticRuleTemplateSpecName18]",
+ "name": "[variables('analyticRuleObject17').analyticRuleTemplateSpecName17]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2753,18 +2632,18 @@
"description": "SWG - Abnormal Port to Protocol_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]",
+ "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
+ "name": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes.",
+ "description": "Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline.\nThis can indicate potential protocol misuse or configuration changes.\nConfigurable Parameters:\n- Learning period: The time range to establish the baseline. Default is set to 7 days.\n- Run time: The time range for current analysis. Default is set to 1 day.",
"displayName": "GSA - Detect Protocol Changes for Destination Ports",
"enabled": false,
"query": "let LearningPeriod = 7d;\nlet RunTime = 1d;\nlet StartLearningPeriod = ago(LearningPeriod + RunTime);\nlet EndRunTime = ago(RunTime);\nlet LearningPortToProtocol = \n NetworkAccessTraffic\n | where TimeGenerated between (StartLearningPeriod .. EndRunTime)\n | where isnotempty(DestinationPort)\n | summarize LearningTimeCount = count() by LearningTimeDstPort = DestinationPort, LearningTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;\nlet AlertTimePortToProtocol = \n NetworkAccessTraffic\n | where TimeGenerated between (EndRunTime .. now())\n | where isnotempty(DestinationPort)\n | summarize AlertTimeCount = count() by AlertTimeDstPort = DestinationPort, AlertTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;\nAlertTimePortToProtocol\n | join kind=leftouter (LearningPortToProtocol) on $left.AlertTimeDstPort == $right.LearningTimeDstPort and $left.SourceIp == $right.SourceIp and $left.DestinationFqdn == $right.DestinationFqdn\n | where isnull(LearningTimeProtocol) or LearningTimeProtocol != AlertTimeProtocol\n | project AlertTimeDstPort, AlertTimeProtocol, LearningTimeProtocol, SourceIp, DestinationFqdn\n | extend IPCustomEntity = SourceIp, FqdnCustomEntity = DestinationFqdn\n",
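Review bot: The protocol-change query on the last line of this hunk will alert on a destination port that legitimately carried more than one protocol during the learning window, because the `join kind=leftouter` is keyed on port, SourceIp and DestinationFqdn but not on protocol, so every learned protocol row that differs from the current one survives `LearningTimeProtocol != AlertTimeProtocol`. The description added in this hunk documents the learning period and run time but not this, so a reader would assume only never-seen protocols fire. Consider collapsing the baseline to one row per key with `summarize LearningProtocols = make_set(TransportProtocol) by LearningTimeDstPort = DestinationPort, SourceIp, DestinationFqdn` and filtering with `where isnull(LearningProtocols) or not(set_has_element(LearningProtocols, AlertTimeProtocol))`. The query line is context here rather than part of what this commit changes.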
@@ -2780,7 +2659,7 @@
{
"connectorId": "AzureActiveDirectory",
"dataTypes": [
- "EnrichedMicrosoft365AuditLogs"
+ "NetworkAccessTrafficLogs"
]
}
],
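Review bot: The added dataType `NetworkAccessTrafficLogs` does not match the table name the rule's query reads, `NetworkAccessTraffic`, elsewhere in this template; if the solution's validation or connector gating matches dataTypes against table names, this entry would never be satisfied and the rule would show as missing its data source. The same replacement is made in the later hunk for the port-scan rule, so whichever name is correct should be applied to both. If `NetworkAccessTrafficLogs` is the connector's declared data type name rather than the table, a short comment in the source YAML noting that distinction would save the next reader the same check.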
@@ -2791,22 +2670,22 @@
],
"entityMappings": [
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
},
{
- "entityType": "URL",
"fieldMappings": [
{
- "identifier": "Url",
- "columnName": "FqdnCustomEntity"
+ "columnName": "FqdnCustomEntity",
+ "identifier": "Url"
}
- ]
+ ],
+ "entityType": "URL"
}
]
}
@@ -2814,13 +2693,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject18').analyticRuleId18,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject17').analyticRuleId17,'/'))))]",
"properties": {
- "description": "Global Secure Access Analytics Rule 18",
- "parentId": "[variables('analyticRuleObject18').analyticRuleId18]",
- "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
+ "description": "Global Secure Access Analytics Rule 17",
+ "parentId": "[variables('analyticRuleObject17').analyticRuleId17]",
+ "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject18').analyticRuleVersion18]",
+ "version": "[variables('analyticRuleObject17').analyticRuleVersion17]",
"source": {
"kind": "Solution",
"name": "Global Secure Access",
@@ -2845,18 +2724,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
+ "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
"contentKind": "AnalyticsRule",
"displayName": "GSA - Detect Protocol Changes for Destination Ports",
- "contentProductId": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]",
- "id": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]",
- "version": "[variables('analyticRuleObject18').analyticRuleVersion18]"
+ "contentProductId": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]",
+ "id": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]",
+ "version": "[variables('analyticRuleObject17').analyticRuleVersion17]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject19').analyticRuleTemplateSpecName19]",
+ "name": "[variables('analyticRuleObject18').analyticRuleTemplateSpecName18]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2865,18 +2744,18 @@
"description": "SWG - Source IP Port Scan_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]",
+ "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject19')._analyticRulecontentId19]",
+ "name": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.",
+ "description": "Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.\n Configurable Parameters:\n - Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds.\n - Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100.",
"displayName": "GSA - Detect Source IP Scanning Multiple Open Ports",
"enabled": false,
"query": "let port_scan_time = 30s;\nlet min_ports_threshold = 100;\nNetworkAccessTraffic\n| where TimeGenerated > ago(1d)\n| where Action == 'Allowed'\n| summarize PortsScanned = dcount(DestinationPort) by SourceIp, DestinationFqdn, bin(TimeGenerated, port_scan_time)\n| where PortsScanned > min_ports_threshold\n| project SourceIp, PortsScanned, TimeGenerated,DestinationFqdn\n",
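Review bot: The "Configurable Parameters" text added to this description carries a leading space after each `\n` (`\n Configurable Parameters:`, `\n - Port scan time`), which the sibling description for the protocol-change rule earlier in this file does not, so the rendered text will be indented inconsistently between the two rules; `\nConfigurable Parameters:\n- Port scan time - the time range ...` would match. Separately, the query on the last line counts ports with `dcount(DestinationPort)`, which is an estimate, so results near the documented threshold of 100 may be off by a small percentage; `dcount(DestinationPort, 4)` trades memory for accuracy if exactness near the threshold matters. The 30-second `bin` on TimeGenerated also splits a scan that straddles a bin boundary across two buckets, which the wording "the time range to look for multiple ports scanned" slightly overstates.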
@@ -2892,7 +2771,7 @@
{
"connectorId": "AzureActiveDirectory",
"dataTypes": [
- "EnrichedMicrosoft365AuditLogs"
+ "NetworkAccessTrafficLogs"
]
}
],
@@ -2904,22 +2783,22 @@
],
"entityMappings": [
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "SourceIp"
+ "columnName": "SourceIp",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
},
{
- "entityType": "URL",
"fieldMappings": [
{
- "identifier": "Url",
- "columnName": "DestinationFqdn"
+ "columnName": "DestinationFqdn",
+ "identifier": "Url"
}
- ]
+ ],
+ "entityType": "URL"
}
]
}
@@ -2927,13 +2806,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject19').analyticRuleId19,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject18').analyticRuleId18,'/'))))]",
"properties": {
- "description": "Global Secure Access Analytics Rule 19",
- "parentId": "[variables('analyticRuleObject19').analyticRuleId19]",
- "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]",
+ "description": "Global Secure Access Analytics Rule 18",
+ "parentId": "[variables('analyticRuleObject18').analyticRuleId18]",
+ "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject19').analyticRuleVersion19]",
+ "version": "[variables('analyticRuleObject18').analyticRuleVersion18]",
"source": {
"kind": "Solution",
"name": "Global Secure Access",
@@ -2958,12 +2837,12 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]",
+ "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
"contentKind": "AnalyticsRule",
"displayName": "GSA - Detect Source IP Scanning Multiple Open Ports",
- "contentProductId": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]",
- "id": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]",
- "version": "[variables('analyticRuleObject19').analyticRuleVersion19]"
+ "contentProductId": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]",
+ "id": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]",
+ "version": "[variables('analyticRuleObject18').analyticRuleVersion18]"
}
},
{
@@ -4761,7 +4640,7 @@
"contentSchemaVersion": "3.0.0",
"displayName": "Global Secure Access",
"publisherDisplayName": "Microsoft Corporation",
- "descriptionHtml": "
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nGlobal Secure Access is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below.
\nPrerequisite:
\nInstall one or more of the listed solutions to unlock the value provided by this solution.
\nUnderlying Microsoft Technologies used:
\nThis solution depends on the following technologies, and some of these dependencies may either be in Preview state or might result in additional ingestion or operational costs:
\nWorkbooks: 2, Analytic Rules: 19, Hunting Queries: 21
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nGlobal Secure Access is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below.
\nPrerequisite:
\nInstall one or more of the listed solutions to unlock the value provided by this solution.
\nUnderlying Microsoft Technologies used:
\nThis solution depends on the following technologies, and some of these dependencies may either be in Preview state or might result in additional ingestion or operational costs:
\nWorkbooks: 2, Analytic Rules: 18, Hunting Queries: 21
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -4886,11 +4765,6 @@
"contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
"version": "[variables('analyticRuleObject18').analyticRuleVersion18]"
},
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]",
- "version": "[variables('analyticRuleObject19').analyticRuleVersion19]"
- },
{
"kind": "HuntingQuery",
"contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",