Azure · v-visodadasi · Jan 23, 2025 · Jan 23, 2025
@@ -80,9 +80,9 @@ customDetails:
   Product: EventProduct
   UserAgent: HttpUserAgent
 alertDetailsOverride:
-  alertDisplayNameFormat: Suspicious access of {{number_of_files_accessed}} BEC related documents by {{User}}
+  alertDisplayNameFormat: Suspicious access of {{CountOfDocs}} BEC related documents by {{User}}
   alertDescriptionFormat: |
-    This query looks for users (in this case {{User}}) with suspicious spikes in the number of files accessed (in this case {{number_of_files_accessed}} events) that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. 
+    This query looks for users (in this case {{User}}) with suspicious spikes in the number of files accessed (in this case {{CountOfDocs}} events) that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. 
     This query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Business Email Compromise (BEC)](https://www.microsoft.com/en-in/security/business/security-101/what-is-business-email-compromise-bec?rtc=1) attacks often aim to commit financial fraud by locating sensitive payment or invoice details and using these to hijack legitimate transactions. This solution, in combination with other solutions listed below, provide a range of content to help detect and investigate BEC attacks at different stages of the attack cycle, and across multiple data sources including AWS, SAP, Okta, Dynamics 365, Microsoft Entra ID, Microsoft 365 and network logs.\n\nThis content covers all stages of the attack chain from an initial phishing attack vector, establishing persistence to an environment, locating and collecting sensitive financial information from data stores, and then perpetrating and hiding their fraud. This range of content complements the coverage [Microsoft Defender XDR provides across Microsoft Defender products](https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption).\n\nIn order to gain the most comprehensive coverage possible customers should deploy the content included in this solution as well as content from the following solutions:\n\n 1. Microsoft Entra ID solution for Microsoft Sentinel\n\n 2. Microsoft 365 solution for Microsoft Sentinel\n\n 3. Amazon Web Services\n\n 4. Microsoft Defender XDR\n\n 5. Okta Single Sign On\n\n\n\n**Analytic Rules:** 7, **Hunting Queries:** 13\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Business Email Compromise (BEC)](https://www.microsoft.com/en-in/security/business/security-101/what-is-business-email-compromise-bec?rtc=1) attacks often aim to commit financial fraud by locating sensitive payment or invoice details and using these to hijack legitimate transactions. This solution, in combination with other solutions listed below, provide a range of content to help detect and investigate BEC attacks at different stages of the attack cycle, and across multiple data sources including AWS, SAP, Okta, Dynamics 365, Microsoft Entra ID, Microsoft 365 and network logs.\n\nThis content covers all stages of the attack chain from an initial phishing attack vector, establishing persistence to an environment, locating and collecting sensitive financial information from data stores, and then perpetrating and hiding their fraud. This range of content complements the coverage [Microsoft Defender XDR provides across Microsoft Defender products](https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption).\n\nIn order to gain the most comprehensive coverage possible customers should deploy the content included in this solution as well as content from the following solutions:\n\n 1. Microsoft Entra ID solution for Sentinel\n\n 2. Microsoft 365 solution for Sentinel\n\n 3. Amazon Web Services\n\n 4. Microsoft Defender XDR\n\n 5. Okta Single Sign On\n\n\n\n**Analytic Rules:** 7, **Hunting Queries:** 13\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",