diff --git a/Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AwsS3_WAF_DataConnectorDefination.json b/Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AwsS3_WAF_DataConnectorDefinition.json
similarity index 100%
rename from Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AwsS3_WAF_DataConnectorDefination.json
rename to Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AwsS3_WAF_DataConnectorDefinition.json
diff --git a/Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AwsS3_WAF_PollingConfig.json b/Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AwsS3_WAF_PollingConfig.json
index 0642946194c..2cd6b05bafd 100644
--- a/Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AwsS3_WAF_PollingConfig.json
+++ b/Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AwsS3_WAF_PollingConfig.json
@@ -17,7 +17,7 @@
 "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
 "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
 },
- "destinationTable": "",
+ "destinationTable": "AWSWAF",
 "dataFormat": {
 "Format": "Json",
 "IsCompressed": true,
diff --git a/Solutions/Amazon Web Services/Data/Solution_AmazonWebServices.json b/Solutions/Amazon Web Services/Data/Solution_AmazonWebServices.json
index ca9e0746a88..2e0c3846bd1 100644
--- a/Solutions/Amazon Web Services/Data/Solution_AmazonWebServices.json
+++ b/Solutions/Amazon Web Services/Data/Solution_AmazonWebServices.json
@@ -6,7 +6,7 @@
 "Data Connectors": [
 "Data Connectors/template_AWS.JSON",
 "Data Connectors/template_AwsS3.JSON",
- "Data Connectors/AWS_WAF_CCP/AwsS3_WAF_DataConnectorDefination.json"
+ "Data Connectors/AWS_WAF_CCP/AwsS3_WAF_DataConnectorDefinition.json"
 ],
 "Workbooks": [
 "Workbooks/AmazonWebServicesNetworkActivities.json",
@@ -110,7 +110,7 @@
 "Hunting Queries/AWS_STStoLambda.yaml"
 ],
 "BasePath": "C:\\One\\Azure\\Azure-Sentinel\\Solutions\\Amazon Web Services",
- "Version": "3.0.3",
+ "Version": "3.0.5",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "StaticDataConnectorIds": [
diff --git a/Solutions/Amazon Web Services/Package/3.0.5.zip b/Solutions/Amazon Web Services/Package/3.0.5.zip
new file mode 100644
index 00000000000..d0ce70213e4
Binary files /dev/null and b/Solutions/Amazon Web Services/Package/3.0.5.zip differ
diff --git a/Solutions/Amazon Web Services/Package/createUiDefinition.json b/Solutions/Amazon Web Services/Package/createUiDefinition.json
index 903cb374749..e84a0630745 100644
--- a/Solutions/Amazon Web Services/Package/createUiDefinition.json
+++ b/Solutions/Amazon Web Services/Package/createUiDefinition.json
@@ -64,7 +64,7 @@
 }
 },
 {
- "name": "dataconnectors-link2",
+ "name": "dataconnectors-link3",
 "type": "Microsoft.Common.TextBlock",
 "options": {
 "link": {
diff --git a/Solutions/Amazon Web Services/Package/mainTemplate.json b/Solutions/Amazon Web Services/Package/mainTemplate.json
index 853ec2d0ac8..e36f6f45ef1 100644
--- a/Solutions/Amazon Web Services/Package/mainTemplate.json
+++ b/Solutions/Amazon Web Services/Package/mainTemplate.json
@@ -61,7 +61,7 @@
 },
 "variables": {
 "_solutionName": "Amazon Web Services",
- "_solutionVersion": "3.0.4",
+ "_solutionVersion": "3.0.5",
 "solutionId": "azuresentinel.azure-sentinel-solution-amazonwebservices",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "AWS",
@@ -693,7 +693,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Amazon Web Services data connector with template version 3.0.4",
+ "description": "Amazon Web Services data connector with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -850,7 +850,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Amazon Web Services data connector with template version 3.0.4",
+ "description": "Amazon Web Services data connector with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion2')]",
@@ -862,13 +862,14 @@
 "apiVersion": "2021-03-01-preview",
 "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
 "location": "[parameters('workspace-location')]",
- "kind": "StaticUI",
+ "kind": "GenericUI",
 "properties": {
 "connectorUiConfig": {
 "id": "[variables('_uiConfigId2')]",
 "title": "Amazon Web Services S3",
 "publisher": "Amazon",
 "descriptionMarkdown": "This connector allows you to ingest AWS service logs, collected in AWS S3 buckets, to Microsoft Sentinel. The currently supported data types are: \n* AWS CloudTrail\n* VPC Flow Logs\n* AWS GuardDuty\n* AWSCloudWatch\n\nFor more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2218883&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
+ "logo": "Aws.svg",
 "graphQueries": [
 {
 "metricName": "Total data received",
@@ -930,6 +931,98 @@ "name": "AWSCloudWatch", "lastDataReceivedQuery": "AWSCloudWatch\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } + ], + "availability": { + "status": 2, + "featureFlag": { + "feature": "AWSS3Connector", + "featureStates": { + "Dogfood": "GA", + "MPAC": "GA", + "Prod": "GA", + "Fairfax": "GA", + "Mooncake": "PrivatePreview", + "USSec": "PrivatePreview", + "USNat": "PrivatePreview" + } + }, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "write permission.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Environment", + "description": "you must have the following AWS resources defined and configured: S3, Simple Queue Service (SQS), IAM roles and permissions policies, and the AWS services whose logs you want to collect." + } + ] + }, + "instructionSteps": [ + { + "description": "The​re are two options for setting up your AWS environment to send logs from an S3 bucket to your Log Analytics Workspace:", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Setup with PowerShell script (recommended)", + "instructions": [ + { + "parameters": { + "govScript": "Download and extract the files from the following link: [AWS S3 Setup Script](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/AWS-S3/ConfigAwsS3DataConnectorScriptsGov.zip).\n\n> 1. Make sure that you have PowerShell on your machine: [Installation instructions for PowerShell](https://docs.microsoft.com/powershell/scripting/install/installing-powershell?view=powershell-7.2).\n\n> 2. 
Make sure that you have the AWS CLI on your machine: [Installation instructions for the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html).\n\nBefore running the script, run the aws configure command from your PowerShell command line, and enter the relevant information as prompted. See [AWS Command Line Interface | Configuration basics](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html) for details.", + "prodScript": "Download and extract the files from the following link: [AWS S3 Setup Script](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/AWS-S3/ConfigAwsS3DataConnectorScripts.zip).\n\n> 1. Make sure that you have PowerShell on your machine: [Installation instructions for PowerShell](https://docs.microsoft.com/powershell/scripting/install/installing-powershell?view=powershell-7.2).\n\n> 2. Make sure that you have the AWS CLI on your machine: [Installation instructions for the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html).\n\nBefore running the script, run the aws configure command from your PowerShell command line, and enter the relevant information as prompted. See [AWS Command Line Interface | Configuration basics](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html) for details." + }, + "type": "MarkdownControlEnvBased" + }, + { + "parameters": { + "label": "Run script to set up the environment", + "value": "./ConfigAwsConnector.ps1" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "External ID (Workspace ID)" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Manual Setup", + "description": "Follow the instruction in the following link to set up the environment: [Connect AWS S3 to Microsoft Sentinel](https://aka.ms/AWSS3Connector)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. 
Set up your AWS environment" + }, + { + "instructions": [ + { + "parameters": {}, + "type": "AwsS3" + } + ], + "title": "2. Add connection" + } ] } } @@ -1008,7 +1101,7 @@ "apiVersion": "2021-03-01-preview", "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", - "kind": "StaticUI", + "kind": "GenericUI", "properties": { "connectorUiConfig": { "title": "Amazon Web Services S3", 
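Review bot: The new `instructionSteps[0].description` string appears to contain an invisible zero-width character inside the word "There" (it comes through here as `The​re`), so the rendered text and any search or comparison on it will silently misbehave; retype the word as plain ASCII, i.e. `"description": "There are two options for setting up your AWS environment to send logs from an S3 bucket to your Log Analytics Workspace:"`. The same string and the same `permissions` block are duplicated in the `@@ -1062` hunk, so both copies need the fix. In `permissions.resourceProvider[0]`, `permissionsDisplayText` says `"write permission."` while `requiredPermissions` declares both `"write": true` and `"delete": true`, so the portal under-states what the connector actually checks; either drop `"delete": true` if it is not needed or change the text to `"write and delete permissions."`. Smaller wording issues in the same block: `customs[0].description` starts lowercase (`"you must have…"`) and `"Follow the instruction in the following link"` should read `instructions`. The enclosing `connectorUiConfig` object starts before this hunk and the resource closes after it.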
@@ -1062,6 +1155,112 @@ ] } ], + "sampleQueries": [ + { + "description": "High severity findings summarized by activity type", + "query": "AWSGuardDuty\n | where Severity > 7\n | summarize count() by ActivityType" + }, + { + "description": "Top 10 rejected actions of type IPv4", + "query": "AWSVPCFlow\n | where Action == \"REJECT\"\n | where Type == \"IPv4\"\n | take 10" + }, + { + "description": "User creation events summarized by region", + "query": "AWSCloudTrail\n | where EventName == \"CreateUser\"\n | summarize count() by AWSRegion" + } + ], + "availability": { + "status": 2, + "featureFlag": { + "feature": "AWSS3Connector", + "featureStates": { + "Dogfood": "GA", + "MPAC": "GA", + "Prod": "GA", + "Fairfax": "GA", + "Mooncake": "PrivatePreview", + "USSec": "PrivatePreview", + "USNat": "PrivatePreview" + } + }, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "write permission.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Environment", + "description": "you must have the following AWS resources defined and configured: S3, Simple Queue Service (SQS), IAM roles and permissions policies, and the AWS services whose logs you want to collect." + } + ] + }, + "instructionSteps": [ + { + "description": "The​re are two options for setting up your AWS environment to send logs from an S3 bucket to your Log Analytics Workspace:", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Setup with PowerShell script (recommended)", + "instructions": [ + { + "parameters": { + "govScript": "Download and extract the files from the following link: [AWS S3 Setup Script](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/AWS-S3/ConfigAwsS3DataConnectorScriptsGov.zip).\n\n> 1. 
Make sure that you have PowerShell on your machine: [Installation instructions for PowerShell](https://docs.microsoft.com/powershell/scripting/install/installing-powershell?view=powershell-7.2).\n\n> 2. Make sure that you have the AWS CLI on your machine: [Installation instructions for the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html).\n\nBefore running the script, run the aws configure command from your PowerShell command line, and enter the relevant information as prompted. See [AWS Command Line Interface | Configuration basics](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html) for details.", + "prodScript": "Download and extract the files from the following link: [AWS S3 Setup Script](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/AWS-S3/ConfigAwsS3DataConnectorScripts.zip).\n\n> 1. Make sure that you have PowerShell on your machine: [Installation instructions for PowerShell](https://docs.microsoft.com/powershell/scripting/install/installing-powershell?view=powershell-7.2).\n\n> 2. Make sure that you have the AWS CLI on your machine: [Installation instructions for the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html).\n\nBefore running the script, run the aws configure command from your PowerShell command line, and enter the relevant information as prompted. See [AWS Command Line Interface | Configuration basics](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html) for details." 
+ }, + "type": "MarkdownControlEnvBased" + }, + { + "parameters": { + "label": "Run script to set up the environment", + "value": "./ConfigAwsConnector.ps1" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "External ID (Workspace ID)" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Manual Setup", + "description": "Follow the instruction in the following link to set up the environment: [Connect AWS S3 to Microsoft Sentinel](https://aka.ms/AWSS3Connector)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Set up your AWS environment" + }, + { + "instructions": [ + { + "parameters": {}, + "type": "AwsS3" + } + ], + "title": "2. Add connection" + } + ], "id": "[variables('_uiConfigId2')]" } } @@ -1545,15 +1744,13 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorCCPVersion')]", "parameters": { - "apikey": { - "defaultValue": "-NA-", - "type": "securestring", - "minLength": 1 + "guidValue": { + "defaultValue": "[[newGuid()]", + "type": "string" }, - "baseUrl": { - "defaultValue": "Enter baseUrl value", - "type": "string", - "minLength": 1 + "innerWorkspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" }, "connectorDefinitionName": { "defaultValue": "Amazon Web Services S3 WAF", @@ -1612,7 +1809,7 @@ } }, { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'AwsS3 WAF Pollinf Config')]", + "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'AwsS3 WAF Pollinf Config', parameters('guidValue'))]", "apiVersion": "2023-02-01-preview", "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", 
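Review bot: The second entry in the new `sampleQueries` is described as `"Top 10 rejected actions of type IPv4"` but its KQL ends in `| take 10`, which returns ten arbitrary matching rows rather than a ranked top ten; either reword it to `"description": "10 sample rejected IPv4 flows"` or aggregate and rank (`summarize count() by <group column> | top 10 by count_`) so the description is true. The first query's `where Severity > 7` excludes findings with severity exactly 7, which GuardDuty's own scale classes as High, so `Severity >= 7` is likely the intended boundary — confirm against the scale the rest of this solution's rules use. The `availability` and `permissions` blocks here duplicate those added in the `@@ -930` hunk, so whatever is fixed there (the zero-width character in "There", the `"write permission."` text versus `"delete": true`) must be mirrored here. The enclosing `connectorUiConfig` object starts before this hunk.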
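Review bot: The rewritten `name` keeps the misspelling `'AwsS3 WAF Pollinf Config'` and now concatenates `parameters('guidValue')` onto it, so the typo becomes part of every deployed connector's resource identity and can only be corrected later by creating new resources; change it to `'AwsS3 WAF Polling Config'` before this ships. The `@@ -1545` hunk drops the `apikey` and `baseUrl` parameters from this inner template, so please confirm that no `parameters('apikey')` or `parameters('baseUrl')` reference survives in the poller body, which this hunk does not show; a leftover reference would fail template validation at deploy time. The resource object that begins with this `name` closes after the hunk.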
@@ -1629,7 +1826,7 @@ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" }, - "destinationTable": "", + "destinationTable": "AWSWAF", "dataFormat": { "Format": "Json", "IsCompressed": true, @@ -1661,7 +1858,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AmazonWebServicesNetworkActivities Workbook with template version 3.0.4", + "description": "AmazonWebServicesNetworkActivities Workbook with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -1748,7 +1945,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AmazonWebServicesUserActivities Workbook with template version 3.0.4", + "description": "AmazonWebServicesUserActivities Workbook with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", 
@@ -1835,7 +2032,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ChangeToRDSDatabase_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_ChangeToRDSDatabase_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -1961,7 +2158,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ChangeToVPC_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_ChangeToVPC_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -2089,7 +2286,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ClearStopChangeTrailLogs_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_ClearStopChangeTrailLogs_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", 
@@ -2215,7 +2412,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ConfigServiceResourceDeletion_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_ConfigServiceResourceDeletion_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -2345,7 +2542,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ConsoleLogonWithoutMFA_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_ConsoleLogonWithoutMFA_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -2474,7 +2671,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CredentialHijack_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_CredentialHijack_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", 
@@ -2600,7 +2797,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_FullAdminPolicyAttachedToRolesUsersGroups_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_FullAdminPolicyAttachedToRolesUsersGroups_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -2727,7 +2924,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_IngressEgressSecurityGroupChange_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_IngressEgressSecurityGroupChange_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -2853,7 +3050,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_LoadBalancerSecGroupChange_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_LoadBalancerSecGroupChange_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", 
@@ -2979,7 +3176,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_AWS_ConsoleLogonWithoutMFA_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "NRT_AWS_ConsoleLogonWithoutMFA_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -3104,7 +3301,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_GuardDuty_template_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_GuardDuty_template_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -3185,17 +3382,17 @@ } ], "customDetails": { - "ThreatFamilyName": "ThreatFamilyName", - "DetectionMechanism": "DetectionMechanism", "ResourceTypeAffected": "ResourceTypeAffected", "ThreatPurpose": "ThreatPurpose", - "Artifact": "Artifact" + "Artifact": "Artifact", + "ThreatFamilyName": "ThreatFamilyName", + "DetectionMechanism": "DetectionMechanism" }, "alertDetailsOverride": { + "alertSeverityColumnName": "Severity", "alertTacticsColumnName": "ThreatPurpose", "alertDisplayNameFormat": "{{Title}}", - "alertDescriptionFormat": "{{Description}}", - "alertSeverityColumnName": "Severity" + "alertDescriptionFormat": "{{Description}}" } } }, 
@@ -3249,7 +3446,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ECRContainerHigh_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_ECRContainerHigh_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", @@ -3369,7 +3566,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_SuspiciousCommandEC2_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_SuspiciousCommandEC2_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", @@ -3489,7 +3686,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_APIfromTor_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_APIfromTor_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", 
@@ -3609,7 +3806,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_GuardDutyDisabled_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_GuardDutyDisabled_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", @@ -3729,7 +3926,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedCloudFormationPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_CreatedCloudFormationPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", @@ -3849,7 +4046,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedCRUDDyanmoDBPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_CreatedCRUDDyanmoDBPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", 
@@ -3969,7 +4166,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedCRUDIAMtoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_CreatedCRUDIAMtoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", @@ -4089,7 +4286,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedCRUDKMSPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_CreatedCRUDKMSPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", @@ -4209,7 +4406,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedCRUDS3PolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_CreatedCRUDS3PolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", 
@@ -4329,7 +4526,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedCURDLambdaPolicytoPrivilegEscalation_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_CreatedCURDLambdaPolicytoPrivilegEscalation_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", @@ -4449,7 +4646,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedDataPipelinePolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_CreatedDataPipelinePolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", @@ -4569,7 +4766,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedEC2PolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_CreatedEC2PolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", 
@@ -4689,7 +4886,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedGluePolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_CreatedGluePolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", @@ -4809,7 +5006,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedLambdaPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_CreatedLambdaPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", @@ -4929,7 +5126,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedSSMPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "AWS_CreatedSSMPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", 
@@ -5049,7 +5246,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_CreationofEncryptKeysWithoutMFA_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_CreationofEncryptKeysWithoutMFA_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]",
@@ -5169,7 +5366,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_ECRImageScanningDisabled_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_ECRImageScanningDisabled_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]",
@@ -5289,7 +5486,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_LogTampering_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_LogTampering_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]",
@@ -5409,7 +5606,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_NetworkACLOpenToAllPorts_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_NetworkACLOpenToAllPorts_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]",
@@ -5529,7 +5726,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_OverlyPermessiveKMS_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_OverlyPermessiveKMS_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]",
@@ -5649,7 +5846,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_PrivilegeEscalationAdministratorAccessManagedPolicy_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_PrivilegeEscalationAdministratorAccessManagedPolicy_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]",
@@ -5769,7 +5966,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_PrivilegeEscalationAdminManagedPolicy_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_PrivilegeEscalationAdminManagedPolicy_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]",
@@ -5889,7 +6086,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_PrivilegeEscalationFullAccessManagedPolicy_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_PrivilegeEscalationFullAccessManagedPolicy_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]",
@@ -6009,7 +6206,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_PrivilegeEscalationViaCloudFormationPolicy_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_PrivilegeEscalationViaCloudFormationPolicy_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]",
@@ -6129,7 +6326,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_PrivilegeEscalationviaCRUDDynamoDB_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_PrivilegeEscalationviaCRUDDynamoDB_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]",
@@ -6249,7 +6446,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_PrivilegeEscalationViaCRUDIAMPolicy_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_PrivilegeEscalationViaCRUDIAMPolicy_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]",
@@ -6369,7 +6566,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_PrivilegeEscalationViaCRUDKMSPolicy_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_PrivilegeEscalationViaCRUDKMSPolicy_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]",
@@ -6489,7 +6686,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_PrivilegeEscalationViaCRUDLambdaPolicy_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_PrivilegeEscalationViaCRUDLambdaPolicy_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]",
@@ -6609,7 +6806,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_PrivilegeEscalationViaCRUDS3Policy_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_PrivilegeEscalationViaCRUDS3Policy_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]",
@@ -6729,7 +6926,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_PrivilegeEscalationViaDataPipeline_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_PrivilegeEscalationViaDataPipeline_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]",
@@ -6849,7 +7046,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_PrivilegeEscalationViaEC2Policy_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_PrivilegeEscalationViaEC2Policy_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]",
@@ -6969,7 +7166,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_PrivilegeEscalationViaGluePolicy_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_PrivilegeEscalationViaGluePolicy_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]",
@@ -7089,7 +7286,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_PrivilegeEscalationViaLambdaPolicy_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_PrivilegeEscalationViaLambdaPolicy_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]",
@@ -7209,7 +7406,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_PrivilegeEscalationViaSSM_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_PrivilegeEscalationViaSSM_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]",
@@ -7329,7 +7526,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_RDSInstancePubliclyExposed_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_RDSInstancePubliclyExposed_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]",
@@ -7449,7 +7646,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_S3BruteForce_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_S3BruteForce_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]",
@@ -7569,7 +7766,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_S3BucketAccessPointExposed_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_S3BucketAccessPointExposed_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject48').analyticRuleVersion48]",
@@ -7689,7 +7886,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_S3BucketExposedviaACL_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_S3BucketExposedviaACL_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]",
@@ -7809,7 +8006,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_S3BucketExposedviaPolicy_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_S3BucketExposedviaPolicy_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject50').analyticRuleVersion50]",
@@ -7929,7 +8126,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_S3ObjectPubliclyExposed_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_S3ObjectPubliclyExposed_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject51').analyticRuleVersion51]",
@@ -8049,7 +8246,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_S3Ransomware_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_S3Ransomware_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject52').analyticRuleVersion52]",
@@ -8169,7 +8366,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_SAMLUpdateIdentity_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_SAMLUpdateIdentity_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject53').analyticRuleVersion53]",
@@ -8289,7 +8486,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_SetDefaulyPolicyVersion_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_SetDefaulyPolicyVersion_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject54').analyticRuleVersion54]",
@@ -8409,7 +8606,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_SSMPubliclyExposed_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AWS_SSMPubliclyExposed_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject55').analyticRuleVersion55]",
@@ -8529,7 +8726,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SuspiciousAWSCLICommandExecution_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "SuspiciousAWSCLICommandExecution_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject56').analyticRuleVersion56]",
@@ -8656,7 +8853,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SuspiciousAWSEC2ComputeResourceDeployments_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "SuspiciousAWSEC2ComputeResourceDeployments_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject57').analyticRuleVersion57]",
@@ -8725,9 +8922,9 @@
 }
 ],
 "customDetails": {
+ "UserAgent": "UserAgent",
 "SourceIpAddress": "SourceIpAddress",
- "AWSUser": "UserIdentityArn",
- "UserAgent": "UserAgent"
+ "AWSUser": "UserIdentityArn"
 }
 }
 },
@@ -8781,7 +8978,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_IAM_PolicyChange_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_IAM_PolicyChange_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -8865,7 +9062,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_IAM_PrivilegeEscalationbyAttachment_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_IAM_PrivilegeEscalationbyAttachment_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -8949,7 +9146,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_PrivilegedRoleAttachedToInstance_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_PrivilegedRoleAttachedToInstance_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -9033,7 +9230,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_SuspiciousCredentialTokenAccessOfValid_IAM_Roles_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_SuspiciousCredentialTokenAccessOfValid_IAM_Roles_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -9117,7 +9314,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_Unused_UnsupportedCloudRegions_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_Unused_UnsupportedCloudRegions_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -9201,7 +9398,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_EC2_WithoutKeyPair_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_EC2_WithoutKeyPair_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -9285,7 +9482,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_AssumeRoleBruteForce_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_AssumeRoleBruteForce_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -9369,7 +9566,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_BucketVersioningSuspended_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_BucketVersioningSuspended_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -9453,7 +9650,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_CreateAccessKey_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_CreateAccessKey_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -9537,7 +9734,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_CreateLoginProfile_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_CreateLoginProfile_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -9621,7 +9818,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_ECRContainerLow_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_ECRContainerLow_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject11').huntingQueryVersion11]",
@@ -9705,7 +9902,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_ECRContainerMedium_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_ECRContainerMedium_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject12').huntingQueryVersion12]",
@@ -9789,7 +9986,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_ExcessiveExecutionofDiscoveryEvents_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_ExcessiveExecutionofDiscoveryEvents_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject13').huntingQueryVersion13]",
@@ -9873,7 +10070,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_FailedBruteForceS3Bucket_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_FailedBruteForceS3Bucket_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject14').huntingQueryVersion14]",
@@ -9957,7 +10154,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_FailedBruteForceWithoutMFA_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_FailedBruteForceWithoutMFA_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject15').huntingQueryVersion15]",
@@ -10041,7 +10238,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_IAMAccsesDeniedDiscoveryEvents_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_IAMAccsesDeniedDiscoveryEvents_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject16').huntingQueryVersion16]",
@@ -10125,7 +10322,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_IAMUserGroupChanges_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_IAMUserGroupChanges_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject17').huntingQueryVersion17]",
@@ -10209,7 +10406,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_LambdaFunctionThrottled_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_LambdaFunctionThrottled_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject18').huntingQueryVersion18]",
@@ -10293,7 +10490,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_LambdaLayerImportedExternalAccount_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_LambdaLayerImportedExternalAccount_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject19').huntingQueryVersion19]",
@@ -10377,7 +10574,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_LambdaUpdateFunctionCode_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_LambdaUpdateFunctionCode_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject20').huntingQueryVersion20]",
@@ -10461,7 +10658,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_LoginProfileUpdated_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_LoginProfileUpdated_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject21').huntingQueryVersion21]",
@@ -10545,7 +10742,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_ModificationofRouteTableAttributes_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_ModificationofRouteTableAttributes_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject22').huntingQueryVersion22]",
@@ -10629,7 +10826,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_ModificationofSubnetAttributes_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_ModificationofSubnetAttributes_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject23').huntingQueryVersion23]",
@@ -10713,7 +10910,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_ModificationofVPCAttributes_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_ModificationofVPCAttributes_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject24').huntingQueryVersion24]",
@@ -10797,7 +10994,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_NetworkACLDeleted_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_NetworkACLDeleted_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject25').huntingQueryVersion25]",
@@ -10881,7 +11078,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_NewRootAccessKey_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_NewRootAccessKey_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject26').huntingQueryVersion26]",
@@ -10965,7 +11162,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_PolicywithExcessivePermissions_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_PolicywithExcessivePermissions_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject27').huntingQueryVersion27]",
@@ -11049,7 +11246,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_RDSMasterPasswordChanged_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_RDSMasterPasswordChanged_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject28').huntingQueryVersion28]",
@@ -11133,7 +11330,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_RiskyRoleName_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_RiskyRoleName_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject29').huntingQueryVersion29]",
@@ -11217,7 +11414,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_S3BucketDeleted_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_S3BucketDeleted_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject30').huntingQueryVersion30]",
@@ -11301,7 +11498,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_S3BucketEncryptionModified_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_S3BucketEncryptionModified_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject31').huntingQueryVersion31]",
@@ -11385,7 +11582,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_STStoEC2_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_STStoEC2_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject32').huntingQueryVersion32]",
@@ -11469,7 +11666,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_STStoECS_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_STStoECS_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject33').huntingQueryVersion33]",
@@ -11553,7 +11750,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_STStoGlue_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_STStoGlue_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject34').huntingQueryVersion34]",
@@ -11637,7 +11834,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_STStoKWN_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_STStoKWN_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject35').huntingQueryVersion35]",
@@ -11721,7 +11918,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AWS_STStoLambda_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "AWS_STStoLambda_HuntingQueries Hunting Query with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject36').huntingQueryVersion36]",
@@ -11801,7 +11998,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.4",
+ "version": "3.0.5",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Amazon Web Services",
diff --git a/Solutions/Amazon Web Services/ReleaseNotes.md b/Solutions/Amazon Web Services/ReleaseNotes.md
index d6062253d20..4ec7da7ce9f 100644
--- a/Solutions/Amazon Web Services/ReleaseNotes.md
+++ b/Solutions/Amazon Web Services/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.0.5 | 10-02-2025 | Repackaged to fix ccp grid showing only 1 record and rename of file |
 | 3.0.4 | 13-12-2024 | Updated title of **Analytic Rule** - AWS_LogTampering.yaml |
 | 3.0.3 | 27-05-2024 | Updated **Hunting Query** AWS_FailedBruteForceS3Bucket.yaml and **Analytic Rules** for missing TTP |
 | 3.0.2 | 05-04-2024 | Updated awsS3 **Data connector**, added new Data Type CloudWatch |