diff --git a/Solutions/Microsoft Defender For Identity/Data Connectors/MicrosoftDefenderforIdentity.JSON b/Solutions/Microsoft Defender For Identity/Data Connectors/MicrosoftDefenderforIdentity.JSON
index 9c4d5f396f7..3f263f4a73a 100644
--- a/Solutions/Microsoft Defender For Identity/Data Connectors/MicrosoftDefenderforIdentity.JSON
+++ b/Solutions/Microsoft Defender For Identity/Data Connectors/MicrosoftDefenderforIdentity.JSON
@@ -26,7 +26,7 @@
],
"connectivityCriterias": [
{
- "type": "SentinelKinds",
+ "type": "MtpAlerts",
"value": [
"AzureAdvancedThreatProtection"
]
diff --git a/Solutions/Microsoft Defender For Identity/Package/3.0.0.zip b/Solutions/Microsoft Defender For Identity/Package/3.0.0.zip
new file mode 100644
index 00000000000..3eb95085b60
Binary files /dev/null and b/Solutions/Microsoft Defender For Identity/Package/3.0.0.zip differ
diff --git a/Solutions/Microsoft Defender For Identity/Package/createUiDefinition.json b/Solutions/Microsoft Defender For Identity/Package/createUiDefinition.json
index 69fd3c35991..6b930edcc7e 100644
--- a/Solutions/Microsoft Defender For Identity/Package/createUiDefinition.json
+++ b/Solutions/Microsoft Defender For Identity/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Microsoft Defender for Identity](https://docs.microsoft.com/defender-for-identity/what-is) solution for Microsoft Sentinel allows you to ingest [security alerts](https://docs.microsoft.com/defender-for-identity/suspicious-activity-guide) reported in the Microsoft Defender for Identity platform to get better insights into the identity posture of your organization’s Active Directory environment.\n\n\r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20for%20Identity/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Microsoft Defender for Identity](https://docs.microsoft.com/defender-for-identity/what-is) solution for Microsoft Sentinel allows you to ingest [security alerts](https://docs.microsoft.com/defender-for-identity/suspicious-activity-guide) reported in the Microsoft Defender for Identity platform to get better insights into the identity posture of your organization’s Active Directory environment.\n\n\r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
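Review bot: The new Release Notes link in the replacement description points at `Solutions/Microsoft%20Defender%20for%20Identity/ReleaseNotes.md`, but the solution directory in this diff is `Solutions/Microsoft Defender For Identity` (capital F, see the file headers and the new ReleaseNotes.md path), and GitHub repository paths are case-sensitive, so installers who follow the link will get a 404. Change the URL to `https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20For%20Identity/ReleaseNotes.md`. The remainder of the description text is carried over unchanged from the previous version.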
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -60,11 +60,11 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This solution installs the data connector for ingesting the security alerts on suspicious behaviour reported in the Microsoft Defender for Identity platform. These alerts help SecOps analysts to detect advanced credential theft attacks in your Active Directory environment. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for Microsoft Defender for Identity. You can get Microsoft Defender for Identity custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
- "name": "dataconnectors-link2",
+ "name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
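Review bot: The replacement `text` now says the connector provides "Microsoft Defender for Identity custom log data", which contradicts the basics description earlier in this same file (it ingests security alerts) and the connector's own `MtpAlerts` connectivity criterion, and it drops the useful hint about what those alerts are for. Keep the alert wording, e.g. `"text": "This Solution installs the data connector for Microsoft Defender for Identity, which ingests the security alerts reported by the Microsoft Defender for Identity platform into your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."`. The `dataconnectors-link2` to `dataconnectors-link1` rename is fine provided no other element in the file still carries the `link1` name, which is not visible in this hunk.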
diff --git a/Solutions/Microsoft Defender For Identity/Package/mainTemplate.json b/Solutions/Microsoft Defender For Identity/Package/mainTemplate.json
index 6bb101502e1..adff21b42b5 100644
--- a/Solutions/Microsoft Defender For Identity/Package/mainTemplate.json
+++ b/Solutions/Microsoft Defender For Identity/Package/mainTemplate.json
@@ -30,49 +30,34 @@
}
},
"variables": {
- "solutionId": "azuresentinel.azure-sentinel-solution-mdefenderforidentity",
- "_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
- "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_solutionName": "Microsoft Defender for Identity",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "azuresentinel.azure-sentinel-solution-mdefenderforidentity",
+ "_solutionId": "[variables('solutionId')]",
"uiConfigId1": "AzureAdvancedThreatProtection",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "AzureAdvancedThreatProtection",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
- "dataConnectorVersion1": "1.0.0"
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
+ "dataConnectorVersion1": "1.0.0",
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
- "properties": {
- "description": "Microsoft Defender for Identity data connector with template",
- "displayName": "Microsoft Defender for Identity template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Microsoft Defender for Identity data connector with template version 2.0.1",
+ "description": "Microsoft Defender for Identity data connector with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
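Review bot: The connector definition changes in this package (its connectivity criterion moves from `SentinelKinds` to `MtpAlerts` further down in this file), yet `dataConnectorVersion1` is left at `"1.0.0"` on its `+` line, so the contentTemplate `version`, the embedded `contentVersion` and the `_dataConnectorcontentProductId1` hash (which folds `dataConnectorVersion1` into its `uniqueString`) are identical to the previous package even though the connector content differs. Bump it, e.g. `"dataConnectorVersion1": "1.0.1",`, so that workspaces which already hold 1.0.0 see the updated connector as new content. Separately, `workspaceResourceId` is dropped from `variables` here; its only visible users were the removed templateSpecs tags, but if any resource later in mainTemplate (outside this chunk) still references `variables('workspaceResourceId')` the deployment will fail validation, so confirm nothing else uses it.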
@@ -90,7 +75,7 @@
"id": "[variables('_uiConfigId1')]",
"title": "Microsoft Defender for Identity",
"publisher": "Microsoft",
- "descriptionMarkdown": "Connect Microsoft Defender for Identity to gain visibility into the events and user analytics. Microsoft Defender for Identity identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Microsoft Defender for Identity enables SecOp analysts and security professionals struggling to detect advanced attacks in hybrid environments to:\n\n- Monitor users, entity behavior, and activities with learning-based analytics\n- Protect user identities and credentials stored in Active Directory\n- Identify and investigate suspicious user activities and advanced attacks throughout the kill chain\n- Provide clear incident information on a simple timeline for fast triage\n\n[Try now >](https://aka.ms/AtpTryNow)\n\n[Deploy now >](https://aka.ms/AzureATP_Deploy)\n\nFor more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2220069&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
+ "descriptionMarkdown": "Connect Microsoft Defender for Identity to gain visibility into the events and user analytics. Microsoft Defender for Identity identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Microsoft Defender for Identity enables SecOp analysts and security professionals struggling to detect advanced attacks in hybrid environments to:\n\n- Monitor users, entity behavior, and activities with learning-based analytics\n- Protect user identities and credentials stored in Active Directory\n- Identify and investigate suspicious user activities and advanced attacks throughout the kill chain\n- Provide clear incident information on a simple timeline for fast triage\n\n[Try now >](https://aka.ms/AtpTryNow)\n\n[Deploy now >](https://aka.ms/AzureATP_Deploy)\n\nFor more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2220069&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
{
"metricName": "Total data received",
@@ -100,7 +85,7 @@
],
"connectivityCriterias": [
{
- "type": "SentinelKinds",
+ "type": "MtpAlerts",
"value": [
"AzureAdvancedThreatProtection"
]
@@ -117,7 +102,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
@@ -142,12 +127,23 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "Microsoft Defender for Identity",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
@@ -185,7 +181,7 @@
"connectorUiConfig": {
"title": "Microsoft Defender for Identity",
"publisher": "Microsoft",
- "descriptionMarkdown": "Connect Microsoft Defender for Identity to gain visibility into the events and user analytics. Microsoft Defender for Identity identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Microsoft Defender for Identity enables SecOp analysts and security professionals struggling to detect advanced attacks in hybrid environments to:\n\n- Monitor users, entity behavior, and activities with learning-based analytics\n- Protect user identities and credentials stored in Active Directory\n- Identify and investigate suspicious user activities and advanced attacks throughout the kill chain\n- Provide clear incident information on a simple timeline for fast triage\n\n[Try now >](https://aka.ms/AtpTryNow)\n\n[Deploy now >](https://aka.ms/AzureATP_Deploy)\n\nFor more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2220069&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
+ "descriptionMarkdown": "Connect Microsoft Defender for Identity to gain visibility into the events and user analytics. Microsoft Defender for Identity identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Microsoft Defender for Identity enables SecOp analysts and security professionals struggling to detect advanced attacks in hybrid environments to:\n\n- Monitor users, entity behavior, and activities with learning-based analytics\n- Protect user identities and credentials stored in Active Directory\n- Identify and investigate suspicious user activities and advanced attacks throughout the kill chain\n- Provide clear incident information on a simple timeline for fast triage\n\n[Try now >](https://aka.ms/AtpTryNow)\n\n[Deploy now >](https://aka.ms/AzureATP_Deploy)\n\nFor more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2220069&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
{
"metricName": "Total data received",
@@ -201,7 +197,7 @@
],
"connectivityCriterias": [
{
- "type": "SentinelKinds",
+ "type": "MtpAlerts",
"value": [
"AzureAdvancedThreatProtection"
]
@@ -212,13 +208,20 @@
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "2.0.1",
+ "version": "3.0.0",
"kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Microsoft Defender for Identity",
+ "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
+ "descriptionHtml": "
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Microsoft Defender for Identity solution for Microsoft Sentinel allows you to ingest security alerts reported in the Microsoft Defender for Identity platform to get better insights into the identity posture of your organization’s Active Directory environment.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\n- Azure Monitor HTTP Data Collector API
\n
\nData Connectors: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "
",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
diff --git a/Solutions/Microsoft Defender For Identity/Package/testParameters.json b/Solutions/Microsoft Defender For Identity/Package/testParameters.json
new file mode 100644
index 00000000000..e55ec41a9ac
--- /dev/null
+++ b/Solutions/Microsoft Defender For Identity/Package/testParameters.json
@@ -0,0 +1,24 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ }
+}
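Review bot: The new `workspace` parameter accepts an empty string: it has `"defaultValue": ""` and no `minLength`, unlike `location`, so a deployment that omits it silently builds `resourceId('Microsoft.OperationalInsights/workspaces', '')` and every `extensionResourceId` derived from it, failing only late with an unhelpful ARM error. Add `"minLength": 1,` next to `"defaultValue": ""` for both `workspace` and `workspace-location` so validation rejects the empty value up front. The `[concat(...)]` expression in `workspace-location`'s description exists only to reference `parameters('location')` and keep arm-ttk quiet, as the `location` description explains; a short note to that effect in its own metadata would save the next reader a puzzle.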
diff --git a/Solutions/Microsoft Defender For Identity/ReleaseNotes.md b/Solutions/Microsoft Defender For Identity/ReleaseNotes.md
new file mode 100644
index 00000000000..d0b09ab8804
--- /dev/null
+++ b/Solutions/Microsoft Defender For Identity/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|----------------------------------------|
+| 3.0.0 | 07-04-2025 | Updated ConnectivityCriteria Type in **Data Connector**. |
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender XDR/Data Connectors/MicrosoftThreatProtection.JSON b/Solutions/Microsoft Defender XDR/Data Connectors/MicrosoftThreatProtection.JSON
index 4d5ccd9cdb9..a7559bcf63d 100644
--- a/Solutions/Microsoft Defender XDR/Data Connectors/MicrosoftThreatProtection.JSON
+++ b/Solutions/Microsoft Defender XDR/Data Connectors/MicrosoftThreatProtection.JSON
@@ -69,6 +69,18 @@
"MicrosoftThreatProtection"
]
},
+ {
+ "type": "MtpAlerts",
+ "value": [
+ "AzureAdvancedThreatProtection",
+ "MicrosoftCloudAppSecurity",
+ "MicrosoftThreatProtection",
+ "OfficeATP",
+ "MicrosoftDefenderAdvancedThreatProtection",
+ "AzureActiveDirectory",
+ "OfficeIRM"
+ ]
+ },
{
"type": "IsConnectedQuery",
"value": [
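Review bot: The added `MtpAlerts` criterion lists seven alert providers (`AzureActiveDirectory`, `OfficeIRM`, `MicrosoftCloudAppSecurity`, ...), and nothing in this hunk says whether entries in `connectivityCriterias` are evaluated as any-match or all-match; if the evaluator requires every listed provider to have produced alerts, tenants without, for example, Insider Risk Management alerts would see the XDR connector reported as disconnected even though `MicrosoftThreatProtection` alerts are flowing. Please confirm the semantics and, if it is all-match, trim the list to the providers every XDR tenant is guaranteed to have. Note this is additive (the existing criterion above and `IsConnectedQuery` below are kept), unlike the in-place replacement done for the MDI connector in the same change; the XDR release notes, which are not part of this chunk, should record the 3.0.12 reason.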
diff --git a/Solutions/Microsoft Defender XDR/Package/3.0.12.zip b/Solutions/Microsoft Defender XDR/Package/3.0.12.zip
new file mode 100644
index 00000000000..1da88e7039a
Binary files /dev/null and b/Solutions/Microsoft Defender XDR/Package/3.0.12.zip differ
diff --git a/Solutions/Microsoft Defender XDR/Package/mainTemplate.json b/Solutions/Microsoft Defender XDR/Package/mainTemplate.json
index a04f31732aa..5cf19400b12 100644
--- a/Solutions/Microsoft Defender XDR/Package/mainTemplate.json
+++ b/Solutions/Microsoft Defender XDR/Package/mainTemplate.json
@@ -57,7 +57,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Microsoft Defender XDR",
- "_solutionVersion": "3.0.11",
+ "_solutionVersion": "3.0.12",
"solutionId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "MicrosoftThreatProtection",
@@ -1185,7 +1185,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Microsoft Defender XDR data connector with template version 3.0.11",
+ "description": "Microsoft Defender XDR data connector with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -1248,6 +1248,18 @@
"MicrosoftThreatProtection"
]
},
+ {
+ "type": "MtpAlerts",
+ "value": [
+ "AzureAdvancedThreatProtection",
+ "MicrosoftCloudAppSecurity",
+ "MicrosoftThreatProtection",
+ "OfficeATP",
+ "MicrosoftDefenderAdvancedThreatProtection",
+ "AzureActiveDirectory",
+ "OfficeIRM"
+ ]
+ },
{
"type": "IsConnectedQuery",
"value": [
@@ -1603,6 +1615,18 @@
"MicrosoftThreatProtection"
]
},
+ {
+ "type": "MtpAlerts",
+ "value": [
+ "AzureAdvancedThreatProtection",
+ "MicrosoftCloudAppSecurity",
+ "MicrosoftThreatProtection",
+ "OfficeATP",
+ "MicrosoftDefenderAdvancedThreatProtection",
+ "AzureActiveDirectory",
+ "OfficeIRM"
+ ]
+ },
{
"type": "IsConnectedQuery",
"value": [
@@ -1662,7 +1686,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PossiblePhishingwithCSL&NetworkSession_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "PossiblePhishingwithCSL&NetworkSession_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -1904,7 +1928,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SUNSPOTHashes_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "SUNSPOTHashes_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -2034,7 +2058,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PotentialBuildProcessCompromiseMDE_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "PotentialBuildProcessCompromiseMDE_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -2160,7 +2184,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SolarWinds_TEARDROP_Process-IOCs_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "SolarWinds_TEARDROP_Process-IOCs_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -2306,7 +2330,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SolarWinds_SUNBURST_Network-IOCs_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "SolarWinds_SUNBURST_Network-IOCs_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -2470,7 +2494,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -2616,7 +2640,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AVdetectionsrelatedtoUkrainebasedthreats_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "AVdetectionsrelatedtoUkrainebasedthreats_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -2728,7 +2752,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AVTarrask_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "AVTarrask_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -2849,7 +2873,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AVSpringShell_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "AVSpringShell_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -2970,7 +2994,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PossibleWebpBufferOverflow_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "PossibleWebpBufferOverflow_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
@@ -3157,7 +3181,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DeimosComponentExecution_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "DeimosComponentExecution_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]",
@@ -3273,7 +3297,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ImminentRansomware_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "ImminentRansomware_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]",
@@ -3379,7 +3403,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MaliciousCMDExecutionByJava_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "MaliciousCMDExecutionByJava_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]",
@@ -3491,7 +3515,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "C2-NamedPipe_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "C2-NamedPipe_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]",
@@ -3603,7 +3627,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DoppelPaymerProcDump_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "DoppelPaymerProcDump_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]",
@@ -3715,7 +3739,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LSASSCredDumpProcdump_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "LSASSCredDumpProcdump_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]",
@@ -3827,7 +3851,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DoppelpaymerStopService_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "DoppelpaymerStopService_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]",
@@ -3941,7 +3965,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "QakbotCampaignSelfDeletion_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "QakbotCampaignSelfDeletion_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]",
@@ -4053,7 +4077,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Regsvr32Rundll32ImageLoadsAbnormalExtension_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "Regsvr32Rundll32ImageLoadsAbnormalExtension_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]",
@@ -4198,7 +4222,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Regsvr32Rundll32WithAnomalousParentProcess_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "Regsvr32Rundll32WithAnomalousParentProcess_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]",
@@ -4343,7 +4367,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SuspiciousCommandInitiatedByWebServerProcess_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "SuspiciousCommandInitiatedByWebServerProcess_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]",
@@ -4460,7 +4484,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "BITSAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "BITSAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]",
@@ -4589,7 +4613,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OfficeAppsLaunchingWscript_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "OfficeAppsLaunchingWscript_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]",
@@ -4718,7 +4742,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PotentialKerberoastActivities_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "PotentialKerberoastActivities_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]",
@@ -4850,7 +4874,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "FilesCopiedToUSBDrives_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "FilesCopiedToUSBDrives_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]",
@@ -4989,7 +5013,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MosaicLoader_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "MosaicLoader_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]",
@@ -5114,7 +5138,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AnomalousVoulmeOfFileDeletion_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "AnomalousVoulmeOfFileDeletion_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]",
@@ -5244,7 +5268,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RemoteFileCreationWithPsExec_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "RemoteFileCreationWithPsExec_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]",
@@ -5356,7 +5380,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ServiceAccountsPerformingRemotePS_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "ServiceAccountsPerformingRemotePS_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]",
@@ -5486,7 +5510,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AccountCreation_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "AccountCreation_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]",
@@ -5611,7 +5635,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LocalAdminGroupChanges_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "LocalAdminGroupChanges_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]",
@@ -5741,7 +5765,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RareProcessAsService_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "RareProcessAsService_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]",
@@ -5873,7 +5897,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DisableSecurityServiceViaRegistry_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "DisableSecurityServiceViaRegistry_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]",
@@ -6015,7 +6039,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DataDeletionOnMulipleDrivesUsingCipherExe_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "DataDeletionOnMulipleDrivesUsingCipherExe_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]",
@@ -6127,7 +6151,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LaZagneCredTheft_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "LaZagneCredTheft_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]",
@@ -6252,7 +6276,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LogDeletionUsingWevtutil_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "LogDeletionUsingWevtutil_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]",
@@ -6364,7 +6388,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MultiProcessKillWithTaskKill_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "MultiProcessKillWithTaskKill_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]",
@@ -6476,7 +6500,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PotentialCobaltStrikeRansomwareActivity_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "PotentialCobaltStrikeRansomwareActivity_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]",
@@ -6622,7 +6646,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "QakbotDiscoveryActivities_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "QakbotDiscoveryActivities_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]",
@@ -6738,7 +6762,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ShadowCopyDeletion_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "ShadowCopyDeletion_AnalyticalRules Analytics Rule with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]",
@@ -6880,7 +6904,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Check for spoofing attempts on the domain with Authentication failures_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Check for spoofing attempts on the domain with Authentication failures_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -6965,7 +6989,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Delivered Bad Emails from Top bad IPv4 addresses_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Delivered Bad Emails from Top bad IPv4 addresses_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -7050,7 +7074,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "EmailDelivered-ToInbox_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "EmailDelivered-ToInbox_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -7135,7 +7159,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DeimosComponentExecution_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "DeimosComponentExecution_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -7216,7 +7240,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LemonDuckRegistrationFunction_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "LemonDuckRegistrationFunction_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -7297,7 +7321,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DeviceWithLog4jAlerts_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "DeviceWithLog4jAlerts_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -7378,7 +7402,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Log4jVulnRelatedAlerts_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Log4jVulnRelatedAlerts_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -7459,7 +7483,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MaliciousUseOfMSBuildAsLoLBin_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "MaliciousUseOfMSBuildAsLoLBin_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -7540,7 +7564,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "QakbotReconActivities_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "QakbotReconActivities_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -7621,7 +7645,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "JudgementPandaExfilActivity_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "JudgementPandaExfilActivity_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -7706,7 +7730,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "C2-NamedPipe_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "C2-NamedPipe_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject11').huntingQueryVersion11]",
@@ -7787,7 +7811,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ReconWithRundll_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "ReconWithRundll_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject12').huntingQueryVersion12]",
@@ -7868,7 +7892,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DoppelPaymerProcdump_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "DoppelPaymerProcdump_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject13').huntingQueryVersion13]",
@@ -7949,7 +7973,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LaZagne_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "LaZagne_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject14').huntingQueryVersion14]",
@@ -8030,7 +8054,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LSASSCredDumpProcdump_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "LSASSCredDumpProcdump_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject15').huntingQueryVersion15]",
@@ -8111,7 +8135,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DoppelpaymerStopServices_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "DoppelpaymerStopServices_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject16').huntingQueryVersion16]",
@@ -8192,7 +8216,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "QakbotCampaignSelfDeletion_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "QakbotCampaignSelfDeletion_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject17').huntingQueryVersion17]",
@@ -8273,7 +8297,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SuspiciousCommandInitiatedByWebServerProcess_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "SuspiciousCommandInitiatedByWebServerProcess_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject18').huntingQueryVersion18]",
@@ -8354,7 +8378,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AnomalousPayloadDeliveredWithISOFile_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "AnomalousPayloadDeliveredWithISOFile_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject19').huntingQueryVersion19]",
@@ -8439,7 +8463,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "BitsadminActivity_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "BitsadminActivity_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject20').huntingQueryVersion20]",
@@ -8520,7 +8544,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MaliciousUseOfMSIExec_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "MaliciousUseOfMSIExec_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject21').huntingQueryVersion21]",
@@ -8601,7 +8625,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MaliciousUseOfMsiExecMimikatz_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "MaliciousUseOfMsiExecMimikatz_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject22').huntingQueryVersion22]",
@@ -8682,7 +8706,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OfficeAppsLaunchingWscript_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "OfficeAppsLaunchingWscript_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject23').huntingQueryVersion23]",
@@ -8763,7 +8787,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PowerShellDownloads_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "PowerShellDownloads_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject24').huntingQueryVersion24]",
@@ -8844,7 +8868,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SuspiciousMshtaUsage_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "SuspiciousMshtaUsage_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject25').huntingQueryVersion25]",
@@ -8925,7 +8949,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "FilesCopiedToUSBDrives_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "FilesCopiedToUSBDrives_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject26').huntingQueryVersion26]",
@@ -9006,7 +9030,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SuspiciousDLLInSpoolFolder_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "SuspiciousDLLInSpoolFolder_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject27').huntingQueryVersion27]",
@@ -9087,7 +9111,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SuspiciousFilesInSpoolFolder_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "SuspiciousFilesInSpoolFolder_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject28').huntingQueryVersion28]",
@@ -9168,7 +9192,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SuspiciousSpoolsvChildProcess_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "SuspiciousSpoolsvChildProcess_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject29').huntingQueryVersion29]",
@@ -9249,7 +9273,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CVE-2022-26134-Confluence_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "CVE-2022-26134-Confluence_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject30').huntingQueryVersion30]",
@@ -9334,7 +9358,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MosaicLoader_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "MosaicLoader_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject31').huntingQueryVersion31]",
@@ -9415,7 +9439,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PrintNightmareUsageDetection-CVE-2021-1675_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "PrintNightmareUsageDetection-CVE-2021-1675_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject32').huntingQueryVersion32]",
@@ -9496,7 +9520,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AnomalousVoulmeOfFileDeletion_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "AnomalousVoulmeOfFileDeletion_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject33').huntingQueryVersion33]",
@@ -9577,7 +9601,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DetectMailSniper_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "DetectMailSniper_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject34').huntingQueryVersion34]",
@@ -9658,7 +9682,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AccountBruteForce_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "AccountBruteForce_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject35').huntingQueryVersion35]",
@@ -9735,7 +9759,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ServiceAccountsPerformingRemotePS_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "ServiceAccountsPerformingRemotePS_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject36').huntingQueryVersion36]",
@@ -9816,7 +9840,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LocalAdminGroupChanges_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "LocalAdminGroupChanges_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject37').huntingQueryVersion37]",
@@ -9897,7 +9921,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ScheduledTaskCreation_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "ScheduledTaskCreation_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject38').huntingQueryVersion38]",
@@ -9978,7 +10002,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DetectMultipleSignsOfRamsomwareActivity_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "DetectMultipleSignsOfRamsomwareActivity_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject39').huntingQueryVersion39]",
@@ -10059,7 +10083,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IcedIdSuspiciousImageLoad_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "IcedIdSuspiciousImageLoad_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject40').huntingQueryVersion40]",
@@ -10140,7 +10164,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LogDeletionUsingWevtutil_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "LogDeletionUsingWevtutil_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject41').huntingQueryVersion41]",
@@ -10221,7 +10245,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MultiProcessKillWithTaskKill_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "MultiProcessKillWithTaskKill_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject42').huntingQueryVersion42]",
@@ -10302,7 +10326,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PotentialCobaltStrikeRansomwareActivity_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "PotentialCobaltStrikeRansomwareActivity_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject43').huntingQueryVersion43]",
@@ -10383,7 +10407,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "QakbotDiscoveryActivities_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "QakbotDiscoveryActivities_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject44').huntingQueryVersion44]",
@@ -10464,7 +10488,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ShadowCopyDeletion_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "ShadowCopyDeletion_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject45').huntingQueryVersion45]",
@@ -10549,7 +10573,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TurningOffServicesWithSCCommad_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "TurningOffServicesWithSCCommad_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject46').huntingQueryVersion46]",
@@ -10630,7 +10654,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Detect_CISA_Alert_AA22-117A2021_Top_Routinely_Exploited_Vulnerabilities_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Detect_CISA_Alert_AA22-117A2021_Top_Routinely_Exploited_Vulnerabilities_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject47').huntingQueryVersion47]",
@@ -10711,7 +10735,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PayloadDropUsingCertUtil_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "PayloadDropUsingCertUtil_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject48').huntingQueryVersion48]",
@@ -10792,7 +10816,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ImminentRansomware_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "ImminentRansomware_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject49').huntingQueryVersion49]",
@@ -10873,7 +10897,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RobbinhoodDriver_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "RobbinhoodDriver_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject50').huntingQueryVersion50]",
@@ -10954,7 +10978,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Snip3MaliciousNetworkConnectivity_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Snip3MaliciousNetworkConnectivity_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject51').huntingQueryVersion51]",
@@ -11035,7 +11059,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MaliciousCMDExecutionByJava_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "MaliciousCMDExecutionByJava_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject52').huntingQueryVersion52]",
@@ -11116,7 +11140,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClearSystemLogs_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "ClearSystemLogs_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject53').huntingQueryVersion53]",
@@ -11197,7 +11221,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Regsvr32Rundll32ImageLoadsAbnormalExtension_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Regsvr32Rundll32ImageLoadsAbnormalExtension_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject54').huntingQueryVersion54]",
@@ -11282,7 +11306,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Regsvr32Rundll32WithAnomalousParentProcess_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Regsvr32Rundll32WithAnomalousParentProcess_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject55').huntingQueryVersion55]",
@@ -11367,7 +11391,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "User&GroupEnumWithNetCommand_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "User&GroupEnumWithNetCommand_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject56').huntingQueryVersion56]",
@@ -11444,7 +11468,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PotentialKerberoastActivities_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "PotentialKerberoastActivities_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject57').huntingQueryVersion57]",
@@ -11529,7 +11553,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SuspiciousAppExeutedByWebserver_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "SuspiciousAppExeutedByWebserver_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject58').huntingQueryVersion58]",
@@ -11610,7 +11634,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SuspiciousFileCreationByPrintSpoolerService_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "SuspiciousFileCreationByPrintSpoolerService_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject59').huntingQueryVersion59]",
@@ -11695,7 +11719,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SpoolsvSpawningRundll32_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "SpoolsvSpawningRundll32_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject60').huntingQueryVersion60]",
@@ -11776,7 +11800,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MITRESuspiciousEvents_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "MITRESuspiciousEvents_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject61').huntingQueryVersion61]",
@@ -11853,7 +11877,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RemoteFileCreationWithPsExec_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "RemoteFileCreationWithPsExec_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject62').huntingQueryVersion62]",
@@ -11934,7 +11958,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AccountCreation_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "AccountCreation_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject63').huntingQueryVersion63]",
@@ -12011,7 +12035,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RareProcessAsService_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "RareProcessAsService_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject64').huntingQueryVersion64]",
@@ -12096,7 +12120,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SAMNameChange_CVE-2021-42278_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "SAMNameChange_CVE-2021-42278_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject65').huntingQueryVersion65]",
@@ -12177,7 +12201,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DisableSecurityServiceViaRegistry_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "DisableSecurityServiceViaRegistry_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject66').huntingQueryVersion66]",
@@ -12258,7 +12282,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DomainDiscoveryWMICwithDLLHostExe_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "DomainDiscoveryWMICwithDLLHostExe_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject67').huntingQueryVersion67]",
@@ -12339,7 +12363,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MDEExclusionUsingPowerShell_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "MDEExclusionUsingPowerShell_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject68').huntingQueryVersion68]",
@@ -12420,7 +12444,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DataDeletionOnMulipleDrivesUsingCipherExe_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "DataDeletionOnMulipleDrivesUsingCipherExe_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject69').huntingQueryVersion69]",
@@ -12501,7 +12525,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LaZagneCredTheft_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "LaZagneCredTheft_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject70').huntingQueryVersion70]",
@@ -12582,7 +12606,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ATP policy status check_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "ATP policy status check_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject71').huntingQueryVersion71]",
@@ -12667,7 +12691,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "JNLP attachment_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "JNLP attachment_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject72').huntingQueryVersion72]",
@@ -12752,7 +12776,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Safe attachment detection_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Safe attachment detection_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject73').huntingQueryVersion73]",
@@ -12837,7 +12861,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Authentication failures_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Authentication failures_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject74').huntingQueryVersion74]",
@@ -12922,7 +12946,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Spoof attempts with auth failure_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Spoof attempts with auth failure_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject75').huntingQueryVersion75]",
@@ -13007,7 +13031,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Audit Email Preview-Download action_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Audit Email Preview-Download action_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject76').huntingQueryVersion76]",
@@ -13092,7 +13116,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Hunt for TABL changes_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Hunt for TABL changes_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject77').huntingQueryVersion77]",
@@ -13177,7 +13201,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Local time to UTC time conversion_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Local time to UTC time conversion_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject78').huntingQueryVersion78]",
@@ -13262,7 +13286,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MDO daily detection summary report_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "MDO daily detection summary report_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject79').huntingQueryVersion79]",
@@ -13347,7 +13371,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Mail item accessed_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Mail item accessed_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject80').huntingQueryVersion80]",
@@ -13432,7 +13456,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Malicious email senders_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Malicious email senders_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject81').huntingQueryVersion81]",
@@ -13517,7 +13541,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "New TABL Items_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "New TABL Items_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject82').huntingQueryVersion82]",
@@ -13602,7 +13626,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Emails containing links to IP addresses_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Emails containing links to IP addresses_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject83').huntingQueryVersion83]",
@@ -13687,7 +13711,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Good emails from senders with bad patterns_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Good emails from senders with bad patterns_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject84').huntingQueryVersion84]",
@@ -13772,7 +13796,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Hunt for email conversation take over attempts_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Hunt for email conversation take over attempts_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject85').huntingQueryVersion85]",
@@ -13857,7 +13881,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Hunt for malicious URLs using external IOC source_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Hunt for malicious URLs using external IOC source_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject86').huntingQueryVersion86]",
@@ -13942,7 +13966,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Hunt for malicious attachments using external IOC source_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Hunt for malicious attachments using external IOC source_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject87').huntingQueryVersion87]",
@@ -14027,7 +14051,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Inbox rule change which forward-redirect email_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Inbox rule change which forward-redirect email_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject88').huntingQueryVersion88]",
@@ -14112,7 +14136,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MDO_CountOfRecipientsEmailaddressbySubject_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "MDO_CountOfRecipientsEmailaddressbySubject_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject89').huntingQueryVersion89]",
@@ -14197,7 +14221,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MDO_CountOfSendersEmailaddressbySubject_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "MDO_CountOfSendersEmailaddressbySubject_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject90').huntingQueryVersion90]",
@@ -14282,7 +14306,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MDO_Countofrecipientsemailaddressesbysubject_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "MDO_Countofrecipientsemailaddressesbysubject_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject91').huntingQueryVersion91]",
@@ -14367,7 +14391,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MDO_SummaryOfSenders_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "MDO_SummaryOfSenders_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject92').huntingQueryVersion92]",
@@ -14452,7 +14476,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MDO_URLClickedinEmail_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "MDO_URLClickedinEmail_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject93').huntingQueryVersion93]",
@@ -14537,7 +14561,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Detections by detection methods_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Detections by detection methods_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject94').huntingQueryVersion94]",
@@ -14622,7 +14646,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Mail reply to new domain_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Mail reply to new domain_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject95').huntingQueryVersion95]",
@@ -14707,7 +14731,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Mailflow by directionality_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Mailflow by directionality_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject96').huntingQueryVersion96]",
@@ -14792,7 +14816,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Malicious emails detected per day_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Malicious emails detected per day_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject97').huntingQueryVersion97]",
@@ -14877,7 +14901,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Sender recipient contact establishment_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Sender recipient contact establishment_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject98').huntingQueryVersion98]",
@@ -14962,7 +14986,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Top 100 malicious email senders_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Top 100 malicious email senders_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject99').huntingQueryVersion99]",
@@ -15047,7 +15071,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Top 100 senders_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Top 100 senders_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject100').huntingQueryVersion100]",
@@ -15132,7 +15156,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Zero day threats_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Zero day threats_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject101').huntingQueryVersion101]",
@@ -15217,7 +15241,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Email containing malware accessed on a unmanaged device_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Email containing malware accessed on a unmanaged device_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject102').huntingQueryVersion102]",
@@ -15302,7 +15326,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Email containing malware sent by an internal sender_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Email containing malware sent by an internal sender_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject103').huntingQueryVersion103]",
@@ -15387,7 +15411,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Email malware detection report_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Email malware detection report_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject104').huntingQueryVersion104]",
@@ -15472,7 +15496,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Malware detections by detection methods_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Malware detections by detection methods_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject105').huntingQueryVersion105]",
@@ -15557,7 +15581,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Admin overrides_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Admin overrides_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject106').huntingQueryVersion106]",
@@ -15642,7 +15666,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Top policies performing admin overrides_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Top policies performing admin overrides_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject107').huntingQueryVersion107]",
@@ -15727,7 +15751,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Top policies performing user overrides_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Top policies performing user overrides_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject108').huntingQueryVersion108]",
@@ -15812,7 +15836,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "User overrides_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "User overrides_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject109').huntingQueryVersion109]",
@@ -15897,7 +15921,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Appspot phishing abuse_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Appspot phishing abuse_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject110').huntingQueryVersion110]",
@@ -15982,7 +16006,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PhishDetectionByDetectionMethod_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "PhishDetectionByDetectionMethod_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject111').huntingQueryVersion111]",
@@ -16067,7 +16091,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Campaign with randomly named attachments_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Campaign with randomly named attachments_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject112').huntingQueryVersion112]",
@@ -16152,7 +16176,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Campaign with suspicious keywords_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Campaign with suspicious keywords_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject113').huntingQueryVersion113]",
@@ -16237,7 +16261,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Custom detection-Emails with QR from non-prevalent senders_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Custom detection-Emails with QR from non-prevalent senders_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject114').huntingQueryVersion114]",
@@ -16322,7 +16346,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Emails delivered having URLs from QR codes_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Emails delivered having URLs from QR codes_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject115').huntingQueryVersion115]",
@@ -16407,7 +16431,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Emails with QR codes and suspicious keywords in subject_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Emails with QR codes and suspicious keywords in subject_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject116').huntingQueryVersion116]",
@@ -16492,7 +16516,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Emails with QR codes from non-prevalent sender_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Emails with QR codes from non-prevalent sender_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject117').huntingQueryVersion117]",
@@ -16577,7 +16601,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Hunting for sender patterns_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Hunting for sender patterns_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject118').huntingQueryVersion118]",
@@ -16662,7 +16686,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Hunting for user signals-clusters_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Hunting for user signals-clusters_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject119').huntingQueryVersion119]",
@@ -16747,7 +16771,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Inbound emails with QR code URLs_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Inbound emails with QR code URLs_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject120').huntingQueryVersion120]",
@@ -16832,7 +16856,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Personalized campaigns based on the first few keywords_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Personalized campaigns based on the first few keywords_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject121').huntingQueryVersion121]",
@@ -16917,7 +16941,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Personalized campaigns based on the last few keywords_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Personalized campaigns based on the last few keywords_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject122').huntingQueryVersion122]",
@@ -17002,7 +17026,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Risky sign-in attempt from a non-managed device_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Risky sign-in attempt from a non-managed device_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject123').huntingQueryVersion123]",
@@ -17087,7 +17111,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Suspicious sign-in attempts from QR code phishing campaigns_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Suspicious sign-in attempts from QR code phishing campaigns_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject124').huntingQueryVersion124]",
@@ -17172,7 +17196,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Group quarantine release_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Group quarantine release_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject125').huntingQueryVersion125]",
@@ -17257,7 +17281,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "High Confidence Phish Released_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "High Confidence Phish Released_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject126').huntingQueryVersion126]",
@@ -17342,7 +17366,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Quarantine Release Email Details_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Quarantine Release Email Details_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject127').huntingQueryVersion127]",
@@ -17427,7 +17451,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Quarantine release trend_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Quarantine release trend_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject128').huntingQueryVersion128]",
@@ -17512,7 +17536,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Email remediation action list_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Email remediation action list_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject129').huntingQueryVersion129]",
@@ -17597,7 +17621,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Display Name - Spoof and Impersonation_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Display Name - Spoof and Impersonation_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject130').huntingQueryVersion130]",
@@ -17682,7 +17706,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Referral phish emails_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Referral phish emails_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject131').huntingQueryVersion131]",
@@ -17767,7 +17791,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Spoof and impersonation detections by sender IP_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Spoof and impersonation detections by sender IP_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject132').huntingQueryVersion132]",
@@ -17852,7 +17876,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Spoof and impersonation phish detections_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Spoof and impersonation phish detections_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject133').huntingQueryVersion133]",
@@ -17937,7 +17961,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "User not covered under display name impersonation_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "User not covered under display name impersonation_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject134').huntingQueryVersion134]",
@@ -18022,7 +18046,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Admin reported submissions_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Admin reported submissions_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject135').huntingQueryVersion135]",
@@ -18107,7 +18131,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Status of submissions_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Status of submissions_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject136').huntingQueryVersion136]",
@@ -18192,7 +18216,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Top submitters of admin submissions_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Top submitters of admin submissions_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject137').huntingQueryVersion137]",
@@ -18277,7 +18301,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Top submitters of user submissions_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Top submitters of user submissions_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject138').huntingQueryVersion138]",
@@ -18362,7 +18386,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "User reported submissions_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "User reported submissions_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject139').huntingQueryVersion139]",
@@ -18447,7 +18471,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Attacked more than x times average_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Attacked more than x times average_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject140').huntingQueryVersion140]",
@@ -18532,7 +18556,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Malicious mails by sender IPs_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Malicious mails by sender IPs_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject141').huntingQueryVersion141]",
@@ -18617,7 +18641,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Top 10 URL domains attacking organization_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Top 10 URL domains attacking organization_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject142').huntingQueryVersion142]",
@@ -18702,7 +18726,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Top 10 percent of most attacked users_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Top 10 percent of most attacked users_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject143').huntingQueryVersion143]",
@@ -18787,7 +18811,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Top external malicious senders_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Top external malicious senders_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject144').huntingQueryVersion144]",
@@ -18872,7 +18896,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Top targeted users_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Top targeted users_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject145').huntingQueryVersion145]",
@@ -18957,7 +18981,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "End user malicious clicks_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "End user malicious clicks_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject146').huntingQueryVersion146]",
@@ -19042,7 +19066,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "URL click count by click action_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "URL click count by click action_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject147').huntingQueryVersion147]",
@@ -19127,7 +19151,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "URL click on ZAP Email_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "URL click on ZAP Email_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject148').huntingQueryVersion148]",
@@ -19212,7 +19236,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "URL clicks actions by URL_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "URL clicks actions by URL_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject149').huntingQueryVersion149]",
@@ -19297,7 +19321,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "URLClick details based on malicious URL click alert_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "URLClick details based on malicious URL click alert_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject150').huntingQueryVersion150]",
@@ -19382,7 +19406,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "User clicked through events_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "User clicked through events_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject151').huntingQueryVersion151]",
@@ -19467,7 +19491,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "User clicks on malicious inbound emails_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "User clicks on malicious inbound emails_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject152').huntingQueryVersion152]",
@@ -19552,7 +19576,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "User clicks on phishing URLs in emails_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "User clicks on phishing URLs in emails_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject153').huntingQueryVersion153]",
@@ -19637,7 +19661,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Phishing Email Url Redirector_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Phishing Email Url Redirector_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject154').huntingQueryVersion154]",
@@ -19722,7 +19746,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SafeLinks URL detections_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "SafeLinks URL detections_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject155').huntingQueryVersion155]",
@@ -19807,7 +19831,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Total ZAP count_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Total ZAP count_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject156').huntingQueryVersion156]",
@@ -19892,7 +19916,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Automated email notifications and suspicious sign-in activity_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Automated email notifications and suspicious sign-in activity_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject157').huntingQueryVersion157]",
@@ -19977,7 +20001,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Files share contents and suspicious sign-in activity_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Files share contents and suspicious sign-in activity_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject158').huntingQueryVersion158]",
@@ -20062,7 +20086,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "BEC - File sharing tactics - OneDrive or SharePoint_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "BEC - File sharing tactics - OneDrive or SharePoint_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject159').huntingQueryVersion159]",
@@ -20147,7 +20171,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "BEC - File sharing tactics - Dropbox_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "BEC - File sharing tactics - Dropbox_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject160').huntingQueryVersion160]",
@@ -20232,7 +20256,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Email bombing_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "Email bombing_HuntingQueries Hunting Query with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject161').huntingQueryVersion161]",
@@ -20313,7 +20337,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MicrosoftDefenderForOffice365detectionsandinsights Workbook with template version 3.0.11",
+ "description": "MicrosoftDefenderForOffice365detectionsandinsights Workbook with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -20417,7 +20441,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MicrosoftDefenderForEndPoint Workbook with template version 3.0.11",
+ "description": "MicrosoftDefenderForEndPoint Workbook with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion2')]",
@@ -20492,7 +20516,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MicrosoftDefenderForIdentity Workbook with template version 3.0.11",
+ "description": "MicrosoftDefenderForIdentity Workbook with template version 3.0.12",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion3')]",
@@ -20584,7 +20608,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.11",
+ "version": "3.0.12",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Microsoft Defender XDR",
diff --git a/Solutions/Microsoft Defender XDR/ReleaseNotes.md b/Solutions/Microsoft Defender XDR/ReleaseNotes.md
index 5ec83e0edd9..081805d5852 100644
--- a/Solutions/Microsoft Defender XDR/ReleaseNotes.md
+++ b/Solutions/Microsoft Defender XDR/ReleaseNotes.md
@@ -1,14 +1,15 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------------------------------------------------|
+| 3.0.12 | 07-04-2025 | Updated ConnectivityCriteria Type in **Data Connector**. |
| 3.0.11 | 16-12-2024 | Updated **Analytic Rule** LocalAdminGroupChanges.yaml.
Updated **Workbook**. |
-| 3.0.10 | 25-10-2024 | Added New **Hunting Queries** |
-| 3.0.9 | 20-09-2024 | Added New **Hunting Queries** |
-| 3.0.8 | 10-06-2024 | Added missing AMA **Data Connector** reference in **Analytic rules** |
-| 3.0.7 | 29-05-2024 | Updated **Analytic Rule** PossiblePhishingwithCSL&NetworkSession.yaml |
-| 3.0.6 | 13-05-2024 | Updated queried to use Signinlogs table |
-| 3.0.5 | 06-05-2024 | To correct erroneous entity mapping |
-| 3.0.4 | 08-04-2024 | Added in FullName and IPAddress mappings where needed |
-| 3.0.3 | 21-03-2024 | Increased **Analytic rule** coverage |
-| 3.0.2 | 04-12-2023 | Added UrlClickEvents datatype to the solution |
+| 3.0.10 | 25-10-2024 | Added New **Hunting Queries**. |
+| 3.0.9 | 20-09-2024 | Added New **Hunting Queries**. |
+| 3.0.8 | 10-06-2024 | Added missing AMA **Data Connector** reference in **Analytic rules**. |
+| 3.0.7 | 29-05-2024 | Updated **Analytic Rule** PossiblePhishingwithCSL&NetworkSession.yaml. |
+| 3.0.6 | 13-05-2024 | Updated queried to use Signinlogs table. |
+| 3.0.5 | 06-05-2024 | To correct erroneous entity mapping. |
+| 3.0.4 | 08-04-2024 | Added in FullName and IPAddress mappings where needed. |
+| 3.0.3 | 21-03-2024 | Increased **Analytic rule** coverage. |
+| 3.0.2 | 04-12-2023 | Added UrlClickEvents datatype to the solution. |
| 3.0.1 | 12-10-2023 | Solution name changed from **Microsoft 365 Defender** to **Microsoft Defender XDR**. |
| 3.0.0 | 26-07-2023 | Updated **Workbook** template to remove unused variables. |
diff --git a/Solutions/Microsoft Defender for Cloud Apps/Data Connectors/MicrosoftCloudAppSecurity.JSON b/Solutions/Microsoft Defender for Cloud Apps/Data Connectors/MicrosoftCloudAppSecurity.JSON
index e189c05d05d..f6066963cf9 100644
--- a/Solutions/Microsoft Defender for Cloud Apps/Data Connectors/MicrosoftCloudAppSecurity.JSON
+++ b/Solutions/Microsoft Defender for Cloud Apps/Data Connectors/MicrosoftCloudAppSecurity.JSON
@@ -35,7 +35,7 @@
],
"connectivityCriterias": [
{
- "type": "SentinelKinds",
+ "type": "MtpAlerts",
"value": [
"MicrosoftCloudAppSecurity"
]
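Review bot: The connectivity probe type changes at the `"type"` line, but the connector's own content version is not bumped anywhere visible — the packaged template later in this same diff still carries `"dataConnectorVersion1": "1.0.0"` as an unchanged context line — so workspaces that already installed the solution may not be offered the updated connector template; bump it (for example `"dataConnectorVersion1": "1.0.1"`, in whichever source the packaging tool reads it from) and confirm the Cloud Apps ReleaseNotes.md, which the new UI description now links to, records this change the way the Defender XDR notes in this commit do. The `"value"` list keeps `MicrosoftCloudAppSecurity`; if `MtpAlerts` keys on a different identifier than `SentinelKinds` did, the check will never match, so verify the connector status actually turns green against a tenant with Defender for Cloud Apps alerts flowing. This criterion only drives the connected/disconnected indicator, not ingestion, and a persistent false "disconnected" is exactly the kind of signal operators learn to ignore.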
diff --git a/Solutions/Microsoft Defender for Cloud Apps/Package/3.0.0.zip b/Solutions/Microsoft Defender for Cloud Apps/Package/3.0.0.zip
new file mode 100644
index 00000000000..91cb6780e0b
Binary files /dev/null and b/Solutions/Microsoft Defender for Cloud Apps/Package/3.0.0.zip differ
diff --git a/Solutions/Microsoft Defender for Cloud Apps/Package/createUiDefinition.json b/Solutions/Microsoft Defender for Cloud Apps/Package/createUiDefinition.json
index e6cc1937d98..e75a794e137 100644
--- a/Solutions/Microsoft Defender for Cloud Apps/Package/createUiDefinition.json
+++ b/Solutions/Microsoft Defender for Cloud Apps/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Microsoft Defender for Cloud Apps](https://docs.microsoft.com/defender-cloud-apps/) solution for Microsoft Sentinel enables you to ingest security alerts and discovery logs from the Defender for Cloud Apps platform, providing visibility into threats in your cloud app environment, including coverage for shadow IT, impossible travel, ransomware, and data exfiltration use cases.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20for%20Cloud%20Apps/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Microsoft Defender for Cloud Apps](https://docs.microsoft.com/defender-cloud-apps/) solution for Microsoft Sentinel enables you to ingest security alerts and discovery logs from the Defender for Cloud Apps platform, providing visibility into threats in your cloud app environment, including coverage for shadow IT, impossible travel, ransomware, and data exfiltration use cases.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -60,11 +60,11 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This solution installs the data connector for ingesting Microsoft Defender for Cloud Apps logs into Microsoft Sentinel, using Codeless Connector Platform and Native Sentinel Polling. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for Microsoft Defender for Cloud Apps. You can get Microsoft Defender for Cloud Apps custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
- "name": "dataconnectors-link2",
+ "name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
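Review bot: The replacement `"text"` under `dataconnectors1-text` tells the user the connector delivers "custom log data", which contradicts the solution description in this same file ("ingest security alerts and discovery logs") and drops the accurate note that ingestion uses native Sentinel polling; the old wording was the more precise one. If this string is emitted by the packaging tool, fix the generator input rather than the output; otherwise restore something like `"text": "This Solution installs the data connector for Microsoft Defender for Cloud Apps, which ingests security alerts and discovery logs into your Microsoft Sentinel workspace using native Sentinel polling. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."`. The rename from `dataconnectors-link2` to `dataconnectors-link1` should be checked against the rest of the elements array, which lies outside this hunk, so that no sibling element already uses `dataconnectors-link1`.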
diff --git a/Solutions/Microsoft Defender for Cloud Apps/Package/mainTemplate.json b/Solutions/Microsoft Defender for Cloud Apps/Package/mainTemplate.json
index a47259f8dfe..86c6cb4b8ca 100644
--- a/Solutions/Microsoft Defender for Cloud Apps/Package/mainTemplate.json
+++ b/Solutions/Microsoft Defender for Cloud Apps/Package/mainTemplate.json
@@ -38,59 +38,48 @@
}
},
"variables": {
- "solutionId": "azuresentinel.azure-sentinel-solution-microsoftdefendercloudapps",
- "_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
- "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_solutionName": "Microsoft Defender for Cloud Apps",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "azuresentinel.azure-sentinel-solution-microsoftdefendercloudapps",
+ "_solutionId": "[variables('solutionId')]",
"uiConfigId1": "MicrosoftCloudAppSecurity",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "MicrosoftCloudAppSecurity",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"workbookVersion1": "1.2.0",
"workbookContentId1": "MicrosoftCloudAppSecurityWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
- "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
"_workbookContentId1": "[variables('workbookContentId1')]",
- "analyticRuleVersion1": "1.0.3",
- "analyticRulecontentId1": "b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d",
- "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
- "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
- "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]"
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
+ "analyticRuleObject1": {
+ "analyticRuleVersion1": "1.0.3",
+ "_analyticRulecontentId1": "b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d')]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d')))]",
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d','-', '1.0.3')))]"
+ },
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
- "properties": {
- "description": "Microsoft Defender for Cloud Apps data connector with template",
- "displayName": "Microsoft Defender for Cloud Apps template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Microsoft Defender for Cloud Apps data connector with template version 2.0.2",
+ "description": "Microsoft Defender for Cloud Apps data connector with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -123,7 +112,7 @@
],
"connectivityCriterias": [
{
- "type": "SentinelKinds",
+ "type": "MtpAlerts",
"value": [
"MicrosoftCloudAppSecurity"
]
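Review bot: The `connectivityCriterias` entry in this hunk switches `type` from `SentinelKinds` to `MtpAlerts` while keeping the same `value` list (`MicrosoftCloudAppSecurity`), and nothing on the page records why the kind changed or whether `MtpAlerts` evaluates that value the same way; the release-notes entry only says "Updated ConnectivityCriteria Type". Since this criterion is what the connector page uses to report the connector as connected, a semantic difference would surface as a wrong connection status rather than a deployment error, which is hard to notice after rollout. A release-note line such as `| 3.0.0 | 07-04-2025 | Updated ConnectivityCriteria Type in **Data Connector** from SentinelKinds to MtpAlerts (<reason: placeholder>). |` would give operators something to check against. The same swap appears in the second connector copy later in this file and in the Defender for Office 365 and Microsoft Entra ID Protection connector files and templates in this diff; one explanation covering all of them is enough.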
@@ -144,7 +133,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
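Review bot: The nested `Microsoft.OperationalInsights/workspaces/providers/metadata` resource here moves to `apiVersion` `2023-04-01-preview`, but the equivalent nested metadata resources for the workbook and the analytics rule later in this file stay at `2022-01-01-preview`, so one template now addresses the same resource type through two preview API versions. Preview versions can be retired or change shape independently, so pinning all three to one version avoids that drift and makes future bumps a single search-and-replace. The hunk looks like packaging-tool output, so the fix probably belongs in the generator rather than a hand edit of this mainTemplate.json.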
@@ -169,12 +158,23 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "Microsoft Defender for Cloud Apps",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
@@ -237,7 +237,7 @@
],
"connectivityCriterias": [
{
- "type": "SentinelKinds",
+ "type": "MtpAlerts",
"value": [
"MicrosoftCloudAppSecurity"
]
@@ -248,33 +248,15 @@
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('workbookTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
- "properties": {
- "description": "Microsoft Defender for Cloud Apps Workbook with template",
- "displayName": "Microsoft Defender for Cloud Apps workbook template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MicrosoftCloudAppSecurityWorkbook with template version 2.0.2",
+ "description": "MicrosoftCloudAppSecurity Workbook with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -288,7 +270,7 @@
"kind": "shared",
"apiVersion": "2021-08-01",
"metadata": {
- "description": "Using this workbook, you can identify which cloud apps are being used in your organization, gain insights from usage trends and drill down to a specific user and application"
+ "description": "Using this workbook, you can identify which cloud apps are being used in your organization, gain insights from usage trends and drill down to a specific user and application."
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
@@ -303,7 +285,7 @@
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
"properties": {
- "description": "@{workbookKey=MicrosoftCloudAppSecurityWorkbook; logoFileName=Microsoft_logo.svg; description=Using this workbook, you can identify which cloud apps are being used in your organization, gain insights from usage trends and drill down to a specific user and application; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.2.0; title=Microsoft Cloud App Security - discovery logs; templateRelativePath=MicrosoftCloudAppSecurity.json; subtitle=; provider=Microsoft}.description",
+ "description": "@{workbookKey=MicrosoftCloudAppSecurityWorkbook; logoFileName=Microsoft_logo.svg; description=Using this workbook, you can identify which cloud apps are being used in your organization, gain insights from usage trends and drill down to a specific user and application.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.2.0; title=Microsoft Cloud App Security - discovery logs; templateRelativePath=MicrosoftCloudAppSecurity.json; subtitle=; provider=Microsoft}.description",
"parentId": "[variables('workbookId1')]",
"contentId": "[variables('_workbookContentId1')]",
"kind": "Workbook",
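Review bot: The `description` property of the workbook metadata resource in this hunk is still a serialized PowerShell hashtable followed by a literal `.description` suffix (`@{workbookKey=...; provider=Microsoft}.description`), and the commit only adds a trailing period inside it instead of fixing the value. This string is user-visible content-hub metadata, so it exposes build-tool internals (template path, logo file name, dependency lists rendered as `System.Object[]`) rather than the workbook description; the intended value is the sentence the nested workbook resource earlier in this file already carries: `"description": "Using this workbook, you can identify which cloud apps are being used in your organization, gain insights from usage trends and drill down to a specific user and application."`. The Defender for Office 365 mainTemplate.json hunk further down in this diff has the same defect and now appends `support=; author=; source=; categories=` to the dump, which suggests the packaging script is stringifying the workbook metadata object instead of reading its `description` member.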
@@ -339,47 +321,40 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('analyticRuleTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Microsoft Defender for Cloud Apps Analytics Rule 1 with template",
- "displayName": "Microsoft Defender for Cloud Apps Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AdditionalFilesUploadedByActor_AnalyticalRules Analytics Rule with template version 2.0.2",
+ "description": "AdditionalFilesUploadedByActor_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion1')]",
+ "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId1')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -415,8 +390,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "AttackerIP"
+ "columnName": "AttackerIP",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -424,12 +399,12 @@
{
"fieldMappings": [
{
- "identifier": "Algorithm",
- "columnName": "HashAlgorithm"
+ "columnName": "HashAlgorithm",
+ "identifier": "Algorithm"
},
{
- "identifier": "Value",
- "columnName": "LinkedMaliciousFileHash"
+ "columnName": "LinkedMaliciousFileHash",
+ "identifier": "Value"
}
],
"entityType": "FileHash"
@@ -440,13 +415,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
"properties": {
"description": "Microsoft Defender for Cloud Apps Analytics Rule 1",
- "parentId": "[variables('analyticRuleId1')]",
- "contentId": "[variables('_analyticRulecontentId1')]",
+ "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion1')]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"source": {
"kind": "Solution",
"name": "Microsoft Defender for Cloud Apps",
@@ -465,17 +440,35 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Linked Malicious Storage Artifacts",
+ "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "2.0.2",
+ "version": "3.0.0",
"kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Microsoft Defender for Cloud Apps",
+ "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Microsoft Defender for Cloud Apps solution for Microsoft Sentinel enables you to ingest security alerts and discovery logs from the Defender for Cloud Apps platform, providing visibility into threats in your cloud app environment, including coverage for shadow IT, impossible travel, ransomware, and data exfiltration use cases.
\nData Connectors: 1, Workbooks: 1, Analytic Rules: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "
",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
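Review bot: The `contentPackages` resource in this hunk raises `version` from `2.0.2` to `3.0.0` and `contentSchemaVersion` from `2.0.0` to `3.0.0`, and the other hunks in this file replace the `Microsoft.Resources/templateSpecs` resources with `Microsoft.OperationalInsights/workspaces/providers/contentTemplates`, yet the new ReleaseNotes.md added in this diff lists only "Updated ConnectivityCriteria Type in Data Connector" for 3.0.0. The schema migration is what makes this a major-version change and it alters how the content is installed and updated in a workspace, so the release-notes entry should say so, e.g. `| 3.0.0 | 07-04-2025 | Migrated solution to content schema 3.0.0 (templateSpecs replaced by contentTemplates); updated ConnectivityCriteria Type in **Data Connector**. |`. The `descriptionHtml` in this hunk also tells users to review the release notes before installing, so that file is where operators will look for this information.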
@@ -508,8 +501,8 @@
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId1')]",
- "version": "[variables('analyticRuleVersion1')]"
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
}
]
},
diff --git a/Solutions/Microsoft Defender for Cloud Apps/Package/testParameters.json b/Solutions/Microsoft Defender for Cloud Apps/Package/testParameters.json
new file mode 100644
index 00000000000..e744a76b7a3
--- /dev/null
+++ b/Solutions/Microsoft Defender for Cloud Apps/Package/testParameters.json
@@ -0,0 +1,32 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Microsoft Cloud App Security - discovery logs",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
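Review bot: The `workspace` parameter in this new file has `"defaultValue": ""` and no `minLength`, while `location` and `workbook1-name` both carry `"minLength": 1`, so an empty workspace name passes parameter validation and only fails later inside the `resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace'))` expressions the templates in this diff build from it. Adding `"minLength": 1,` next to `"type": "string"` makes the requirement explicit; the same applies to `workspace-location` if an empty region is never valid here, which the `location` description suggests but does not state. The `workspace` block also lists `defaultValue` before `type`, unlike the other three parameters; a uniform key order keeps diffs across solutions readable. Whether this file is consumed only by arm-ttk or is also copied into mainTemplate.json is not visible here.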
diff --git a/Solutions/Microsoft Defender for Cloud Apps/ReleaseNotes.md b/Solutions/Microsoft Defender for Cloud Apps/ReleaseNotes.md
new file mode 100644
index 00000000000..d0b09ab8804
--- /dev/null
+++ b/Solutions/Microsoft Defender for Cloud Apps/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|----------------------------------------|
+| 3.0.0 | 07-04-2025 | Updated ConnectivityCriteria Type in **Data Connector**. |
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender for Office 365/Data Connectors/template_OfficeATP.json b/Solutions/Microsoft Defender for Office 365/Data Connectors/template_OfficeATP.json
index 6672bbbab70..aad6c6c32eb 100644
--- a/Solutions/Microsoft Defender for Office 365/Data Connectors/template_OfficeATP.json
+++ b/Solutions/Microsoft Defender for Office 365/Data Connectors/template_OfficeATP.json
@@ -19,7 +19,7 @@
],
"connectivityCriterias": [
{
- "type": "SentinelKinds",
+ "type": "MtpAlerts",
"value": [
"OfficeATP"
]
diff --git a/Solutions/Microsoft Defender for Office 365/Data/Solution_MicrosoftDefenderforOffice365.json b/Solutions/Microsoft Defender for Office 365/Data/Solution_MicrosoftDefenderforOffice365.json
index 444a2df51ea..599a3404695 100644
--- a/Solutions/Microsoft Defender for Office 365/Data/Solution_MicrosoftDefenderforOffice365.json
+++ b/Solutions/Microsoft Defender for Office 365/Data/Solution_MicrosoftDefenderforOffice365.json
@@ -2,7 +2,7 @@
"Name": "Microsoft Defender for Office 365",
"Author": "Microsoft - support@microsoft.com",
"Logo": "
",
- "Description": "The [Microsoft Defender for Office 365](https://www.microsoft.com/security/business/threat-protection/office-365-defender) solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Office 365 platform, providing visibility into threats within email messages, links (URLs) and collaboration tools.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform/Native Sentinel Polling](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal)",
+ "Description": "The [Microsoft Defender for Office 365](https://www.microsoft.com/security/business/threat-protection/office-365-defender) solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Office 365 platform, providing visibility into threats within email messages, links (URLs) and collaboration tools.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform/Native Microsoft Sentinel Polling](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal)",
"Data Connectors": [
"Solutions/Microsoft Defender for Office 365/Data Connectors/template_OfficeATP.json"
],
diff --git a/Solutions/Microsoft Defender for Office 365/Package/3.0.3.zip b/Solutions/Microsoft Defender for Office 365/Package/3.0.3.zip
new file mode 100644
index 00000000000..f8ce53e2160
Binary files /dev/null and b/Solutions/Microsoft Defender for Office 365/Package/3.0.3.zip differ
diff --git a/Solutions/Microsoft Defender for Office 365/Package/createUiDefinition.json b/Solutions/Microsoft Defender for Office 365/Package/createUiDefinition.json
index dff5156b48f..d3dc0252186 100644
--- a/Solutions/Microsoft Defender for Office 365/Package/createUiDefinition.json
+++ b/Solutions/Microsoft Defender for Office 365/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20for%20Office%20365/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution.\n\nThe [Microsoft Defender for Office 365](https://www.microsoft.com/security/business/threat-protection/office-365-defender) solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Office 365 platform, providing visibility into threats within email messages, links (URLs) and collaboration tools.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform/Native Microsoft Sentinel Polling](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Function Apps:** 1, **Playbooks:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20for%20Office%20365/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Microsoft Defender for Office 365](https://www.microsoft.com/security/business/threat-protection/office-365-defender) solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Office 365 platform, providing visibility into threats within email messages, links (URLs) and collaboration tools.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform/Native Microsoft Sentinel Polling](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Function Apps:** 1, **Playbooks:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
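Review bot: The Release Notes link in the new `description` changes from `blob/master/.../ReleaseNotes.md` to `tree/master/.../ReleaseNotes.md`; GitHub redirects `tree` to `blob` for file paths so it still resolves, but `blob` is the canonical URL for a file and is what the previous text used, so the change adds a redirect without a visible benefit. Keeping `https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20for%20Office%20365/ReleaseNotes.md` avoids depending on that redirect behaviour.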
@@ -60,11 +60,11 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This solution installs the data connector for ingesting Microsoft Defender for Office 365 logs into Microsoft Sentinel, using Codeless Connector Platform and Native Microsoft Sentinel Polling. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for Microsoft Defender for Office 365. You can get Microsoft Defender for Office 365 custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
- "name": "dataconnectors-link2",
+ "name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
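Review bot: The replacement `text` for `dataconnectors1-text` in this hunk describes the connector as delivering "Microsoft Defender for Office 365 custom log data", which contradicts the solution's own `Description` earlier in this diff (it names the Codeless Connector Platform/Native Microsoft Sentinel Polling as the underlying technology) and drops the more accurate sentence the old line had. Unless the connector has really moved to a custom-log ingestion path, which nothing on the page indicates, the previous wording should be kept: `"text": "This solution installs the data connector for ingesting Microsoft Defender for Office 365 logs into Microsoft Sentinel, using Codeless Connector Platform and Native Microsoft Sentinel Polling. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."`. The element rename from `dataconnectors-link2` to `dataconnectors-link1` in the same hunk is fine as long as no other element in this createUiDefinition already uses that name, which is not visible here.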
diff --git a/Solutions/Microsoft Defender for Office 365/Package/mainTemplate.json b/Solutions/Microsoft Defender for Office 365/Package/mainTemplate.json
index ef4c7659e38..4a74bdc2964 100644
--- a/Solutions/Microsoft Defender for Office 365/Package/mainTemplate.json
+++ b/Solutions/Microsoft Defender for Office 365/Package/mainTemplate.json
@@ -41,7 +41,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Microsoft Defender for Office 365",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
"solutionId": "azuresentinel.azure-sentinel-solution-microsoftdefenderforo365",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "OfficeATP",
@@ -121,7 +121,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Microsoft Defender for Office 365 data connector with template version 3.0.2",
+ "description": "Microsoft Defender for Office 365 data connector with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -149,7 +149,7 @@
],
"connectivityCriterias": [
{
- "type": "SentinelKinds",
+ "type": "MtpAlerts",
"value": [
"OfficeATP"
]
@@ -261,7 +261,7 @@
],
"connectivityCriterias": [
{
- "type": "SentinelKinds",
+ "type": "MtpAlerts",
"value": [
"OfficeATP"
]
@@ -280,7 +280,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MicrosoftDefenderForOffice365 Workbook with template version 3.0.2",
+ "description": "MicrosoftDefenderForOffice365 Workbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -309,7 +309,7 @@
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
"properties": {
- "description": "@{workbookKey=MicrosoftDefenderForOffice365; logoFileName=office365_logo.svg; description=Gain insights into your Microsoft Defender for Office 365 raw data logs. This workbook lets you look at trends in email senders, attachments and embedded URL data to find anomalies. You can also search by, sender, recipient, subject, attachment or embedded URL to find where the related messages have been sent.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Microsoft Defender For Office 365; templateRelativePath=MicrosoftDefenderForOffice365.json; subtitle=; provider=Microsoft Sentinel Community}.description",
+ "description": "@{workbookKey=MicrosoftDefenderForOffice365; logoFileName=office365_logo.svg; description=Gain insights into your Microsoft Defender for Office 365 raw data logs. This workbook lets you look at trends in email senders, attachments and embedded URL data to find anomalies. You can also search by, sender, recipient, subject, attachment or embedded URL to find where the related messages have been sent.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Microsoft Defender For Office 365; templateRelativePath=MicrosoftDefenderForOffice365.json; subtitle=; provider=Microsoft Sentinel Community; support=; author=; source=; categories=}.description",
"parentId": "[variables('workbookId1')]",
"contentId": "[variables('_workbookContentId1')]",
"kind": "Workbook",
@@ -372,7 +372,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "O365_Defender_FunctionAppConnector Playbook with template version 3.0.2",
+ "description": "O365_Defender_FunctionAppConnector Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@@ -547,7 +547,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "o365-BlockMalwareFileExtension Playbook with template version 3.0.2",
+ "description": "o365-BlockMalwareFileExtension Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@@ -1252,7 +1252,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "o365-BlockSender Playbook with template version 3.0.2",
+ "description": "o365-BlockSender Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
@@ -1883,7 +1883,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "o365-BlockSender-EntityTrigger Playbook with template version 3.0.2",
+ "description": "o365-BlockSender-EntityTrigger Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
@@ -2390,7 +2390,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "o365-BlockSpamDomain Playbook with template version 3.0.2",
+ "description": "o365-BlockSpamDomain Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion5')]",
@@ -3296,7 +3296,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "o365-DeleteMaliciousInboxRule Playbook with template version 3.0.2",
+ "description": "o365-DeleteMaliciousInboxRule Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion6')]",
@@ -4041,12 +4041,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Microsoft Defender for Office 365",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Microsoft Defender for Office 365 solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Office 365 platform, providing visibility into threats within email messages, links (URLs) and collaboration tools.
\nUnderlying Microsoft Technologies used:
\nThis solution is dependent on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\n- Codeless Connector Platform/Native Sentinel Polling
\n
\nData Connectors: 1, Workbooks: 1, Function Apps: 1, Playbooks: 5
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Microsoft Defender for Office 365 solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Office 365 platform, providing visibility into threats within email messages, links (URLs) and collaboration tools.
\nUnderlying Microsoft Technologies used:
\nThis solution is dependent on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\n- Codeless Connector Platform/Native Microsoft Sentinel Polling
\n
\nData Connectors: 1, Workbooks: 1, Function Apps: 1, Playbooks: 5
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
diff --git a/Solutions/Microsoft Defender for Office 365/ReleaseNotes.md b/Solutions/Microsoft Defender for Office 365/ReleaseNotes.md
index af0a42980a8..8bc0b1f0429 100644
--- a/Solutions/Microsoft Defender for Office 365/ReleaseNotes.md
+++ b/Solutions/Microsoft Defender for Office 365/ReleaseNotes.md
@@ -1,6 +1,7 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------------|
+| 3.0.3 | 07-04-2025 | Updated ConnectivityCriteria Type in **Data Connector**. |
| 3.0.2 | 24-04-2024 | Updated link for **Custom Connector** redirection in playbooks |
| 3.0.1 | 29-09-2023 | 1 new **Playbook** added to the solution |
| 3.0.0 | 11-07-2023 | 4 new **Playbooks** added to the solution |
-| | | 1 **Custom Connector** added as a pre-requisite for playbooks deployment |
+| | | 1 **Custom Connector** added as a pre-requisite for playbooks deployment |
\ No newline at end of file
diff --git a/Solutions/Microsoft Entra ID Protection/Data Connectors/template_AzureActiveDirectoryIdentityProtection.JSON b/Solutions/Microsoft Entra ID Protection/Data Connectors/template_AzureActiveDirectoryIdentityProtection.JSON
index 587c95dd315..8a8a4fc90ee 100644
--- a/Solutions/Microsoft Entra ID Protection/Data Connectors/template_AzureActiveDirectoryIdentityProtection.JSON
+++ b/Solutions/Microsoft Entra ID Protection/Data Connectors/template_AzureActiveDirectoryIdentityProtection.JSON
@@ -26,7 +26,7 @@
],
"connectivityCriterias": [
{
- "type": "SentinelKinds",
+ "type": "MtpAlerts",
"value": [
"AzureActiveDirectory"
]
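Review bot: The only change here is the criterion type, while the `value` array keeps the data connector kind name `AzureActiveDirectory`; nothing in the diff or the release note shows that `MtpAlerts` consumes the same value vocabulary that `SentinelKinds` did, so the connector's connected/disconnected indicator could stop matching without any deployment error. Operators rely on that indicator to notice a broken alert feed, so the release-note entry should at least record what was changed and why, e.g. `| 3.0.2 | 07-04-2025 | Updated ConnectivityCriteria Type from SentinelKinds to MtpAlerts in **Data Connector** (connected-status check now based on alert ingestion). |`, with the second clause adjusted to whatever was actually verified. The same type swap is made in mainTemplate.json (@@ -134 and @@ -246), in the MicrosoftDefenderForEndpoint connector template (@@ -20) and mainTemplate.json (@@ -294 and @@ -406), and in template_OfficeIRM.JSON (@@ -22). The enclosing connectivityCriterias object starts before this hunk.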
diff --git a/Solutions/Microsoft Entra ID Protection/Package/3.0.2.zip b/Solutions/Microsoft Entra ID Protection/Package/3.0.2.zip
new file mode 100644
index 00000000000..52c47960400
Binary files /dev/null and b/Solutions/Microsoft Entra ID Protection/Package/3.0.2.zip differ
diff --git a/Solutions/Microsoft Entra ID Protection/Package/createUiDefinition.json b/Solutions/Microsoft Entra ID Protection/Package/createUiDefinition.json
index 998d41ea454..c9a81b85689 100644
--- a/Solutions/Microsoft Entra ID Protection/Package/createUiDefinition.json
+++ b/Solutions/Microsoft Entra ID Protection/Package/createUiDefinition.json
@@ -64,7 +64,7 @@
}
},
{
- "name": "dataconnectors-link2",
+ "name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
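Review bot: Renaming the TextBlock to `dataconnectors-link1` is only safe if no sibling element in the same step already carries that name; element names must be unique within a createUiDefinition step, and the element whose closing braces open this hunk is not visible, so the diff alone cannot confirm there is no collision. If the new name comes from the packaging tool's regenerated numbering this is fine, but if it was hand-edited the full `elements` array should be checked before merging. The same rename appears in the MicrosoftDefenderForEndpoint (@@ -71) and MicrosoftPurviewInsiderRiskManagement (@@ -64) createUiDefinition.json hunks. The enclosing elements array starts and ends outside this hunk.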
diff --git a/Solutions/Microsoft Entra ID Protection/Package/mainTemplate.json b/Solutions/Microsoft Entra ID Protection/Package/mainTemplate.json
index 752a9b4fca8..a25f47eb4da 100644
--- a/Solutions/Microsoft Entra ID Protection/Package/mainTemplate.json
+++ b/Solutions/Microsoft Entra ID Protection/Package/mainTemplate.json
@@ -33,7 +33,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Microsoft Entra ID Protection",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
"solutionId": "azuresentinel.azure-sentinel-solution-azureactivedirectoryip",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "AzureActiveDirectoryIdentityProtection",
@@ -106,7 +106,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Microsoft Entra ID Protection data connector with template version 3.0.1",
+ "description": "Microsoft Entra ID Protection data connector with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -134,7 +134,7 @@
],
"connectivityCriterias": [
{
- "type": "SentinelKinds",
+ "type": "MtpAlerts",
"value": [
"AzureActiveDirectory"
]
@@ -246,7 +246,7 @@
],
"connectivityCriterias": [
{
- "type": "SentinelKinds",
+ "type": "MtpAlerts",
"value": [
"AzureActiveDirectory"
]
@@ -265,7 +265,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CorrelateIPC_Unfamiliar-Atypical_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "CorrelateIPC_Unfamiliar-Atypical_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -293,16 +293,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AzureActiveDirectoryIdentityProtection",
"dataTypes": [
"SecurityAlert (IPC)"
- ],
- "connectorId": "AzureActiveDirectoryIdentityProtection"
+ ]
},
{
+ "connectorId": "BehaviorAnalytics",
"dataTypes": [
"IdentityInfo"
- ],
- "connectorId": "BehaviorAnalytics"
+ ]
}
],
"tactics": [
@@ -358,16 +358,16 @@
}
],
"customDetails": {
- "PreviousIPAddress": "PreviousIPAddress",
- "PreviousLocation": "PreviousLocation",
- "Alert1_Severity": "Alert_UnfamiliarSignInProps_Severity",
"Alert2_Severity": "Alert_AtypicalTravels_Severity",
+ "Alert1_Severity": "Alert_UnfamiliarSignInProps_Severity",
+ "PreviousIPAddress": "PreviousIPAddress",
+ "Alert2_Time": "Alert_AtypicalTravels_Time",
"Alert1_Name": "Alert_UnfamiliarSignInProps_Name",
"Alert2_Name": "Alert_AtypicalTravels_Name",
+ "PreviousLocation": "PreviousLocation",
"CurrentIPAddress": "CurrentIPAddress",
- "CurrentLocation": "CurrentLocation",
- "Alert2_Time": "Alert_AtypicalTravels_Time",
"TimeDelta": "TimeDelta",
+ "CurrentLocation": "CurrentLocation",
"Alert1_Time": "Alert_UnfamiliarSignInProps_Time"
}
}
@@ -423,7 +423,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Confirm-EntraIDRiskyUser-Alert Playbook with template version 3.0.1",
+ "description": "Confirm-EntraIDRiskyUser-Alert Playbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@@ -727,7 +727,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Confirm-EntraIDRiskyUser-Incident Playbook with template version 3.0.1",
+ "description": "Confirm-EntraIDRiskyUser-Incident Playbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@@ -1016,7 +1016,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Dismiss-EntraIDRiskyUser-UserAlert Playbook with template version 3.0.1",
+ "description": "Dismiss-EntraIDRiskyUser-UserAlert Playbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
@@ -1326,7 +1326,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Dismiss-EntraIDRiskyUser-UserIncident Playbook with template version 3.0.1",
+ "description": "Dismiss-EntraIDRiskyUser-UserIncident Playbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
@@ -1615,7 +1615,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IdentityProtection-ResponseFromTeams Playbook with template version 3.0.1",
+ "description": "IdentityProtection-ResponseFromTeams Playbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion5')]",
@@ -2284,7 +2284,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Microsoft Entra ID Protection",
diff --git a/Solutions/Microsoft Entra ID Protection/ReleaseNotes.md b/Solutions/Microsoft Entra ID Protection/ReleaseNotes.md
index 792337a3e25..8754636dae1 100644
--- a/Solutions/Microsoft Entra ID Protection/ReleaseNotes.md
+++ b/Solutions/Microsoft Entra ID Protection/ReleaseNotes.md
@@ -1,8 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.2 | 07-04-2025 | Updated ConnectivityCriteria Type in **Data Connector**. |
| 3.0.1 | 01-18-2024 | Updated mapping in **Analytic Rule** for better correlation |
-| 3.0.0 | 09-11-2023 | Changes for rebranding from Azure Active Directory Identity Protection to Microsoft Entra ID Protection |
-
-
-
-
+| 3.0.0 | 09-11-2023 | Changes for rebranding from Azure Active Directory Identity Protection to Microsoft Entra ID Protection |
\ No newline at end of file
diff --git a/Solutions/MicrosoftDefenderForEndpoint/Data Connectors/template_MicrosoftDefenderAdvancedThreatProtection.JSON b/Solutions/MicrosoftDefenderForEndpoint/Data Connectors/template_MicrosoftDefenderAdvancedThreatProtection.JSON
index 824a2e0059a..0a2747ae6a2 100644
--- a/Solutions/MicrosoftDefenderForEndpoint/Data Connectors/template_MicrosoftDefenderAdvancedThreatProtection.JSON
+++ b/Solutions/MicrosoftDefenderForEndpoint/Data Connectors/template_MicrosoftDefenderAdvancedThreatProtection.JSON
@@ -20,7 +20,7 @@
"isConnectivityCriteriasMatchSome": true,
"connectivityCriterias": [
{
- "type": "SentinelKinds",
+ "type": "MtpAlerts",
"value": [
"MicrosoftDefenderAdvancedThreatProtection"
]
diff --git a/Solutions/MicrosoftDefenderForEndpoint/Package/3.0.4.zip b/Solutions/MicrosoftDefenderForEndpoint/Package/3.0.4.zip
new file mode 100644
index 00000000000..7d66cbeea61
Binary files /dev/null and b/Solutions/MicrosoftDefenderForEndpoint/Package/3.0.4.zip differ
diff --git a/Solutions/MicrosoftDefenderForEndpoint/Package/createUiDefinition.json b/Solutions/MicrosoftDefenderForEndpoint/Package/createUiDefinition.json
index 8b3bddd59d1..37e9520e926 100644
--- a/Solutions/MicrosoftDefenderForEndpoint/Package/createUiDefinition.json
+++ b/Solutions/MicrosoftDefenderForEndpoint/Package/createUiDefinition.json
@@ -71,7 +71,7 @@
}
},
{
- "name": "dataconnectors-link2",
+ "name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
diff --git a/Solutions/MicrosoftDefenderForEndpoint/Package/mainTemplate.json b/Solutions/MicrosoftDefenderForEndpoint/Package/mainTemplate.json
index 42a7eceba97..8900cb44fe8 100644
--- a/Solutions/MicrosoftDefenderForEndpoint/Package/mainTemplate.json
+++ b/Solutions/MicrosoftDefenderForEndpoint/Package/mainTemplate.json
@@ -33,7 +33,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "MicrosoftDefenderForEndpoint",
- "_solutionVersion": "3.0.3",
+ "_solutionVersion": "3.0.4",
"solutionId": "azuresentinel.azure-sentinel-solution-microsoftdefenderendpoint",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "MicrosoftDefenderAdvancedThreatProtection",
@@ -266,7 +266,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MicrosoftDefenderForEndpoint data connector with template version 3.0.3",
+ "description": "MicrosoftDefenderForEndpoint data connector with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -294,7 +294,7 @@
],
"connectivityCriterias": [
{
- "type": "SentinelKinds",
+ "type": "MtpAlerts",
"value": [
"MicrosoftDefenderAdvancedThreatProtection"
]
@@ -406,7 +406,7 @@
],
"connectivityCriterias": [
{
- "type": "SentinelKinds",
+ "type": "MtpAlerts",
"value": [
"MicrosoftDefenderAdvancedThreatProtection"
]
@@ -425,7 +425,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AquaBlizzardAVHits_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "AquaBlizzardAVHits_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -567,7 +567,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AssignedIPAddress Data Parser with template version 3.0.3",
+ "description": "AssignedIPAddress Data Parser with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -699,7 +699,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Devicefromip Data Parser with template version 3.0.3",
+ "description": "Devicefromip Data Parser with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject2').parserVersion2]",
@@ -831,7 +831,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MDE_Usage_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "MDE_Usage_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -916,7 +916,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MDE_Process-IOCs_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "MDE_Process-IOCs_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -997,7 +997,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Isolate-MDEMachine Playbook with template version 3.0.3",
+ "description": "Isolate-MDEMachine Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@@ -1323,7 +1323,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Isolate-MDEMachine Playbook with template version 3.0.3",
+ "description": "Isolate-MDEMachine Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@@ -1632,7 +1632,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Restrict-MDEAppExecution Playbook with template version 3.0.3",
+ "description": "Restrict-MDEAppExecution Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
@@ -1957,7 +1957,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Restrict-MDEAppExecution Playbook with template version 3.0.3",
+ "description": "Restrict-MDEAppExecution Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
@@ -2265,7 +2265,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Restrict-MDEDomain Playbook with template version 3.0.3",
+ "description": "Restrict-MDEDomain Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion5')]",
@@ -2684,7 +2684,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Restrict-MDEDomain Playbook with template version 3.0.3",
+ "description": "Restrict-MDEDomain Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion6')]",
@@ -2934,7 +2934,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Restrict-MDEFileHash Playbook with template version 3.0.3",
+ "description": "Restrict-MDEFileHash Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion7')]",
@@ -3237,7 +3237,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Restrict-MDEFileHash Playbook with template version 3.0.3",
+ "description": "Restrict-MDEFileHash Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion8')]",
@@ -3523,7 +3523,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Restrict-MDEIpAddress Playbook with template version 3.0.3",
+ "description": "Restrict-MDEIpAddress Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion9')]",
@@ -3792,7 +3792,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Restrict-MDEIpAddress Playbook with template version 3.0.3",
+ "description": "Restrict-MDEIpAddress Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion10')]",
@@ -4044,7 +4044,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Restrict-MDEUrl Playbook with template version 3.0.3",
+ "description": "Restrict-MDEUrl Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion11')]",
@@ -4313,7 +4313,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Restrict-MDEUrl Playbook with template version 3.0.3",
+ "description": "Restrict-MDEUrl Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion12')]",
@@ -4565,7 +4565,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Run-MDEAntivirus Playbook with template version 3.0.3",
+ "description": "Run-MDEAntivirus Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion13')]",
@@ -5003,7 +5003,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Run-MDEAntivirus Playbook with template version 3.0.3",
+ "description": "Run-MDEAntivirus Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion14')]",
@@ -5400,7 +5400,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Unisolate-MDEMachine Playbook with template version 3.0.3",
+ "description": "Unisolate-MDEMachine Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion15')]",
@@ -5725,7 +5725,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Unisolate-MDEMachine Playbook with template version 3.0.3",
+ "description": "Unisolate-MDEMachine Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion16')]",
@@ -6033,7 +6033,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Restrict-MDEDomain-entityTrigger Playbook with template version 3.0.3",
+ "description": "Restrict-MDEDomain-entityTrigger Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion17')]",
@@ -6270,7 +6270,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Restrict-MDEFileHash-entityTrigger Playbook with template version 3.0.3",
+ "description": "Restrict-MDEFileHash-entityTrigger Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion18')]",
@@ -6565,7 +6565,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Restrict-MDEIP-entityTrigger Playbook with template version 3.0.3",
+ "description": "Restrict-MDEIP-entityTrigger Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion19')]",
@@ -6805,7 +6805,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Restrict-MDEUrl-entityTrigger Playbook with template version 3.0.3",
+ "description": "Restrict-MDEUrl-entityTrigger Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion20')]",
@@ -7042,7 +7042,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Isolate-MDE-Machine-entityTrigger Playbook with template version 3.0.3",
+ "description": "Isolate-MDE-Machine-entityTrigger Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion21')]",
@@ -7299,7 +7299,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Unisolate-MDE-Machine-entityTrigger Playbook with template version 3.0.3",
+ "description": "Unisolate-MDE-Machine-entityTrigger Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion22')]",
@@ -7551,7 +7551,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.3",
+ "version": "3.0.4",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "MicrosoftDefenderForEndpoint",
diff --git a/Solutions/MicrosoftDefenderForEndpoint/ReleaseNotes.md b/Solutions/MicrosoftDefenderForEndpoint/ReleaseNotes.md
index a0672dd86a6..8df609948ac 100644
--- a/Solutions/MicrosoftDefenderForEndpoint/ReleaseNotes.md
+++ b/Solutions/MicrosoftDefenderForEndpoint/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
+| 3.0.4 | 07-04-2025 | Updated ConnectivityCriteria Type in **Data Connector**. |
| 3.0.3 | 26-07-2024 | Updated **Analytical Rule** for missing TTP |
| 3.0.2 | 08-07-2024 | Corrected UI changes in **Playbook's** metadata |
| 3.0.1 | 24-11-2023 | Entities has been mapped for **Playbooks** |
diff --git a/Solutions/MicrosoftPurviewInsiderRiskManagement/Data Connectors/template_OfficeIRM.JSON b/Solutions/MicrosoftPurviewInsiderRiskManagement/Data Connectors/template_OfficeIRM.JSON
index 4e7a325e43e..efabad03ec0 100644
--- a/Solutions/MicrosoftPurviewInsiderRiskManagement/Data Connectors/template_OfficeIRM.JSON
+++ b/Solutions/MicrosoftPurviewInsiderRiskManagement/Data Connectors/template_OfficeIRM.JSON
@@ -22,7 +22,7 @@
],
"connectivityCriterias": [
{
- "type": "SentinelKinds",
+ "type": "MtpAlerts",
"value": [
"OfficeIRM"
]
diff --git a/Solutions/MicrosoftPurviewInsiderRiskManagement/Package/3.0.6.zip b/Solutions/MicrosoftPurviewInsiderRiskManagement/Package/3.0.6.zip
new file mode 100644
index 00000000000..97a279309fb
Binary files /dev/null and b/Solutions/MicrosoftPurviewInsiderRiskManagement/Package/3.0.6.zip differ
diff --git a/Solutions/MicrosoftPurviewInsiderRiskManagement/Package/createUiDefinition.json b/Solutions/MicrosoftPurviewInsiderRiskManagement/Package/createUiDefinition.json
index 8636675b8a7..77b34345cba 100644
--- a/Solutions/MicrosoftPurviewInsiderRiskManagement/Package/createUiDefinition.json
+++ b/Solutions/MicrosoftPurviewInsiderRiskManagement/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MicrosoftPurviewInsiderRiskManagement/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThis solution enables insider risk management teams to investigate risk-based behavior across 25+ Microsoft products. This solution is a better-together story between Microsoft Sentinel and Microsoft Purview Insider Risk Management. The solution includes the Insider Risk Management Workbook, (5) Hunting Queries, (1) Data Connector, (5) Analytics Rules, (1) Playbook automation and the Microsoft Purview Insider Risk Management connector. While only Microsoft Sentinel is required to get started, the solution is enhanced with numerous Microsoft offerings, including, but not limited to:\n\n- [Microsoft Purview Insider Risk Management](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-solution-overview?view=o365-worldwide)\n- [Microsoft Purview Communications Compliance](https://docs.microsoft.com/microsoft-365/compliance/communication-compliance-solution-overview?view=o365-worldwide)\n- [Microsoft Purview Advanced eDiscovery](https://docs.microsoft.com/microsoft-365/compliance/ediscovery?view=o365-worldwide)\n- [Microsoft Purview Defender](https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender?rtc=1)\n- [Microsoft Information Protection](https://docs.microsoft.com/microsoft-365/compliance/information-protection?view=o365-worldwide)\n- [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)\n- [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)\n- [Microsoft Sentinel Notebooks](https://docs.microsoft.com/azure/sentinel/notebooks) [(Bring Your Own Machine 
Learning)](https://docs.microsoft.com/azure/sentinel/bring-your-own-ml)\n- [Microsoft Defender for Endpoint](https://www.microsoft.com/security/business/threat-protection/endpoint-defender?rtc=1)\n- [Microsoft Defender for Identity](https://www.microsoft.com/security/business/threat-protection/identity-defender?rtc=1)\n- [Microsoft Defender for Cloud Apps](https://www.microsoft.com/security/business/cloud-apps-defender?rtc=1)\n- [Microsoft Defender for Office 365](https://www.microsoft.com/security/business/threat-protection/office-365-defender?rtc=1)\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 5, **Hunting Queries:** 5, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MicrosoftPurviewInsiderRiskManagement/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThis solution enables insider risk management teams to investigate risk-based behavior across 25+ Microsoft products. This solution is a better-together story between Microsoft Sentinel and Microsoft Purview Insider Risk Management. The solution includes the Insider Risk Management Workbook, (5) Hunting Queries, (1) Data Connector, (5) Analytics Rules, (1) Playbook automation and the Microsoft Purview Insider Risk Management connector. While only Microsoft Sentinel is required to get started, the solution is enhanced with numerous Microsoft offerings, including, but not limited to:\n\n- [Microsoft Purview Insider Risk Management](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-solution-overview?view=o365-worldwide)\n- [Microsoft Purview Communications Compliance](https://docs.microsoft.com/microsoft-365/compliance/communication-compliance-solution-overview?view=o365-worldwide)\n- [Microsoft Purview Advanced eDiscovery](https://docs.microsoft.com/microsoft-365/compliance/ediscovery?view=o365-worldwide)\n- [Microsoft Purview Defender](https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender?rtc=1)\n- [Microsoft Information Protection](https://docs.microsoft.com/microsoft-365/compliance/information-protection?view=o365-worldwide)\n- [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)\n- [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)\n- [Microsoft Sentinel Notebooks](https://docs.microsoft.com/azure/sentinel/notebooks) [(Bring Your Own Machine 
Learning)](https://docs.microsoft.com/azure/sentinel/bring-your-own-ml)\n- [Microsoft Defender for Endpoint](https://www.microsoft.com/security/business/threat-protection/endpoint-defender?rtc=1)\n- [Microsoft Defender for Identity](https://www.microsoft.com/security/business/threat-protection/identity-defender?rtc=1)\n- [Microsoft Defender for Cloud Apps](https://www.microsoft.com/security/business/cloud-apps-defender?rtc=1)\n- [Microsoft Defender for Office 365](https://www.microsoft.com/security/business/threat-protection/office-365-defender?rtc=1)\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 5, **Hunting Queries:** 5, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
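Review bot: The added description emits the footer `[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)` twice, once right after "single deployment step." and again after the **Data Connectors:** count line, whereas the removed description had it once at the end. This looks like the solution's source description now ends with the footer that the packaging tool appends itself; removing the trailing footer from the source description and regenerating should leave the text ending with the count line followed by a single footer, as the old line did. If the same description is also written into mainTemplate.json (not shown here), that file will need the same regeneration.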
@@ -64,7 +64,7 @@
}
},
{
- "name": "dataconnectors-link2",
+ "name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
diff --git a/Solutions/MicrosoftPurviewInsiderRiskManagement/Package/mainTemplate.json b/Solutions/MicrosoftPurviewInsiderRiskManagement/Package/mainTemplate.json
index 8b4476722ba..e7e289b1ad9 100644
--- a/Solutions/MicrosoftPurviewInsiderRiskManagement/Package/mainTemplate.json
+++ b/Solutions/MicrosoftPurviewInsiderRiskManagement/Package/mainTemplate.json
@@ -41,7 +41,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "MicrosoftPurviewInsiderRiskManagement",
- "_solutionVersion": "3.0.5",
+ "_solutionVersion": "3.0.6",
"solutionId": "azuresentinel.azure-sentinel-solution-insiderriskmanagement",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "1.0.0",
@@ -140,7 +140,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InsiderRiskManagement Workbook with template version 3.0.5",
+ "description": "InsiderRiskManagement Workbook with template version 3.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -244,7 +244,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InsiderRiskHighUserAlertsCorrelation_AnalyticalRules Analytics Rule with template version 3.0.5",
+ "description": "InsiderRiskHighUserAlertsCorrelation_AnalyticalRules Analytics Rule with template version 3.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -324,16 +324,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UPN"
+ "columnName": "UPN",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
],
"entityType": "Account"
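Review bot: This hunk and the eight that follow in this file (at -472, -491, -599, -618, -732, -751, -859 and -878) only reorder object members: every key and value in `fieldMappings` and `incidentConfiguration` is carried over unchanged, and member order carries no meaning for the ARM deployment. The reorder churn buries the one functional change in the file (the `connectivityCriterias` type at -1659 and -1771) and makes the template harder to audit and bisect. Consider regenerating the package with the previous key ordering, or dropping these hunks from the commit, so the diff shows only the intended edit.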
@@ -392,7 +392,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InsiderRiskHighUserIncidentsCorrelation_AnalyticalRules Analytics Rule with template version 3.0.5",
+ "description": "InsiderRiskHighUserIncidentsCorrelation_AnalyticalRules Analytics Rule with template version 3.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -472,16 +472,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UPN"
+ "columnName": "UPN",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
],
"entityType": "Account"
@@ -491,16 +491,16 @@
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
+ "createIncident": true,
"groupingConfiguration": {
+ "matchingMethod": "Selected",
"groupByEntities": [
"Account"
],
- "enabled": true,
+ "lookbackDuration": "3d",
"reopenClosedIncident": true,
- "matchingMethod": "Selected",
- "lookbackDuration": "3d"
- },
- "createIncident": true
+ "enabled": true
+ }
}
}
},
@@ -555,7 +555,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InsiderRiskM365IRMAlertObserved_AnalyticalRules Analytics Rule with template version 3.0.5",
+ "description": "InsiderRiskM365IRMAlertObserved_AnalyticalRules Analytics Rule with template version 3.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -599,16 +599,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserPrincipalName"
+ "columnName": "UserPrincipalName",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
],
"entityType": "Account"
@@ -618,16 +618,16 @@
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
+ "createIncident": true,
"groupingConfiguration": {
+ "matchingMethod": "Selected",
"groupByEntities": [
"Account"
],
- "enabled": true,
+ "lookbackDuration": "3d",
"reopenClosedIncident": true,
- "matchingMethod": "Selected",
- "lookbackDuration": "3d"
- },
- "createIncident": true
+ "enabled": true
+ }
}
}
},
@@ -682,7 +682,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InsiderRiskSensitiveDataAccessOutsideOrgGeo_AnalyticalRules Analytics Rule with template version 3.0.5",
+ "description": "InsiderRiskSensitiveDataAccessOutsideOrgGeo_AnalyticalRules Analytics Rule with template version 3.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -732,16 +732,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserPrincipalName"
+ "columnName": "UserPrincipalName",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
],
"entityType": "Account"
@@ -751,16 +751,16 @@
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
+ "createIncident": true,
"groupingConfiguration": {
+ "matchingMethod": "Selected",
"groupByEntities": [
"Account"
],
- "enabled": true,
+ "lookbackDuration": "3d",
"reopenClosedIncident": true,
- "matchingMethod": "Selected",
- "lookbackDuration": "3d"
- },
- "createIncident": true
+ "enabled": true
+ }
}
}
},
@@ -815,7 +815,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InsiderRiskyAccessByApplication_AnalyticalRules Analytics Rule with template version 3.0.5",
+ "description": "InsiderRiskyAccessByApplication_AnalyticalRules Analytics Rule with template version 3.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -859,16 +859,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserPrincipalName"
+ "columnName": "UserPrincipalName",
+ "identifier": "FullName"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
}
],
"entityType": "Account"
@@ -878,16 +878,16 @@
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
+ "createIncident": true,
"groupingConfiguration": {
+ "matchingMethod": "Selected",
"groupByEntities": [
"Account"
],
- "enabled": true,
+ "lookbackDuration": "3d",
"reopenClosedIncident": true,
- "matchingMethod": "Selected",
- "lookbackDuration": "3d"
- },
- "createIncident": true
+ "enabled": true
+ }
}
}
},
@@ -942,7 +942,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Notify-InsiderRiskTeam Playbook with template version 3.0.5",
+ "description": "Notify-InsiderRiskTeam Playbook with template version 3.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@@ -1206,7 +1206,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InsiderEntityAnomalyFollowedByIRMAlert_HuntingQueries Hunting Query with template version 3.0.5",
+ "description": "InsiderEntityAnomalyFollowedByIRMAlert_HuntingQueries Hunting Query with template version 3.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -1291,7 +1291,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InsiderISPAnomalyCorrelatedToExfiltrationAlert_HuntingQueries Hunting Query with template version 3.0.5",
+ "description": "InsiderISPAnomalyCorrelatedToExfiltrationAlert_HuntingQueries Hunting Query with template version 3.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -1376,7 +1376,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InsiderMultipleEntityAnomalies_HuntingQueries Hunting Query with template version 3.0.5",
+ "description": "InsiderMultipleEntityAnomalies_HuntingQueries Hunting Query with template version 3.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -1461,7 +1461,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InsiderPossibleSabotage_HuntingQueries Hunting Query with template version 3.0.5",
+ "description": "InsiderPossibleSabotage_HuntingQueries Hunting Query with template version 3.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -1546,7 +1546,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InsiderSignInRiskFollowedBySensitiveDataAccessyaml_HuntingQueries Hunting Query with template version 3.0.5",
+ "description": "InsiderSignInRiskFollowedBySensitiveDataAccessyaml_HuntingQueries Hunting Query with template version 3.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -1631,7 +1631,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MicrosoftPurviewInsiderRiskManagement data connector with template version 3.0.5",
+ "description": "MicrosoftPurviewInsiderRiskManagement data connector with template version 3.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -1659,7 +1659,7 @@
],
"connectivityCriterias": [
{
- "type": "SentinelKinds",
+ "type": "MtpAlerts",
"value": [
"OfficeIRM"
]
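Review bot: Both copies of the OfficeIRM connectivity criterion (this hunk and the one at -1771) switch `type` from `SentinelKinds` to `MtpAlerts` while keeping `value` as `["OfficeIRM"]`, and the two copies agree, but mainTemplate.json is a generated package and the hand-maintained connector definition for this solution is not visible in this chunk — if it was not updated with the same edit, the next packaging run will silently revert to `SentinelKinds`. This criterion presumably drives the connector's Connected/Not connected indicator in the portal, so a type or value mismatch would misreport whether Purview IRM alerts are actually arriving, which is exactly the coverage signal analysts rely on the status page for. Please confirm that `OfficeIRM` is the identifier the `MtpAlerts` criterion expects and that the source connector JSON carries the same change.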
@@ -1771,7 +1771,7 @@
],
"connectivityCriterias": [
{
- "type": "SentinelKinds",
+ "type": "MtpAlerts",
"value": [
"OfficeIRM"
]
@@ -1786,7 +1786,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.5",
+ "version": "3.0.6",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "MicrosoftPurviewInsiderRiskManagement",
diff --git a/Solutions/MicrosoftPurviewInsiderRiskManagement/ReleaseNotes.md b/Solutions/MicrosoftPurviewInsiderRiskManagement/ReleaseNotes.md
index 1127a71e6aa..f3a95b98d38 100644
--- a/Solutions/MicrosoftPurviewInsiderRiskManagement/ReleaseNotes.md
+++ b/Solutions/MicrosoftPurviewInsiderRiskManagement/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------------|
+| 3.0.6 | 07-04-2025 | Updated ConnectivityCriteria Type in **Data Connector**. |
| 3.0.5 | 10-04-2024 | Updated Entity Mappings InsiderRiskyAccessByApplication.yaml |
| 3.0.4 | 07-11-2023 | Modified text as there is rebranding from Azure Active Directory to Microsoft Entra ID. |
| 3.0.3 | 10-10-2023 | Updated **Workbook** template to replace the datatype InformationProtectionLogs_CL to MicrosoftPurviewInformationProtection |
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index b7b875eaf34..70ec0b7aba8 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -3024,13 +3024,13 @@
"subtitle": "",
"provider": "Microsoft Sentinel Community",
"support": {
- "tier": "Community"
+ "tier": "Microsoft"
},
"author": {
- "name": "Brian Delaney"
+ "name": "Microsoft"
},
"source": {
- "kind": "Community"
+ "kind": "Microsoft"
},
"categories": {
"domains": [
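Review bot: `provider` on the unchanged line above still reads `"Microsoft Sentinel Community"` while this hunk moves `support.tier`, `author.name` and `source.kind` to `Microsoft`, so the entry now describes itself as both community-provided and Microsoft-owned. If the intent is to reclassify the workbook as Microsoft-maintained, the provider should change in the same commit, e.g. `"provider": "Microsoft"`; if it remains a community workbook that Microsoft merely supports, the `source.kind` change looks wrong instead. The four fields should tell one story, since this metadata is what the gallery surfaces to users deciding whether content is vendor-supported. The enclosing workbook entry starts and ends outside this hunk.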