diff --git a/Solutions/CofenseTriage/Package/3.0.0.zip b/Solutions/CofenseTriage/Package/3.0.0.zip index b9a02a11dcc..8b664cb1f3c 100644 Binary files a/Solutions/CofenseTriage/Package/3.0.0.zip and b/Solutions/CofenseTriage/Package/3.0.0.zip differ diff --git a/Solutions/CofenseTriage/Package/createUiDefinition.json b/Solutions/CofenseTriage/Package/createUiDefinition.json index 85d000b4cdc..2edb86df599 100644 --- a/Solutions/CofenseTriage/Package/createUiDefinition.json +++ b/Solutions/CofenseTriage/Package/createUiDefinition.json @@ -64,7 +64,7 @@ } }, { - "name": "dataconnectors-link2", + "name": "dataconnectors-link1", "type": "Microsoft.Common.TextBlock", "options": { "link": { diff --git a/Solutions/CofenseTriage/Package/mainTemplate.json b/Solutions/CofenseTriage/Package/mainTemplate.json index 47fffb5a090..01b717053e8 100644 --- a/Solutions/CofenseTriage/Package/mainTemplate.json +++ b/Solutions/CofenseTriage/Package/mainTemplate.json @@ -90,7 +90,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"/subscriptions/ec3e5f16-67b5-40aa-9289-23311c95451c\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"# [Cofense Triage Threat Indicators](https://cofense.com/product-services/cofense-triage/)\\n---\\n\\nCofense Triage is a phishing analysis and investigation platform. Cofense Triage ingests employee-reported suspicious emails and automatically analyzes emails to identify phishing threats. Cofense Triage’s API allows security teams to bidirectionally exchange threat indicators and ingest Cofense Triage threat indicators into Microsoft Sentinel. In addition, Microsoft Sentinel can write threat indicators into Cofense Triage.\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Workbook Overview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h),SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":3,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n | where SourceSystem startswith \\\"Cofense :\\\"\\r\\n // latest data of cofense indicator to avoid duplicates\\r\\n | summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Cofense Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| extend external_id = strcat(ExternalIndicatorId, \\\"-\\\", SourceSystem)\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| join Report_links_data_CL on $left.external_id == $right.external_id_s\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| extend [\\\"Threat Indicator Link\\\"] = strcat(\\\"https://reltest6.phishmecloud.com/threat_indicators/\\\", indicator_id_s)\\r\\n| project-rename URL = Url, [\\\"Date [Local Time]\\\"] = updated_at_t, [\\\"Triage Indicator ID\\\"] = indicator_id_s, [\\\"Confidence Score\\\"] = ConfidenceScore, [\\\"Threat Type\\\"] = ThreatType, [\\\"Host Name\\\"] = DomainName, [\\\"File Hash Type\\\"] = FileHashType, [\\\"File Hash Value\\\"] = FileHashValue\\r\\n| project [\\\"Triage Indicator ID\\\"], [\\\"Threat Indicator Link\\\"], [\\\"Confidence Score\\\"], [\\\"Threat Type\\\"], Tags, [\\\"Host Name\\\"], URL, [\\\"File Hash Type\\\"], [\\\"File Hash Value\\\"], [\\\"Date [Local Time]\\\"]\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cofense Threat Indicators Data\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Threat Indicator Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Triage Indicator ID\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Triage Indicator ID\",\"sortOrder\":1}]},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"_If more than one workspace is selected, then the latest updated indicators will be in the above Cofense Threat Indicators Data Grid View._\",\"style\":\"info\"},\"name\":\"text - 7\"}]},\"name\":\"Indicators Ingestion\"}],\"fromTemplateId\":\"sentinel-CofenseTriageThreatIndicators\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"/subscriptions/ec3e5f16-67b5-40aa-9289-23311c95451c\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"# [Cofense Triage Threat Indicators](https://cofense.com/product-services/cofense-triage/)\\n---\\n\\nCofense Triage is a phishing analysis and investigation platform. Cofense Triage ingests employee-reported suspicious emails and automatically analyzes emails to identify phishing threats. Cofense Triage’s API allows security teams to bidirectionally exchange threat indicators and ingest Cofense Triage threat indicators into Microsoft Sentinel. In addition, Microsoft Sentinel can write threat indicators into Cofense Triage.\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Workbook Overview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelIndicatorsv2\\r\\n// Select cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h),SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelIndicatorsv2\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelIndicatorsv2\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelIndicatorsv2\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelIndicatorsv2\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":3,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelIndicatorsv2\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelIndicatorsv2\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelIndicatorsv2\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelIndicatorsv2\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelIndicatorsv2\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelIndicatorsv2\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelIndicatorsv2\\r\\n | where SourceSystem startswith \\\"Cofense :\\\"\\r\\n // latest data of cofense indicator to avoid duplicates\\r\\n | summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Cofense Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelIndicatorsv2\\r\\n| extend external_id = strcat(ExternalIndicatorId, \\\"-\\\", SourceSystem)\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| join Report_links_data_CL on $left.external_id == $right.external_id_s\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| extend [\\\"Threat Indicator Link\\\"] = strcat(\\\"https://reltest6.phishmecloud.com/threat_indicators/\\\", indicator_id_s)\\r\\n| project-rename URL = Url, [\\\"Date [Local Time]\\\"] = updated_at_t, [\\\"Triage Indicator ID\\\"] = indicator_id_s, [\\\"Confidence Score\\\"] = ConfidenceScore, [\\\"Threat Type\\\"] = ThreatType, [\\\"Host Name\\\"] = DomainName, [\\\"File Hash Type\\\"] = FileHashType, [\\\"File Hash Value\\\"] = FileHashValue\\r\\n| project [\\\"Triage Indicator ID\\\"], [\\\"Threat Indicator Link\\\"], [\\\"Confidence Score\\\"], [\\\"Threat Type\\\"], Tags, [\\\"Host Name\\\"], URL, [\\\"File Hash Type\\\"], [\\\"File Hash Value\\\"], [\\\"Date [Local Time]\\\"]\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cofense Threat Indicators Data\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Threat Indicator Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Triage Indicator ID\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Triage Indicator ID\",\"sortOrder\":1}]},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"_If more than one workspace is selected, then the latest updated indicators will be in the above Cofense Threat Indicators Data Grid View._\",\"style\":\"info\"},\"name\":\"text - 7\"}]},\"name\":\"Indicators Ingestion\"}],\"fromTemplateId\":\"sentinel-CofenseTriageThreatIndicators\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" diff --git a/Solutions/CofenseTriage/Workbooks/CofenseTriageThreatIndicators.json b/Solutions/CofenseTriage/Workbooks/CofenseTriageThreatIndicators.json index c9f520949e3..2aca9674193 100644 --- a/Solutions/CofenseTriage/Workbooks/CofenseTriageThreatIndicators.json +++ b/Solutions/CofenseTriage/Workbooks/CofenseTriageThreatIndicators.json @@ -140,7 +140,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n// Select cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h),SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=stacked ", + "query": "ThreatIntelIndicatorsv2\r\n// Select cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h),SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=stacked ", "size": 0, "showAnalytics": true, "title": "Number of Cofense Indicators Imported into Sentinel by Indicator Type and Date", @@ -173,7 +173,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\r\n| render barchart kind=stacked", + "query": "ThreatIntelIndicatorsv2\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\r\n| render barchart kind=stacked", "size": 0, "showAnalytics": true, "title": "Number of Cofense Indicators Imported into Sentinel by Indicator Provider and Date", @@ -192,7 +192,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", + "query": "ThreatIntelIndicatorsv2\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", "size": 0, "showAnalytics": true, "title": "Number of Active Cofense Indicators by Indicator Type", @@ -211,7 +211,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", + "query": "ThreatIntelIndicatorsv2\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", "size": 0, "showAnalytics": true, "title": "Number of Active Cofense Indicators by Indicator Source", @@ -230,7 +230,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\r\n| order by CountOfIndicators desc \r\n| render piechart", + "query": "ThreatIntelIndicatorsv2\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\r\n| order by CountOfIndicators desc \r\n| render piechart", "size": 3, "showAnalytics": true, "title": "Number of Active Cofense Indicators by Confidence Score", @@ -249,7 +249,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let DomainQuery=view() { \r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(DomainName)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"DomainEntry\"\r\n};\r\nlet UrlQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(Url)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"UrlEntry\"\r\n};\r\nlet FileHashQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(FileHashValue)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"FileHashEntry\"\r\n};\r\nlet IPQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"IPEntry\"\r\n};\r\nlet EmailAddressQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSenderAddress)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailAddressEntry\"\r\n};\r\nlet EmailMessageQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSubject)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailMessageEntry\"\r\n};\r\nlet SingleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))==1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1 \r\n};\r\nlet MultipleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))!=1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1\r\n};\r\nlet CountOfActiveIndicatorsBySource=view(){\r\n ThreatIntelligenceIndicator\r\n | where SourceSystem startswith \"Cofense :\"\r\n // latest data of cofense indicator to avoid duplicates\r\n | summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n\t| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n | where ExpirationDateTime > now() and Active == true\r\n | summarize count() by SourceSystem\r\n | project SourceSystem, count_\r\n};\r\nSingleSourceIndicators\r\n| join kind=fullouter MultipleSourceIndicators on counter \r\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \r\n| order by SourceSystemArray\r\n| extend solitary_count=sum_count_\r\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\r\n| extend total_count = shared_count + solitary_count\r\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\r\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\r\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\r\n| order by unique_percentage desc\r\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\r\n\r\n", + "query": "let DomainQuery=view() { \r\nThreatIntelIndicatorsv2\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(DomainName)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"DomainEntry\"\r\n};\r\nlet UrlQuery=view(){\r\nThreatIntelIndicatorsv2\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(Url)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"UrlEntry\"\r\n};\r\nlet FileHashQuery=view(){\r\nThreatIntelIndicatorsv2\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(FileHashValue)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"FileHashEntry\"\r\n};\r\nlet IPQuery=view(){\r\nThreatIntelIndicatorsv2\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"IPEntry\"\r\n};\r\nlet EmailAddressQuery=view(){\r\nThreatIntelIndicatorsv2\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSenderAddress)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailAddressEntry\"\r\n};\r\nlet EmailMessageQuery=view(){\r\nThreatIntelIndicatorsv2\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSubject)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailMessageEntry\"\r\n};\r\nlet SingleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))==1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1 \r\n};\r\nlet MultipleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))!=1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1\r\n};\r\nlet CountOfActiveIndicatorsBySource=view(){\r\n ThreatIntelIndicatorsv2\r\n | where SourceSystem startswith \"Cofense :\"\r\n // latest data of cofense indicator to avoid duplicates\r\n | summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n\t| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n | where ExpirationDateTime > now() and Active == true\r\n | summarize count() by SourceSystem\r\n | project SourceSystem, count_\r\n};\r\nSingleSourceIndicators\r\n| join kind=fullouter MultipleSourceIndicators on counter \r\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \r\n| order by SourceSystemArray\r\n| extend solitary_count=sum_count_\r\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\r\n| extend total_count = shared_count + solitary_count\r\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\r\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\r\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\r\n| order by unique_percentage desc\r\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\r\n\r\n", "size": 0, "showAnalytics": true, "title": "Uniqueness of Cofense Threat Intelligence Sources", @@ -307,7 +307,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n| extend external_id = strcat(ExternalIndicatorId, \"-\", SourceSystem)\r\n// latest data of cofense indicator to avoid duplicates\r\n| join Report_links_data_CL on $left.external_id == $right.external_id_s\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| extend [\"Threat Indicator Link\"] = strcat(\"https://reltest6.phishmecloud.com/threat_indicators/\", indicator_id_s)\r\n| project-rename URL = Url, [\"Date [Local Time]\"] = updated_at_t, [\"Triage Indicator ID\"] = indicator_id_s, [\"Confidence Score\"] = ConfidenceScore, [\"Threat Type\"] = ThreatType, [\"Host Name\"] = DomainName, [\"File Hash Type\"] = FileHashType, [\"File Hash Value\"] = FileHashValue\r\n| project [\"Triage Indicator ID\"], [\"Threat Indicator Link\"], [\"Confidence Score\"], [\"Threat Type\"], Tags, [\"Host Name\"], URL, [\"File Hash Type\"], [\"File Hash Value\"], [\"Date [Local Time]\"]\r\n", + "query": "ThreatIntelIndicatorsv2\r\n| extend external_id = strcat(ExternalIndicatorId, \"-\", SourceSystem)\r\n// latest data of cofense indicator to avoid duplicates\r\n| join Report_links_data_CL on $left.external_id == $right.external_id_s\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| extend [\"Threat Indicator Link\"] = strcat(\"https://reltest6.phishmecloud.com/threat_indicators/\", indicator_id_s)\r\n| project-rename URL = Url, [\"Date [Local Time]\"] = updated_at_t, [\"Triage Indicator ID\"] = indicator_id_s, [\"Confidence Score\"] = ConfidenceScore, [\"Threat Type\"] = ThreatType, [\"Host Name\"] = DomainName, [\"File Hash Type\"] = FileHashType, [\"File Hash Value\"] = FileHashValue\r\n| project [\"Triage Indicator ID\"], [\"Threat Indicator Link\"], [\"Confidence Score\"], [\"Threat Type\"], Tags, [\"Host Name\"], URL, [\"File Hash Type\"], [\"File Hash Value\"], [\"Date [Local Time]\"]\r\n", "size": 0, "showAnalytics": true, "title": "Cofense Threat Indicators Data",