diff --git a/.script/tests/KqlvalidationsTests/CustomTables/ThreatIntelIndicators.json b/.script/tests/KqlvalidationsTests/CustomTables/ThreatIntelIndicators.json
index aa36a2134ae..566c5074f0b 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/ThreatIntelIndicators.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/ThreatIntelIndicators.json
@@ -92,6 +92,18 @@
 {
 "Name": "_ResourceId",
 "Type": "string"
+ },
+ {
+ "Name": "ExpirationDateTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "NetworkIP",
+ "Type": "string"
+ },
+ {
+ "Name": "ThreatType",
+ "Type": "string"
 }
 ]
 }
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_CloudAppEvents_Updated.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_CloudAppEvents_Updated.yaml
index 710d095884f..16d7c60e1d1 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_CloudAppEvents_Updated.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_CloudAppEvents_Updated.yaml
@@ -9,7 +9,7 @@ requiredDataConnectors:
 - CloudAppEvents
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -77,5 +77,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPAddress
-version: 1.0.5
+version: 1.0.6
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_CommonSecurityLog.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_CommonSecurityLog.yaml
index 94d85722a71..1d0d2941ec4 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_CommonSecurityLog.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_CommonSecurityLog.yaml
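Review bot: The three columns added to the ThreatIntelIndicators validation fixture — `ExpirationDateTime`, `NetworkIP` and `ThreatType` — read like column names from the legacy ThreatIntelligenceIndicator table rather than fields of the new ThreatIntelIndicators table, which as far as I recall exposes the same information under different names (for example a validity-end timestamp and a generic observable value/data payload); please confirm each added name against the published schema before merging. If they are not real columns, this fixture change lets analytic rules that still select the legacy columns pass KQL validation against the new table name, so the rules would deploy cleanly and then silently match nothing — exactly the detection gap the rename in the accompanying YAML hunks is meant to surface. The `query:` bodies of the rules are outside every hunk on this page, so I cannot tell from here whether they were migrated along with the `requiredDataConnectors` entries. I would drop any column here that the new table does not actually have, let validation fail, and fix the queries instead, adding a short JSON-adjacent note in the test README stating that this fixture must mirror the live ThreatIntelIndicators schema and must not carry legacy column names.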
@@ -6,13 +6,13 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -72,5 +72,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: PA_Url
-version: 1.4.3
+version: 1.4.4
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_DeviceNetworkEvents_Updated.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_DeviceNetworkEvents_Updated.yaml
index e92819c4397..b07e0442efa 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_DeviceNetworkEvents_Updated.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_DeviceNetworkEvents_Updated.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - DeviceNetworkEvents
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -75,5 +75,5 @@ entityMappings:
 fieldMappings:
 - identifier: CommandLine
 columnName: InitiatingProcessCommandLine
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_DnsEvents.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_DnsEvents.yaml
index 7a4c0faafae..8a59a042a02 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_DnsEvents.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_DnsEvents.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - DnsEvents
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -91,5 +91,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.4.5
+version: 1.4.6
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_EmailEvents_Updated.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_EmailEvents_Updated.yaml
index f18cc696608..ba0194adc34 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_EmailEvents_Updated.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_EmailEvents_Updated.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - EmailEvents
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -60,5 +60,5 @@ entityMappings:
 columnName: Name
 - identifier: UPNSuffix
 columnName: UPNSuffix
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_EmailUrlInfo_Updated.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_EmailUrlInfo_Updated.yaml
index e37ae82f50f..4df47f398d3 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_EmailUrlInfo_Updated.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_EmailUrlInfo_Updated.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - EmailUrlInfo
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -85,5 +85,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_PaloAlto.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_PaloAlto.yaml
index d4d45431a30..31c2e072a9f 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_PaloAlto.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_PaloAlto.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - CommonSecurityLog
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -102,5 +102,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: PA_Url
-version: 1.4.3
+version: 1.4.4
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_SecurityAlert.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_SecurityAlert.yaml
index b02b2ca434a..a8539c20f0a 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_SecurityAlert.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_SecurityAlert.yaml
@@ -6,10 +6,10 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftCloudAppSecurity
 dataTypes:
 - SecurityAlert
@@ -18,7 +18,7 @@ requiredDataConnectors:
 - SecurityAlert
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -80,5 +80,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.4.4
+version: 1.4.5
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_Syslog.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_Syslog.yaml
index 33229ed26bf..f2d2e728aec 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_Syslog.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_Syslog.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - Syslog
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -96,5 +96,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.4.5
+version: 1.4.6
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_imWebSession.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_imWebSession.yaml
index ef366f4a79e..d70b8686b6d 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_imWebSession.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_imWebSession.yaml
@@ -12,13 +12,13 @@ requiredDataConnectors:
 - CommonSecurityLog
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -82,5 +82,5 @@ customDetails:
 alertDetailsOverride:
 alertDisplayNameFormat: A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC
 alertDescriptionFormat: A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{Type}}. Consult the threat intelligence blade for more information on the indicator.
-version: 1.0.9
+version: 1.0.10
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_AzureActivity.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_AzureActivity.yaml
index d9711bdd4ad..962ec2bb0df 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_AzureActivity.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_AzureActivity.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - AzureActivity
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -72,5 +72,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.2.10
+version: 1.2.11
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_CloudAppEvents_Updated.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_CloudAppEvents_Updated.yaml
index cf14608bd55..ad01e1e2507 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_CloudAppEvents_Updated.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_CloudAppEvents_Updated.yaml
@@ -9,7 +9,7 @@ requiredDataConnectors:
 - CloudAppEvents
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -52,5 +52,5 @@ entityMappings:
 columnName: User_Id
 - identifier: UPNSuffix
 columnName: UPNSuffix
-version: 1.0.5
+version: 1.0.6
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_EmailEvents_Updated.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_EmailEvents_Updated.yaml
index 15c8a6f23b0..3740cea6a38 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_EmailEvents_Updated.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_EmailEvents_Updated.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - EmailEvents
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -63,5 +63,5 @@ entityMappings:
 columnName: Name
 - identifier: UPNSuffix
 columnName: UPNSuffix
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_OfficeActivity.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_OfficeActivity.yaml
index 02c3965574c..27bf367752f 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_OfficeActivity.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_OfficeActivity.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - OfficeActivity
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -75,5 +75,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.2.10
+version: 1.2.11
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_PaloAlto.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_PaloAlto.yaml
index b0d0018415e..c007dd0420e 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_PaloAlto.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_PaloAlto.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - CommonSecurityLog
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -71,5 +71,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.2.8
+version: 1.2.9
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_SecurityAlert.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_SecurityAlert.yaml
index fb7e27d7764..acc5f020842 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_SecurityAlert.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_SecurityAlert.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - SecurityAlert
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -80,5 +80,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.2.10
+version: 1.2.11
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_SecurityEvent.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_SecurityEvent.yaml
index 430373b74b0..f9e1187c002 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_SecurityEvent.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_SecurityEvent.yaml
@@ -6,10 +6,10 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: SecurityEvents
 dataTypes:
 - SecurityEvent
@@ -21,7 +21,7 @@ requiredDataConnectors:
 - WindowsEvent
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -96,5 +96,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.3.9
+version: 1.3.10
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_SigninLogs.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_SigninLogs.yaml
index 3b2bacf0eef..ebda36bfeb2 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_SigninLogs.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_SigninLogs.yaml
@@ -6,10 +6,10 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: AzureActiveDirectory
 dataTypes:
 - SigninLogs
@@ -18,7 +18,7 @@ requiredDataConnectors:
 - AADNonInteractiveUserSignInLogs
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -83,5 +83,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.2.10
+version: 1.2.11
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/FileHashEntity_CommonSecurityLog.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/FileHashEntity_CommonSecurityLog.yaml
index 148be09468f..558da7c091a 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/FileHashEntity_CommonSecurityLog.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/FileHashEntity_CommonSecurityLog.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - CommonSecurityLog
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -91,5 +91,5 @@ entityMappings:
 columnName: FileHashValue
 - identifier: Algorithm
 columnName: FileHashType
-version: 1.3.8
+version: 1.3.9
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/FileHashEntity_DeviceFileEvents_Updated.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/FileHashEntity_DeviceFileEvents_Updated.yaml
index 7ecb45f1977..be3eed9a056 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/FileHashEntity_DeviceFileEvents_Updated.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/FileHashEntity_DeviceFileEvents_Updated.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - DeviceFileEvents
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -73,5 +73,5 @@ entityMappings:
 fieldMappings:
 - identifier: HostName
 columnName: DeviceName
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/FileHashEntity_SecurityEvent.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/FileHashEntity_SecurityEvent.yaml
index eabbdddef2f..c8034c6b20c 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/FileHashEntity_SecurityEvent.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/FileHashEntity_SecurityEvent.yaml
@@ -15,13 +15,13 @@ requiredDataConnectors:
 - WindowsEvent
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -94,5 +94,5 @@ entityMappings:
 columnName: FileHashValue
 - identifier: Algorithm
 columnName: FileHashType
-version: 1.4.8
+version: 1.4.9
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AWSCloudTrail.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AWSCloudTrail.yaml
index 8b912bb9dd3..d0b770343da 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AWSCloudTrail.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AWSCloudTrail.yaml
@@ -6,16 +6,16 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: AWS
 dataTypes:
 - AWSCloudTrail
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -79,5 +79,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.4.5
+version: 1.4.6
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml
index db563871e4d..c4991e98eb7 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml
@@ -6,13 +6,13 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -96,6 +96,6 @@ entityMappings:
 columnName: _ResourceId
 alertDetailsOverride:
 alertSeverityColumnName: AlertPriority
-version: 1.5.5
+version: 1.5.6
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureActivity.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureActivity.yaml
index 6a13134ad4a..089813ad787 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureActivity.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureActivity.yaml
@@ -6,16 +6,16 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: AzureActivity
 dataTypes:
 - AzureActivity
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -89,5 +89,5 @@ entityMappings:
 fieldMappings:
 - identifier: ResourceId
 columnName: ResourceId
-version: 1.4.6
+version: 1.4.7
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureFirewall.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureFirewall.yaml
index d0d28b09a9e..fed0627f6ca 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureFirewall.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureFirewall.yaml
@@ -6,16 +6,16 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: AzureFirewall
 dataTypes:
 - AzureDiagnostics
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -80,5 +80,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.3.4
+version: 1.3.5
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureKeyVault.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureKeyVault.yaml
index 8609fa4f6c6..f6c9671b9b3 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureKeyVault.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureKeyVault.yaml
@@ -6,16 +6,16 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: AzureKeyVault
 dataTypes:
 - KeyVaultData
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -72,5 +72,5 @@ entityMappings:
 fieldMappings:
 - identifier: ResourceId
 columnName: ResourceId
-version: 1.3.6
+version: 1.3.7
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml
index 7de97b100f2..2043a8c6ed9 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml
@@ -6,13 +6,13 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -82,5 +82,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.4.5
+version: 1.4.6
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureSQL.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureSQL.yaml
index 9e18b6ed70f..f150393d880 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureSQL.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureSQL.yaml
@@ -6,16 +6,16 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: AzureSql
 dataTypes:
 - AzureDiagnostics
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -72,5 +72,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: ClientIP
-version: 1.3.4
+version: 1.3.5
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_CloudAppEvents_Updated.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_CloudAppEvents_Updated.yaml
index b4df87b21d8..1de02e5a47f 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_CloudAppEvents_Updated.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_CloudAppEvents_Updated.yaml
@@ -9,7 +9,7 @@ requiredDataConnectors:
 - CloudAppEvents
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -70,5 +70,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: EmailSourceIPAddress
-version: 1.0.5
+version: 1.0.6
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_CustomSecurityLog.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_CustomSecurityLog.yaml
index ff052b3ad8a..65880af5625 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_CustomSecurityLog.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_CustomSecurityLog.yaml
@@ -6,16 +6,16 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: CEF
 dataTypes:
 - CommonSecurityLog
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -69,5 +69,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: SourceIP
-version: 1.2.7
+version: 1.2.8
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_DeviceNetworkEvents_Updated.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_DeviceNetworkEvents_Updated.yaml
index 1e07486d9f1..0414676aa49 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_DeviceNetworkEvents_Updated.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_DeviceNetworkEvents_Updated.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - DeviceNetworkEvents
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -70,5 +70,5 @@ entityMappings:
 fieldMappings:
 - identifier: HostName
 columnName: DeviceName
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_DnsEvents.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_DnsEvents.yaml
index 08caf16fa23..bf813041e6d 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_DnsEvents.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_DnsEvents.yaml
@@ -6,16 +6,16 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: DNS
 dataTypes:
 - DnsEvents
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -79,5 +79,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.4.6
+version: 1.4.7
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_DuoSecurity.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_DuoSecurity.yaml
index e6df16485cd..026ee3dbfdc 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_DuoSecurity.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_DuoSecurity.yaml
@@ -6,16 +6,16 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: CiscoDuoSecurity
 dataTypes:
 - CiscoDuo
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -70,5 +70,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: access_device_ip_s
-version: 1.0.8
+version: 1.0.9
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_OfficeActivity.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_OfficeActivity.yaml
index e4101ee7071..261fb22b944 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_OfficeActivity.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_OfficeActivity.yaml
@@ -6,13 +6,13 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: Office365
 dataTypes:
 - OfficeActivity
@@ -80,5 +80,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.4.6
+version: 1.4.7
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_SigninLogs_Updated.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_SigninLogs_Updated.yaml
index 4bdeddf29ed..fb385a2d071 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_SigninLogs_Updated.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_SigninLogs_Updated.yaml
@@ -6,10 +6,10 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: AzureActiveDirectory
 dataTypes:
 - SigninLogs
@@ -18,7 +18,7 @@ requiredDataConnectors:
 - AADNonInteractiveUserSignInLogs
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -80,5 +80,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.3.1
+version: 1.3.2
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_VMConnection.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_VMConnection.yaml
index addef47f8e3..6e847a60161 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_VMConnection.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_VMConnection.yaml
@@ -6,13 +6,13 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: AzureMonitor(VMInsights)
 dataTypes:
 - VMConnection
@@ -76,5 +76,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.4.5
+version: 1.4.6
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_W3CIISLog.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_W3CIISLog.yaml
index 19641559901..64ab013933b 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_W3CIISLog.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_W3CIISLog.yaml
@@ -6,13 +6,13 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: AzureMonitor(IIS)
 dataTypes:
 - W3CIISLog
@@ -80,5 +80,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.4.5
+version: 1.4.6
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_Workday_Updated.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_Workday_Updated.yaml
index 424e7aa7cb0..f4f5f003a8c 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_Workday_Updated.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_Workday_Updated.yaml @@ -6,16 +6,16 @@ severity: Medium requiredDataConnectors: - connectorId: ThreatIntelligence dataTypes: - - ThreatIntelligenceIndicator + - ThreatIntelIndicators - connectorId: ThreatIntelligenceTaxii dataTypes: - - ThreatIntelligenceIndicator + - ThreatIntelIndicators - connectorId: Workday dataTypes: - Workday - connectorId: MicrosoftDefenderThreatIntelligence dataTypes: - - ThreatIntelligenceIndicator + - ThreatIntelIndicators queryFrequency: 1h queryPeriod: 14d triggerOperator: gt @@ -79,5 +79,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: DvcIpAddr -version: 1.0.2 +version: 1.0.3 kind: Scheduled diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_imNetworkSession.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_imNetworkSession.yaml index 0a085f1c5b7..62155f8a7af 100644 --- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_imNetworkSession.yaml +++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_imNetworkSession.yaml @@ -52,14 +52,14 @@ requiredDataConnectors: - CommonSecurityLog - connectorId: MicrosoftDefenderThreatIntelligence dataTypes: - - ThreatIntelligenceIndicator + - ThreatIntelIndicators - connectorId: CiscoMeraki dataTypes: - Syslog - CiscoMerakiNativePoller - connectorId: ThreatIntelligenceTaxii dataTypes: - - ThreatIntelligenceIndicator + - ThreatIntelIndicators queryFrequency: 1h queryPeriod: 14d @@ -134,5 +134,5 @@ tags: - Schema: ASIMNetworkSession SchemaVersion: 0.2.4 -version: 1.2.8 +version: 1.2.9 kind: Scheduled diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_imWebSession.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_imWebSession.yaml index 0deaa2da7ff..bcbf2873159 100644 --- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_imWebSession.yaml 
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_imWebSession.yaml
@@ -12,13 +12,13 @@ requiredDataConnectors:
 - CommonSecurityLog
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -87,5 +87,5 @@ customDetails:
 alertDetailsOverride:
 alertDisplayNameFormat: The IP {{SrcIpAddr}} of the web request matches an IP IoC
 alertDescriptionFormat: The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator.
-version: 1.2.9
+version: 1.2.10
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml
index f99448cc027..837efd8ff0e 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml
@@ -6,13 +6,13 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -57,5 +57,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPaddress
-version: 1.0.7
+version: 1.0.8
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_AuditLogs.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_AuditLogs.yaml
index 10dfcd958d9..15dca98dd89 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_AuditLogs.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_AuditLogs.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - AuditLogs
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -78,5 +78,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.2.9
+version: 1.2.10
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_CloudAppEvents_Updated.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_CloudAppEvents_Updated.yaml
index b4724d78a64..558945d0b1e 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_CloudAppEvents_Updated.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_CloudAppEvents_Updated.yaml
@@ -9,7 +9,7 @@ requiredDataConnectors:
 - CloudAppEvents
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -75,5 +75,5 @@ entityMappings:
 columnName: Application
 - identifier: AppId
 columnName: ApplicationID
-version: 1.0.5
+version: 1.0.6
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_DeviceNetworkEvents_Updated.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_DeviceNetworkEvents_Updated.yaml
index 4643092af79..509fa8d943b 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_DeviceNetworkEvents_Updated.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_DeviceNetworkEvents_Updated.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - DeviceNetworkEvents
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -75,5 +75,5 @@ entityMappings:
 fieldMappings:
 - identifier: CommandLine
 columnName: InitiatingProcessCommandLine
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_EmailUrlInfo_Updated.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_EmailUrlInfo_Updated.yaml
index 42b07443d8c..c727112bf24 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_EmailUrlInfo_Updated.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_EmailUrlInfo_Updated.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - EmailUrlInfo
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -70,5 +70,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_PaloAlto.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_PaloAlto.yaml
index 87932c0f63a..b8fdaae0d64 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_PaloAlto.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_PaloAlto.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - CommonSecurityLog
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -73,5 +73,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: PA_Url
-version: 1.2.6
+version: 1.2.7
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_SecurityAlerts.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_SecurityAlerts.yaml
index 759c46439fa..d6ba48ae427 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_SecurityAlerts.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_SecurityAlerts.yaml
@@ -12,13 +12,13 @@ requiredDataConnectors:
 - SecurityAlert
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -71,5 +71,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.2.10
+version: 1.2.11
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_Syslog.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_Syslog.yaml
index 956982bedcf..0e79160001d 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_Syslog.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_Syslog.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - Syslog
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -64,5 +64,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.2.7
+version: 1.2.8
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_UrlClickEvents_Updated.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_UrlClickEvents_Updated.yaml
index 3e2d673d772..0a3175027ab 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_UrlClickEvents_Updated.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_UrlClickEvents_Updated.yaml
@@ -9,13 +9,13 @@ requiredDataConnectors:
 - UrlClickEvents
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -75,5 +75,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml
index 86c61ec11d1..d6911417f9d 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml
@@ -7,10 +7,10 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: DNS
 dataTypes:
 - DnsEvents
@@ -31,7 +31,7 @@ requiredDataConnectors:
 - NXLog_DNS_Server_CL
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: CiscoUmbrellaDataConnector
 dataTypes:
 - Cisco_Umbrella_dns_CL
@@ -115,5 +115,5 @@ customDetails:
 SourceIPAddress: SrcIpAddr
 DnsQuery: DnsQuery
 QueryType: DnsQueryType
-version: 1.2.2
+version: 1.2.3
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/imDns_IPEntity_DnsEvents.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/imDns_IPEntity_DnsEvents.yaml
index 5b2c32feb15..56cd7342108 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/imDns_IPEntity_DnsEvents.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/imDns_IPEntity_DnsEvents.yaml
@@ -6,10 +6,10 @@ severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: DNS
 dataTypes:
 - DnsEvents
@@ -33,7 +33,7 @@ requiredDataConnectors:
 - Cisco_Umbrella_dns_CL
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: Corelight
 dataTypes:
 - Corelight_CL
@@ -108,5 +108,5 @@ customDetails:
 alertDetailsOverride:
 alertDisplayNameFormat: The response {{IoC}} to DNS query matched an IoC
 alertDescriptionFormat: The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{Type}}. Consult the threat intelligence blade for more information on the indicator.
-version: 1.2.7
+version: 1.2.8
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence (NEW)/Data Connectors/template_MicrosoftDefenderThreatIntelligence.json b/Solutions/Threat Intelligence (NEW)/Data Connectors/template_MicrosoftDefenderThreatIntelligence.json
index 9f0d83750b1..65ed5038c80 100644
--- a/Solutions/Threat Intelligence (NEW)/Data Connectors/template_MicrosoftDefenderThreatIntelligence.json
+++ b/Solutions/Threat Intelligence (NEW)/Data Connectors/template_MicrosoftDefenderThreatIntelligence.json
@@ -10,18 +10,18 @@
 "graphQueries": [
 {
 "metricName": "Total data received",
- "legend": "ThreatIntelligenceIndicator",
- "baseQuery": "ThreatIntelligenceIndicator\n | where SourceSystem in (\"Microsoft Defender Threat Intelligence\", \"Microsoft Emerging Threat Feed\")"
+ "legend": "ThreatIntelIndicators",
+ "baseQuery": "ThreatIntelIndicators\n | where SourceSystem in (\"Microsoft Defender Threat Intelligence\", \"Microsoft Emerging Threat Feed\")"
 }
 ],
 "sampleQueries": [
 {
 "description": "Summarize by threat type",
- "query": "ThreatIntelligenceIndicator\n| where ExpirationDateTime > now()\n| where SourceSystem in (\"Microsoft Defender Threat Intelligence\", \"Microsoft Emerging Threat Feed\")\n| where ExpirationDateTime > now()\n| join ( SigninLogs ) on $left.NetworkIP == $right.IPAddress | summarize count() by ThreatType"
+ "query": "ThreatIntelIndicators\n| where ExpirationDateTime > now()\n| where SourceSystem in (\"Microsoft Defender Threat Intelligence\", \"Microsoft Emerging Threat Feed\")\n| where ExpirationDateTime > now()\n| join ( SigninLogs ) on $left.NetworkIP == $right.IPAddress | summarize count() by ThreatType"
 },
 {
 "description": "Summarize by 1 hour bins",
- "query": "ThreatIntelligenceIndicator\n| where SourceSystem in (\"Microsoft Defender Threat Intelligence\", \"Microsoft Emerging Threat Feed\")\n| where TimeGenerated >= ago(1d) | summarize count()​​"
+ "query": "ThreatIntelIndicators\n| where SourceSystem in (\"Microsoft Defender Threat Intelligence\", \"Microsoft Emerging Threat Feed\")\n| where TimeGenerated >= ago(1d) | summarize count()​​"
 }
 ],
 "connectivityCriterias": [
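Review bot: The renamed `sampleQueries` in this hunk still select `ExpirationDateTime`, `NetworkIP` and `ThreatType`, which are column names of the table being replaced; as far as I know `ThreatIntelIndicators` exposes indicator validity and the observable under different names (e.g. `ValidUntil`, `ObservableValue`), so "Summarize by threat type" would fail at query time against the new table — worth confirming against the published schema before shipping. The same carried-over column names appear in template_PremiumMicrosoftDefenderThreatIntelligence.json, template_ThreatIntelligence.json and template_ThreatIntelligenceTaxii.json. Two smaller points on this hunk: the threat-type query applies `| where ExpirationDateTime > now()` twice (also in the Premium template), and "Summarize by 1 hour bins" does not bin at all (`| summarize count()`; the template_ThreatIntelligence.json variant bins by `1d`), so either the description or the query should change, e.g. `| summarize count() by bin(TimeGenerated, 1h)`. The 1-hour-bins query string also appears to end in invisible characters after `count()`, carried over from the old text, which are worth stripping.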
@@ -34,8 +34,8 @@
 ],
 "dataTypes": [
 {
- "name": "ThreatIntelligenceIndicator",
- "lastDataReceivedQuery": "ThreatIntelligenceIndicator \n | where SourceSystem in (\"Microsoft Defender Threat Intelligence\", \"Microsoft Emerging Threat Feed\")\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "ThreatIntelIndicators",
+ "lastDataReceivedQuery": "ThreatIntelIndicators \n | where SourceSystem in (\"Microsoft Defender Threat Intelligence\", \"Microsoft Emerging Threat Feed\")\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
 ],
 "availability": {
diff --git a/Solutions/Threat Intelligence (NEW)/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json b/Solutions/Threat Intelligence (NEW)/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json
index c67da2d2cc2..988ce00ae20 100644
--- a/Solutions/Threat Intelligence (NEW)/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json
+++ b/Solutions/Threat Intelligence (NEW)/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json
@@ -10,18 +10,18 @@
 "graphQueries": [
 {
 "metricName": "Total data received",
- "legend": "ThreatIntelligenceIndicator",
- "baseQuery": "ThreatIntelligenceIndicator\n | where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\""
+ "legend": "ThreatIntelIndicators",
+ "baseQuery": "ThreatIntelIndicators\n | where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\""
 }
 ],
 "sampleQueries": [
 {
 "description": "Summarize by threat type",
- "query": "ThreatIntelligenceIndicator\n| where ExpirationDateTime > now()\n| where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"\n| where ExpirationDateTime > now()\n| join ( SigninLogs ) on $left.NetworkIP == $right.IPAddress | summarize count() by ThreatType"
+ "query": "ThreatIntelIndicators\n| where ExpirationDateTime > now()\n| where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"\n| where ExpirationDateTime > now()\n| join ( SigninLogs ) on $left.NetworkIP == $right.IPAddress | summarize count() by ThreatType"
 },
 {
 "description": "Summarize by 1 hour bins",
- "query": "ThreatIntelligenceIndicator\n| where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"\n| where TimeGenerated >= ago(1d) | summarize count()​​"
+ "query": "ThreatIntelIndicators\n| where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"\n| where TimeGenerated >= ago(1d) | summarize count()​​"
 }
 ],
 "connectivityCriterias": [
@@ -34,8 +34,8 @@
 ],
 "dataTypes": [
 {
- "name": "ThreatIntelligenceIndicator",
- "lastDataReceivedQuery": "ThreatIntelligenceIndicator \n | where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "ThreatIntelIndicators",
+ "lastDataReceivedQuery": "ThreatIntelIndicators \n | where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
 ],
 "availability": {
diff --git a/Solutions/Threat Intelligence (NEW)/Data Connectors/template_ThreatIntelligence.json b/Solutions/Threat Intelligence (NEW)/Data Connectors/template_ThreatIntelligence.json
index 9d229d16f50..1e6a63d265b 100644
--- a/Solutions/Threat Intelligence (NEW)/Data Connectors/template_ThreatIntelligence.json
+++ b/Solutions/Threat Intelligence (NEW)/Data Connectors/template_ThreatIntelligence.json
@@ -10,18 +10,18 @@
 "graphQueries": [
 {
 "metricName": "Total data received",
- "legend": "ThreatIntelligenceIndicator",
- "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem == \"SecurityGraph\""
+ "legend": "ThreatIntelIndicators",
+ "baseQuery": "ThreatIntelIndicators | where SourceSystem == \"SecurityGraph\""
 }
 ],
 "sampleQueries": [
 {
 "description": "Summarize by threat type",
- "query": "ThreatIntelligenceIndicator\n| where ExpirationDateTime > now()\n| where SourceSystem == \"SecurityGraph\"\n| join (\n SigninLogs\n) on $left.NetworkIP == $right.IPAddress\n| summarize count() by ThreatType"
+ "query": "ThreatIntelIndicators\n| where ExpirationDateTime > now()\n| where SourceSystem == \"SecurityGraph\"\n| join (\n SigninLogs\n) on $left.NetworkIP == $right.IPAddress\n| summarize count() by ThreatType"
 },
 {
 "description": "Summarize by 1 hour bins",
- "query": "CommonSecurityLog\n| where DestinationIP in\n((\n ThreatIntelligenceIndicator\n | where ExpirationDateTime > now()\n | where SourceSystem == \"SecurityGraph\"\n | where ThreatType == \"DDoS\"\n | project NetworkIP\n))\n| summarize count() by bin(TimeGenerated, 1d)​​"
+ "query": "CommonSecurityLog\n| where DestinationIP in\n((\n ThreatIntelIndicators\n | where ExpirationDateTime > now()\n | where SourceSystem == \"SecurityGraph\"\n | where ThreatType == \"DDoS\"\n | project NetworkIP\n))\n| summarize count() by bin(TimeGenerated, 1d)​​"
 }
 ],
 "connectivityCriterias": [
@@ -34,8 +34,8 @@
 ],
 "dataTypes": [
 {
- "name": "ThreatIntelligenceIndicator",
- "lastDataReceivedQuery": "ThreatIntelligenceIndicator | where SourceSystem == \"SecurityGraph\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "ThreatIntelIndicators",
+ "lastDataReceivedQuery": "ThreatIntelIndicators | where SourceSystem == \"SecurityGraph\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
 ],
 "availability": {
diff --git a/Solutions/Threat Intelligence (NEW)/Data Connectors/template_ThreatIntelligenceTaxii.json b/Solutions/Threat Intelligence (NEW)/Data Connectors/template_ThreatIntelligenceTaxii.json
index 230ee0b37f0..b46fcf00b16 100644
--- a/Solutions/Threat Intelligence (NEW)/Data Connectors/template_ThreatIntelligenceTaxii.json
+++ b/Solutions/Threat Intelligence (NEW)/Data Connectors/template_ThreatIntelligenceTaxii.json
@@ -6,18 +6,18 @@
 "graphQueries": [
 {
 "metricName": "Total data received",
- "legend": "ThreatIntelligenceIndicator",
- "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") "
+ "legend": "ThreatIntelIndicators",
+ "baseQuery": "ThreatIntelIndicators | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") "
 }
 ],
 "sampleQueries": [
 {
 "description": "Summarize by threat type",
- "query": "ThreatIntelligenceIndicator | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") \n and ExpirationDateTime > now() | join ( SigninLogs ) on $left.NetworkIP == $right.IPAddress | summarize count() by ThreatType"
+ "query": "ThreatIntelIndicators | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") \n and ExpirationDateTime > now() | join ( SigninLogs ) on $left.NetworkIP == $right.IPAddress | summarize count() by ThreatType"
 },
 {
 "description": "Summarize by 1 hour bins",
- "query": "ThreatIntelligenceIndicator | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") \n and TimeGenerated >= ago(1d) | summarize count()"
+ "query": "ThreatIntelIndicators | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") \n and TimeGenerated >= ago(1d) | summarize count()"
 }
 ],
 "connectivityCriterias": [
@@ -30,8 +30,8 @@
 ],
 "dataTypes": [
 {
- "name": "ThreatIntelligenceIndicator",
- "lastDataReceivedQuery": "ThreatIntelligenceIndicator | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "ThreatIntelIndicators",
+ "lastDataReceivedQuery": "ThreatIntelIndicators | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
 ],
 "availability": {
diff --git a/Solutions/Threat Intelligence (NEW)/Data Connectors/template_ThreatIntelligenceUploadIndicators.json b/Solutions/Threat Intelligence (NEW)/Data Connectors/template_ThreatIntelligenceUploadIndicators.json
index 60b822a8097..9ba10a3eba2 100644
--- a/Solutions/Threat Intelligence (NEW)/Data Connectors/template_ThreatIntelligenceUploadIndicators.json
+++ b/Solutions/Threat Intelligence (NEW)/Data Connectors/template_ThreatIntelligenceUploadIndicators.json
@@ -7,26 +7,26 @@
 {
 "metricName": "Total indicators received",
 "legend": "Connection Events",
- "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem != 'Microsoft Sentinel'"
+ "baseQuery": "ThreatIntelIndicators | where SourceSystem != 'Microsoft Sentinel'"
 }
 ],
 "sampleQueries": [
 {
 "description": "All Threat Intelligence APIs Indicators",
- "query": "ThreatIntelligenceIndicator | where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| sort by TimeGenerated desc"
+ "query": "ThreatIntelIndicators | where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| sort by TimeGenerated desc"
 }
 ],
 "dataTypes": [
 {
- "name": "ThreatIntelligenceIndicator",
- "lastDataReceivedQuery": "ThreatIntelligenceIndicator| where isnotempty(TimeGenerated) and SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| summarize Time = max(TimeGenerated)"
+ "name": "ThreatIntelIndicators",
+ "lastDataReceivedQuery": "ThreatIntelIndicators | where isnotempty(TimeGenerated) and SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| summarize Time = max(TimeGenerated)"
 }
 ],
 "connectivityCriterias": [
 {
 "type": "IsConnectedQuery",
 "value": [
- "ThreatIntelligenceIndicator | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = false"
+ "ThreatIntelIndicators | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = false"
 ]
 }
 ],
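Review bot: The graph baseQuery in this hunk excludes only SourceSystem 'Microsoft Sentinel', while the sample query and lastDataReceivedQuery a few lines below exclude 'SecurityGraph', 'Azure Sentinel' and 'Microsoft Sentinel', so the "Total indicators received" chart can count rows that the last-data-received check deliberately ignores; aligning it to `"baseQuery": "ThreatIntelIndicators | where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')"` keeps the two views of the same connector consistent. The IsConnectedQuery value still ends in `| project IsConnected = false`, which reports the connector as disconnected unconditionally and discards the max(TimeGenerated) it just computed; if that is intentional for an upload-API connector it should be stated in the connector's description text, otherwise `| project IsConnected = isnotnull(LastLogReceived)` would reflect whether data has arrived. The lastDataReceivedQuery gained a space before its first pipe here but the otherwise identical template_ThreatIntelligenceUploadIndicators_ForGov.json hunk keeps `ThreatIntelIndicators| where`, so the two templates now drift on a cosmetic detail that is easy to miss in later rename passes.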
diff --git a/Solutions/Threat Intelligence (NEW)/Data Connectors/template_ThreatIntelligenceUploadIndicators_ForGov.json b/Solutions/Threat Intelligence (NEW)/Data Connectors/template_ThreatIntelligenceUploadIndicators_ForGov.json
index bc52ee3c3b0..c1fc714e63d 100644
--- a/Solutions/Threat Intelligence (NEW)/Data Connectors/template_ThreatIntelligenceUploadIndicators_ForGov.json
+++ b/Solutions/Threat Intelligence (NEW)/Data Connectors/template_ThreatIntelligenceUploadIndicators_ForGov.json
@@ -7,26 +7,26 @@
 {
 "metricName": "Total indicators received",
 "legend": "Connection Events",
- "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem != 'Microsoft Sentinel'"
+ "baseQuery": "ThreatIntelIndicators | where SourceSystem != 'Microsoft Sentinel'"
 }
 ],
 "sampleQueries": [
 {
 "description": "All Threat Intelligence APIs Indicators",
- "query": "ThreatIntelligenceIndicator | where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| sort by TimeGenerated desc"
+ "query": "ThreatIntelIndicators | where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| sort by TimeGenerated desc"
 }
 ],
 "dataTypes": [
 {
- "name": "ThreatIntelligenceIndicator",
- "lastDataReceivedQuery": "ThreatIntelligenceIndicator| where isnotempty(TimeGenerated) and SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| summarize Time = max(TimeGenerated)"
+ "name": "ThreatIntelIndicators",
+ "lastDataReceivedQuery": "ThreatIntelIndicators| where isnotempty(TimeGenerated) and SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| summarize Time = max(TimeGenerated)"
 }
 ],
 "connectivityCriterias": [
 {
 "type": "IsConnectedQuery",
 "value": [
- "ThreatIntelligenceIndicator | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = false"
+ "ThreatIntelIndicators | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = false"
 ]
 }
 ],
diff --git a/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_OfficeActivity.yaml b/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_OfficeActivity.yaml
index 9dd7f7498e8..d2f53dd9b9f 100644
--- a/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_OfficeActivity.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_OfficeActivity.yaml
@@ -11,13 +11,13 @@ requiredDataConnectors:
 - OfficeActivity
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 tactics:
 - Impact
 query: |
diff --git a/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_SecurityEvent.yaml b/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_SecurityEvent.yaml
index b428dc2946c..f3d37996023 100644
--- a/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_SecurityEvent.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_SecurityEvent.yaml
@@ -11,13 +11,13 @@ requiredDataConnectors:
 - SecurityEvent
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 tactics:
 - Impact
 query: |
diff --git a/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_Syslog.yaml b/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_Syslog.yaml
index 3acee81e47c..98f58bd420b 100644
--- a/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_Syslog.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_Syslog.yaml
@@ -11,13 +11,13 @@ requiredDataConnectors:
 - Syslog
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 tactics:
 - Impact
 query: |
diff --git a/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_VMConnection.yaml b/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_VMConnection.yaml
index 033487c2467..80af0ebfc7c 100644
--- a/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_VMConnection.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_VMConnection.yaml
@@ -11,13 +11,13 @@ requiredDataConnectors:
 - VMConnection
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 tactics:
 - Impact
 query: |
diff --git a/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_WireData.yaml b/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_WireData.yaml
index 4a41d9f9e6e..31bfaa4ee6d 100644
--- a/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_WireData.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Hunting Queries/FileEntity_WireData.yaml
@@ -11,13 +11,13 @@ requiredDataConnectors:
 - WireData
 - connectorId: ThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 - connectorId: MicrosoftDefenderThreatIntelligence
 dataTypes:
- - ThreatIntelligenceIndicator
+ - ThreatIntelIndicators
 tactics:
 - Impact
 query: |
diff --git a/Solutions/Threat Intelligence (NEW)/Package/3.0.4.zip b/Solutions/Threat Intelligence (NEW)/Package/3.0.4.zip
new file mode 100644
index 00000000000..acdeee2faf1
Binary files /dev/null and b/Solutions/Threat Intelligence (NEW)/Package/3.0.4.zip differ
diff --git a/Solutions/Threat Intelligence (NEW)/Package/createUiDefinition.json b/Solutions/Threat Intelligence (NEW)/Package/createUiDefinition.json
index 1b662c4e3d3..cfc70923a8c 100644
--- a/Solutions/Threat Intelligence (NEW)/Package/createUiDefinition.json
+++ b/Solutions/Threat Intelligence (NEW)/Package/createUiDefinition.json
@@ -974,7 +974,7 @@
 "name": "huntingquery1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query finds matches in OfficeActivity Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection. This hunting query depends on Office365 ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence data connector (OfficeActivity ThreatIntelligenceIndicator ThreatIntelligenceIndicator ThreatIntelligenceIndicator Parser or Table)"
+ "text": "This query finds matches in OfficeActivity Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection. This hunting query depends on Office365 ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence data connector (OfficeActivity ThreatIntelIndicators ThreatIntelIndicators ThreatIntelIndicators Parser or Table)"
 }
 }
 ]
@@ -988,7 +988,7 @@
 "name": "huntingquery2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query finds matches in Security Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection. This hunting query depends on SecurityEvents ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence data connector (SecurityEvent ThreatIntelligenceIndicator ThreatIntelligenceIndicator ThreatIntelligenceIndicator Parser or Table)"
+ "text": "This query finds matches in Security Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection. This hunting query depends on SecurityEvents ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence data connector (SecurityEvent ThreatIntelIndicators ThreatIntelIndicators ThreatIntelIndicators Parser or Table)"
 }
 }
 ]
@@ -1002,7 +1002,7 @@
 "name": "huntingquery3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query finds matches in Syslog Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection. This hunting query depends on Syslog ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence data connector (Syslog ThreatIntelligenceIndicator ThreatIntelligenceIndicator ThreatIntelligenceIndicator Parser or Table)"
+ "text": "This query finds matches in Syslog Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection. This hunting query depends on Syslog ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence data connector (Syslog ThreatIntelIndicators ThreatIntelIndicators ThreatIntelIndicators Parser or Table)"
 }
 }
 ]
@@ -1016,7 +1016,7 @@
 "name": "huntingquery4-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query finds matches in VMConnection Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection. This hunting query depends on AzureMonitor(VMInsights) ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence data connector (VMConnection ThreatIntelligenceIndicator ThreatIntelligenceIndicator ThreatIntelligenceIndicator Parser or Table)"
+ "text": "This query finds matches in VMConnection Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection. This hunting query depends on AzureMonitor(VMInsights) ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence data connector (VMConnection ThreatIntelIndicators ThreatIntelIndicators ThreatIntelIndicators Parser or Table)"
 }
 }
 ]
@@ -1030,7 +1030,7 @@
 "name": "huntingquery5-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query finds matches in WireData Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection. This hunting query depends on AzureMonitor(WireData) ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence data connector (WireData ThreatIntelligenceIndicator ThreatIntelligenceIndicator ThreatIntelligenceIndicator Parser or Table)"
+ "text": "This query finds matches in WireData Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection. This hunting query depends on AzureMonitor(WireData) ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence data connector (WireData ThreatIntelIndicators ThreatIntelIndicators ThreatIntelIndicators Parser or Table)"
 }
 }
 ]
diff --git a/Solutions/Threat Intelligence (NEW)/Package/mainTemplate.json b/Solutions/Threat Intelligence (NEW)/Package/mainTemplate.json
index 9a5235147db..fdfe9dc56e7 100644
--- a/Solutions/Threat Intelligence (NEW)/Package/mainTemplate.json
+++ b/Solutions/Threat Intelligence (NEW)/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Threat Intelligence (NEW)",
- "_solutionVersion": "3.0.3",
+ "_solutionVersion": "3.0.4",
 "solutionId": "azuresentinel.azure-sentinel-solution-threatintelligence-updated",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "ThreatIntelligenceTaxii",
@@ -97,357 +97,357 @@ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.5", + "analyticRuleVersion1": "1.0.6", "_analyticRulecontentId1": "a7d2b1e4-dd9c-40fd-9651-1a136eb8f0df", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a7d2b1e4-dd9c-40fd-9651-1a136eb8f0df')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a7d2b1e4-dd9c-40fd-9651-1a136eb8f0df')))]", "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a7d2b1e4-dd9c-40fd-9651-1a136eb8f0df','-', '1.0.5')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.4.3", + "analyticRuleVersion2": "1.4.4", "_analyticRulecontentId2": "094a4e6e-1a0d-4d49-9d64-cfc3b01a0be1", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '094a4e6e-1a0d-4d49-9d64-cfc3b01a0be1')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('094a4e6e-1a0d-4d49-9d64-cfc3b01a0be1')))]", "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','094a4e6e-1a0d-4d49-9d64-cfc3b01a0be1','-', '1.4.3')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.3", + "analyticRuleVersion3": "1.0.4", "_analyticRulecontentId3": "1546f3b3-de8a-4e62-bfea-815422154981", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'1546f3b3-de8a-4e62-bfea-815422154981')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1546f3b3-de8a-4e62-bfea-815422154981')))]", "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1546f3b3-de8a-4e62-bfea-815422154981','-', '1.0.3')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.4.5", + "analyticRuleVersion4": "1.4.6", "_analyticRulecontentId4": "03a8e294-3fc7-4d65-9da2-cff91fb5b6dc", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '03a8e294-3fc7-4d65-9da2-cff91fb5b6dc')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('03a8e294-3fc7-4d65-9da2-cff91fb5b6dc')))]", "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','03a8e294-3fc7-4d65-9da2-cff91fb5b6dc','-', '1.4.5')))]" }, "analyticRuleObject5": { - "analyticRuleVersion5": "1.0.3", + "analyticRuleVersion5": "1.0.4", "_analyticRulecontentId5": "bc3bb047-70b8-4a4b-ac21-e3b1172881a4", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bc3bb047-70b8-4a4b-ac21-e3b1172881a4')]", "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bc3bb047-70b8-4a4b-ac21-e3b1172881a4')))]", "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bc3bb047-70b8-4a4b-ac21-e3b1172881a4','-', '1.0.3')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "1.0.4", + "analyticRuleVersion6": "1.0.5", "_analyticRulecontentId6": 
"b56e2290-c65b-45a5-9636-3651e85bbe5d", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b56e2290-c65b-45a5-9636-3651e85bbe5d')]", "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b56e2290-c65b-45a5-9636-3651e85bbe5d')))]", "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b56e2290-c65b-45a5-9636-3651e85bbe5d','-', '1.0.4')))]" }, "analyticRuleObject7": { - "analyticRuleVersion7": "1.4.3", + "analyticRuleVersion7": "1.4.4", "_analyticRulecontentId7": "418192ba-01b8-4be8-89b7-5b5396a9d062", "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '418192ba-01b8-4be8-89b7-5b5396a9d062')]", "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('418192ba-01b8-4be8-89b7-5b5396a9d062')))]", "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','418192ba-01b8-4be8-89b7-5b5396a9d062','-', '1.4.3')))]" }, "analyticRuleObject8": { - "analyticRuleVersion8": "1.4.5", + "analyticRuleVersion8": "1.4.6", "_analyticRulecontentId8": "cd19434e-10f2-4e2f-b3c1-ce6f08ac5357", "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cd19434e-10f2-4e2f-b3c1-ce6f08ac5357')]", "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cd19434e-10f2-4e2f-b3c1-ce6f08ac5357')))]", "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cd19434e-10f2-4e2f-b3c1-ce6f08ac5357','-', '1.4.5')))]" }, "analyticRuleObject9": { 
- "analyticRuleVersion9": "1.4.4", + "analyticRuleVersion9": "1.4.5", "_analyticRulecontentId9": "df88b403-1cb9-49ea-a43d-b6613051cf7f", "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'df88b403-1cb9-49ea-a43d-b6613051cf7f')]", "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('df88b403-1cb9-49ea-a43d-b6613051cf7f')))]", "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','df88b403-1cb9-49ea-a43d-b6613051cf7f','-', '1.4.4')))]" }, "analyticRuleObject10": { - "analyticRuleVersion10": "1.0.9", + "analyticRuleVersion10": "1.0.10", "_analyticRulecontentId10": "afa4cb9e-6fec-4742-a17f-f494b54c01e7", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'afa4cb9e-6fec-4742-a17f-f494b54c01e7')]", "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('afa4cb9e-6fec-4742-a17f-f494b54c01e7')))]", "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','afa4cb9e-6fec-4742-a17f-f494b54c01e7','-', '1.0.9')))]" }, "analyticRuleObject11": { - "analyticRuleVersion11": "1.2.10", + "analyticRuleVersion11": "1.2.11", "_analyticRulecontentId11": "a9a4d1ee-0f52-4a1f-8def-a2fb4462104c", "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a9a4d1ee-0f52-4a1f-8def-a2fb4462104c')]", "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a9a4d1ee-0f52-4a1f-8def-a2fb4462104c')))]", "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a9a4d1ee-0f52-4a1f-8def-a2fb4462104c','-', '1.2.10')))]" }, "analyticRuleObject12": { - "analyticRuleVersion12": "1.0.5", + "analyticRuleVersion12": "1.0.6", "_analyticRulecontentId12": "0385e99c-ae45-45f4-aecf-00104485cd6b", "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0385e99c-ae45-45f4-aecf-00104485cd6b')]", "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0385e99c-ae45-45f4-aecf-00104485cd6b')))]", "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0385e99c-ae45-45f4-aecf-00104485cd6b','-', '1.0.5')))]" }, "analyticRuleObject13": { - "analyticRuleVersion13": "1.0.4", + "analyticRuleVersion13": "1.0.5", "_analyticRulecontentId13": "18b61c3f-55fa-4eb9-8721-72dabd1eb3cb", "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '18b61c3f-55fa-4eb9-8721-72dabd1eb3cb')]", "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('18b61c3f-55fa-4eb9-8721-72dabd1eb3cb')))]", "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','18b61c3f-55fa-4eb9-8721-72dabd1eb3cb','-', '1.0.4')))]" }, "analyticRuleObject14": { - "analyticRuleVersion14": "1.2.10", + "analyticRuleVersion14": "1.2.11", "_analyticRulecontentId14": "795d43a3-6edc-4c99-971f-00d05841e5ac", "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '795d43a3-6edc-4c99-971f-00d05841e5ac')]", "analyticRuleTemplateSpecName14": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('795d43a3-6edc-4c99-971f-00d05841e5ac')))]", "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','795d43a3-6edc-4c99-971f-00d05841e5ac','-', '1.2.10')))]" }, "analyticRuleObject15": { - "analyticRuleVersion15": "1.2.8", + "analyticRuleVersion15": "1.2.9", "_analyticRulecontentId15": "17fe80fe-072f-44d4-b62c-97a5bce56a64", "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '17fe80fe-072f-44d4-b62c-97a5bce56a64')]", "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('17fe80fe-072f-44d4-b62c-97a5bce56a64')))]", "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','17fe80fe-072f-44d4-b62c-97a5bce56a64','-', '1.2.8')))]" }, "analyticRuleObject16": { - "analyticRuleVersion16": "1.2.10", + "analyticRuleVersion16": "1.2.11", "_analyticRulecontentId16": "4b451ade-ed28-48e2-8fe7-60ae83ab2fa5", "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4b451ade-ed28-48e2-8fe7-60ae83ab2fa5')]", "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4b451ade-ed28-48e2-8fe7-60ae83ab2fa5')))]", "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4b451ade-ed28-48e2-8fe7-60ae83ab2fa5','-', '1.2.10')))]" }, "analyticRuleObject17": { - "analyticRuleVersion17": "1.3.9", + "analyticRuleVersion17": "1.3.10", "_analyticRulecontentId17": "0a59051d-aed4-4fb6-bf84-bc80534482b2", "analyticRuleId17": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0a59051d-aed4-4fb6-bf84-bc80534482b2')]", "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0a59051d-aed4-4fb6-bf84-bc80534482b2')))]", "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0a59051d-aed4-4fb6-bf84-bc80534482b2','-', '1.3.9')))]" }, "analyticRuleObject18": { - "analyticRuleVersion18": "1.2.10", + "analyticRuleVersion18": "1.2.11", "_analyticRulecontentId18": "4b5a7f32-899d-4d22-8de2-0ec90b911a72", "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4b5a7f32-899d-4d22-8de2-0ec90b911a72')]", "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4b5a7f32-899d-4d22-8de2-0ec90b911a72')))]", "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4b5a7f32-899d-4d22-8de2-0ec90b911a72','-', '1.2.10')))]" }, "analyticRuleObject19": { - "analyticRuleVersion19": "1.3.8", + "analyticRuleVersion19": "1.3.9", "_analyticRulecontentId19": "432996e9-8a93-4407-985f-13707b318a0b", "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '432996e9-8a93-4407-985f-13707b318a0b')]", "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('432996e9-8a93-4407-985f-13707b318a0b')))]", "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','432996e9-8a93-4407-985f-13707b318a0b','-', '1.3.8')))]" }, "analyticRuleObject20": { - "analyticRuleVersion20": "1.0.2", + 
"analyticRuleVersion20": "1.0.3", "_analyticRulecontentId20": "d6f04915-4471-4cb3-b163-a8b72997cf72", "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd6f04915-4471-4cb3-b163-a8b72997cf72')]", "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d6f04915-4471-4cb3-b163-a8b72997cf72')))]", "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d6f04915-4471-4cb3-b163-a8b72997cf72','-', '1.0.2')))]" }, "analyticRuleObject21": { - "analyticRuleVersion21": "1.4.8", + "analyticRuleVersion21": "1.4.9", "_analyticRulecontentId21": "9f7dc779-1e51-4925-ae4a-db1db933077f", "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9f7dc779-1e51-4925-ae4a-db1db933077f')]", "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9f7dc779-1e51-4925-ae4a-db1db933077f')))]", "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9f7dc779-1e51-4925-ae4a-db1db933077f','-', '1.4.8')))]" }, "analyticRuleObject22": { - "analyticRuleVersion22": "1.4.5", + "analyticRuleVersion22": "1.4.6", "_analyticRulecontentId22": "69f55be4-1b13-42d0-b975-a1e59c996dd2", "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '69f55be4-1b13-42d0-b975-a1e59c996dd2')]", "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('69f55be4-1b13-42d0-b975-a1e59c996dd2')))]", "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','69f55be4-1b13-42d0-b975-a1e59c996dd2','-', '1.4.5')))]" }, "analyticRuleObject23": { - "analyticRuleVersion23": "1.5.5", + "analyticRuleVersion23": "1.5.6", "_analyticRulecontentId23": "206277b1-9a2c-4c62-9ee8-a4c888810d3c", "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '206277b1-9a2c-4c62-9ee8-a4c888810d3c')]", "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('206277b1-9a2c-4c62-9ee8-a4c888810d3c')))]", "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','206277b1-9a2c-4c62-9ee8-a4c888810d3c','-', '1.5.5')))]" }, "analyticRuleObject24": { - "analyticRuleVersion24": "1.4.6", + "analyticRuleVersion24": "1.4.7", "_analyticRulecontentId24": "7a0c9989-1618-4126-9290-fb77b976d181", "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7a0c9989-1618-4126-9290-fb77b976d181')]", "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7a0c9989-1618-4126-9290-fb77b976d181')))]", "_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7a0c9989-1618-4126-9290-fb77b976d181','-', '1.4.6')))]" }, "analyticRuleObject25": { - "analyticRuleVersion25": "1.3.4", + "analyticRuleVersion25": "1.3.5", "_analyticRulecontentId25": "4992d2f3-d6c0-4271-adac-b23532ba4492", "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4992d2f3-d6c0-4271-adac-b23532ba4492')]", "analyticRuleTemplateSpecName25": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4992d2f3-d6c0-4271-adac-b23532ba4492')))]", "_analyticRulecontentProductId25": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4992d2f3-d6c0-4271-adac-b23532ba4492','-', '1.3.4')))]" }, "analyticRuleObject26": { - "analyticRuleVersion26": "1.3.6", + "analyticRuleVersion26": "1.3.7", "_analyticRulecontentId26": "7c8051a7-3d29-4c0d-a340-893423f7b0a5", "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7c8051a7-3d29-4c0d-a340-893423f7b0a5')]", "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7c8051a7-3d29-4c0d-a340-893423f7b0a5')))]", "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7c8051a7-3d29-4c0d-a340-893423f7b0a5','-', '1.3.6')))]" }, "analyticRuleObject27": { - "analyticRuleVersion27": "1.4.5", + "analyticRuleVersion27": "1.4.6", "_analyticRulecontentId27": "929160b7-4449-4307-a3f9-bb742d1b8f01", "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '929160b7-4449-4307-a3f9-bb742d1b8f01')]", "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('929160b7-4449-4307-a3f9-bb742d1b8f01')))]", "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','929160b7-4449-4307-a3f9-bb742d1b8f01','-', '1.4.5')))]" }, "analyticRuleObject28": { - "analyticRuleVersion28": "1.3.4", + "analyticRuleVersion28": "1.3.5", "_analyticRulecontentId28": "239d987e-ee1b-4c49-b146-e88d682930a4", "analyticRuleId28": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '239d987e-ee1b-4c49-b146-e88d682930a4')]", "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('239d987e-ee1b-4c49-b146-e88d682930a4')))]", "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','239d987e-ee1b-4c49-b146-e88d682930a4','-', '1.3.4')))]" }, "analyticRuleObject29": { - "analyticRuleVersion29": "1.0.5", + "analyticRuleVersion29": "1.0.6", "_analyticRulecontentId29": "16a45aee-5e39-4d1b-b508-40f847c99353", "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '16a45aee-5e39-4d1b-b508-40f847c99353')]", "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('16a45aee-5e39-4d1b-b508-40f847c99353')))]", "_analyticRulecontentProductId29": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','16a45aee-5e39-4d1b-b508-40f847c99353','-', '1.0.5')))]" }, "analyticRuleObject30": { - "analyticRuleVersion30": "1.2.7", + "analyticRuleVersion30": "1.2.8", "_analyticRulecontentId30": "cdd1933b-ef94-48a4-b94a-18d45b902751", "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cdd1933b-ef94-48a4-b94a-18d45b902751')]", "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cdd1933b-ef94-48a4-b94a-18d45b902751')))]", "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cdd1933b-ef94-48a4-b94a-18d45b902751','-', '1.2.7')))]" }, "analyticRuleObject31": { - "analyticRuleVersion31": "1.0.3", + 
"analyticRuleVersion31": "1.0.4", "_analyticRulecontentId31": "2474343c-9135-42ec-9c40-a1bace43da5c", "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2474343c-9135-42ec-9c40-a1bace43da5c')]", "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2474343c-9135-42ec-9c40-a1bace43da5c')))]", "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2474343c-9135-42ec-9c40-a1bace43da5c','-', '1.0.3')))]" }, "analyticRuleObject32": { - "analyticRuleVersion32": "1.4.6", + "analyticRuleVersion32": "1.4.7", "_analyticRulecontentId32": "6418fd33-92f2-407b-bd61-91c0d4bbcb8a", "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6418fd33-92f2-407b-bd61-91c0d4bbcb8a')]", "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6418fd33-92f2-407b-bd61-91c0d4bbcb8a')))]", "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6418fd33-92f2-407b-bd61-91c0d4bbcb8a','-', '1.4.6')))]" }, "analyticRuleObject33": { - "analyticRuleVersion33": "1.0.8", + "analyticRuleVersion33": "1.0.9", "_analyticRulecontentId33": "4988c238-a118-442c-80bd-6c689a1b2e97", "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4988c238-a118-442c-80bd-6c689a1b2e97')]", "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4988c238-a118-442c-80bd-6c689a1b2e97')))]", "_analyticRulecontentProductId33": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4988c238-a118-442c-80bd-6c689a1b2e97','-', '1.0.8')))]" }, "analyticRuleObject34": { - "analyticRuleVersion34": "1.4.6", + "analyticRuleVersion34": "1.4.7", "_analyticRulecontentId34": "f50280e5-5eb1-4e95-99fd-9d584a987bdd", "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f50280e5-5eb1-4e95-99fd-9d584a987bdd')]", "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f50280e5-5eb1-4e95-99fd-9d584a987bdd')))]", "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f50280e5-5eb1-4e95-99fd-9d584a987bdd','-', '1.4.6')))]" }, "analyticRuleObject35": { - "analyticRuleVersion35": "1.3.1", + "analyticRuleVersion35": "1.3.2", "_analyticRulecontentId35": "edfc9d8a-6fb3-49e2-80c9-fea15d941799", "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'edfc9d8a-6fb3-49e2-80c9-fea15d941799')]", "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('edfc9d8a-6fb3-49e2-80c9-fea15d941799')))]", "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edfc9d8a-6fb3-49e2-80c9-fea15d941799','-', '1.3.1')))]" }, "analyticRuleObject36": { - "analyticRuleVersion36": "1.4.5", + "analyticRuleVersion36": "1.4.6", "_analyticRulecontentId36": "888c4736-e604-48eb-b2c7-3462356d9510", "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '888c4736-e604-48eb-b2c7-3462356d9510')]", "analyticRuleTemplateSpecName36": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('888c4736-e604-48eb-b2c7-3462356d9510')))]", "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','888c4736-e604-48eb-b2c7-3462356d9510','-', '1.4.5')))]" }, "analyticRuleObject37": { - "analyticRuleVersion37": "1.4.5", + "analyticRuleVersion37": "1.4.6", "_analyticRulecontentId37": "aed70d71-adb2-4f73-becd-02150b13950b", "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'aed70d71-adb2-4f73-becd-02150b13950b')]", "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('aed70d71-adb2-4f73-becd-02150b13950b')))]", "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','aed70d71-adb2-4f73-becd-02150b13950b','-', '1.4.5')))]" }, "analyticRuleObject38": { - "analyticRuleVersion38": "1.0.2", + "analyticRuleVersion38": "1.0.3", "_analyticRulecontentId38": "92e8e945-6e99-4e4b-bef8-468b4c19fc3a", "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '92e8e945-6e99-4e4b-bef8-468b4c19fc3a')]", "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('92e8e945-6e99-4e4b-bef8-468b4c19fc3a')))]", "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','92e8e945-6e99-4e4b-bef8-468b4c19fc3a','-', '1.0.2')))]" }, "analyticRuleObject39": { - "analyticRuleVersion39": "1.2.8", + "analyticRuleVersion39": "1.2.9", "_analyticRulecontentId39": "54f4ceb4-fd83-4633-b5b0-c0de9feb8890", "analyticRuleId39": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '54f4ceb4-fd83-4633-b5b0-c0de9feb8890')]", "analyticRuleTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('54f4ceb4-fd83-4633-b5b0-c0de9feb8890')))]", "_analyticRulecontentProductId39": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','54f4ceb4-fd83-4633-b5b0-c0de9feb8890','-', '1.2.8')))]" }, "analyticRuleObject40": { - "analyticRuleVersion40": "1.2.9", + "analyticRuleVersion40": "1.2.10", "_analyticRulecontentId40": "0548be6c-135e-4eb6-b9ff-14a09df62c77", "analyticRuleId40": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0548be6c-135e-4eb6-b9ff-14a09df62c77')]", "analyticRuleTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0548be6c-135e-4eb6-b9ff-14a09df62c77')))]", "_analyticRulecontentProductId40": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0548be6c-135e-4eb6-b9ff-14a09df62c77','-', '1.2.9')))]" }, "analyticRuleObject41": { - "analyticRuleVersion41": "1.0.7", + "analyticRuleVersion41": "1.0.8", "_analyticRulecontentId41": "43d6c173-64c8-4416-b32e-636a9f318d15", "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '43d6c173-64c8-4416-b32e-636a9f318d15')]", "analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('43d6c173-64c8-4416-b32e-636a9f318d15')))]", "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','43d6c173-64c8-4416-b32e-636a9f318d15','-', '1.0.7')))]" }, "analyticRuleObject42": { - "analyticRuleVersion42": "1.2.9", + 
"analyticRuleVersion42": "1.2.10", "_analyticRulecontentId42": "9991c277-e0a1-4079-8c40-fbfca2705615", "analyticRuleId42": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9991c277-e0a1-4079-8c40-fbfca2705615')]", "analyticRuleTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9991c277-e0a1-4079-8c40-fbfca2705615')))]", "_analyticRulecontentProductId42": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9991c277-e0a1-4079-8c40-fbfca2705615','-', '1.2.9')))]" }, "analyticRuleObject43": { - "analyticRuleVersion43": "1.0.5", + "analyticRuleVersion43": "1.0.6", "_analyticRulecontentId43": "526df43b-f514-477c-af7a-c8d3586457fb", "analyticRuleId43": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '526df43b-f514-477c-af7a-c8d3586457fb')]", "analyticRuleTemplateSpecName43": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('526df43b-f514-477c-af7a-c8d3586457fb')))]", "_analyticRulecontentProductId43": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','526df43b-f514-477c-af7a-c8d3586457fb','-', '1.0.5')))]" }, "analyticRuleObject44": { - "analyticRuleVersion44": "1.0.4", + "analyticRuleVersion44": "1.0.5", "_analyticRulecontentId44": "4f0356b2-d344-4c19-9375-31b9575d80cb", "analyticRuleId44": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4f0356b2-d344-4c19-9375-31b9575d80cb')]", "analyticRuleTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4f0356b2-d344-4c19-9375-31b9575d80cb')))]", "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4f0356b2-d344-4c19-9375-31b9575d80cb','-', '1.0.4')))]" }, "analyticRuleObject45": { - "analyticRuleVersion45": "1.0.3", + "analyticRuleVersion45": "1.0.4", "_analyticRulecontentId45": "9e32e545-e60c-47de-9941-f9ca1ada0a42", "analyticRuleId45": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9e32e545-e60c-47de-9941-f9ca1ada0a42')]", "analyticRuleTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9e32e545-e60c-47de-9941-f9ca1ada0a42')))]", "_analyticRulecontentProductId45": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9e32e545-e60c-47de-9941-f9ca1ada0a42','-', '1.0.3')))]" }, "analyticRuleObject46": { - "analyticRuleVersion46": "1.2.6", + "analyticRuleVersion46": "1.2.7", "_analyticRulecontentId46": "32b437c4-dddb-45b3-9aae-5188e80624b0", "analyticRuleId46": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '32b437c4-dddb-45b3-9aae-5188e80624b0')]", "analyticRuleTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('32b437c4-dddb-45b3-9aae-5188e80624b0')))]", "_analyticRulecontentProductId46": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','32b437c4-dddb-45b3-9aae-5188e80624b0','-', '1.2.6')))]" }, "analyticRuleObject47": { - "analyticRuleVersion47": "1.2.10", + "analyticRuleVersion47": "1.2.11", "_analyticRulecontentId47": "3b6bdb38-93c5-452f-ab3a-97a3d1320d16", "analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3b6bdb38-93c5-452f-ab3a-97a3d1320d16')]", "analyticRuleTemplateSpecName47": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3b6bdb38-93c5-452f-ab3a-97a3d1320d16')))]", "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3b6bdb38-93c5-452f-ab3a-97a3d1320d16','-', '1.2.10')))]" }, "analyticRuleObject48": { - "analyticRuleVersion48": "1.2.7", + "analyticRuleVersion48": "1.2.8", "_analyticRulecontentId48": "4de24a28-dcd0-4a0d-bf14-96d8483dc05a", "analyticRuleId48": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4de24a28-dcd0-4a0d-bf14-96d8483dc05a')]", "analyticRuleTemplateSpecName48": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4de24a28-dcd0-4a0d-bf14-96d8483dc05a')))]", "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4de24a28-dcd0-4a0d-bf14-96d8483dc05a','-', '1.2.7')))]" }, "analyticRuleObject49": { - "analyticRuleVersion49": "1.0.4", + "analyticRuleVersion49": "1.0.5", "_analyticRulecontentId49": "ad4fa1f2-2189-459c-9458-f77d2039d2f5", "analyticRuleId49": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ad4fa1f2-2189-459c-9458-f77d2039d2f5')]", "analyticRuleTemplateSpecName49": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ad4fa1f2-2189-459c-9458-f77d2039d2f5')))]", "_analyticRulecontentProductId49": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ad4fa1f2-2189-459c-9458-f77d2039d2f5','-', '1.0.4')))]" }, "analyticRuleObject50": { - "analyticRuleVersion50": "1.2.2", + "analyticRuleVersion50": "1.2.3", "_analyticRulecontentId50": "7c1ea2e6-6210-412c-92e4-180803a741b4", "analyticRuleId50": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7c1ea2e6-6210-412c-92e4-180803a741b4')]", "analyticRuleTemplateSpecName50": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7c1ea2e6-6210-412c-92e4-180803a741b4')))]", "_analyticRulecontentProductId50": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7c1ea2e6-6210-412c-92e4-180803a741b4','-', '1.2.2')))]" }, "analyticRuleObject51": { - "analyticRuleVersion51": "1.2.7", + "analyticRuleVersion51": "1.2.8", "_analyticRulecontentId51": "b306fba8-1a28-449f-aa24-30362e16d4f5", "analyticRuleId51": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b306fba8-1a28-449f-aa24-30362e16d4f5')]", "analyticRuleTemplateSpecName51": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b306fba8-1a28-449f-aa24-30362e16d4f5')))]", @@ -486,7 +486,7 @@ "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('d2fd7661-de21-47ab-a9f9-e6ded983fabe')))]" }, "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]", - "management": "[concat('https://management','.azure','.com/')]" + "management": "[concat('https://management','.azure','.com/')]" }, "resources": [ { 
@@ -498,7 +498,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence (NEW) data connector with template version 3.0.3", + "description": "Threat Intelligence (NEW) data connector with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -520,8 +520,8 @@ "graphQueries": [ { "metricName": "Total data received", - "legend": "ThreatIntelligenceIndicator", - "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") " + "legend": "ThreatIntelIndicators", + "baseQuery": "ThreatIntelIndicators | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") " } ], "connectivityCriterias": [ @@ -534,8 +534,8 @@ ], "dataTypes": [ { - "name": "ThreatIntelligenceIndicator", - "lastDataReceivedQuery": "ThreatIntelligenceIndicator | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "name": "ThreatIntelIndicators", + "lastDataReceivedQuery": "ThreatIntelIndicators | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ] } 
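Review bot: The `baseQuery` and `lastDataReceivedQuery` in hunks 520 and 534 swap the table name but carry the `SourceSystem !in ("SecurityGraph", "Azure Sentinel", "Microsoft Sentinel")` filter over verbatim, and nothing in the diff shows that rows in `ThreatIntelIndicators` use the same `SourceSystem` values as the legacy table. If the new table labels its sources differently, the "Total data received" graph and the last-data-received check will report nothing for a connector that is actually ingesting, or the filter will stop excluding Sentinel-originated indicators and inflate the count. I would confirm the `SourceSystem` value set against a live `ThreatIntelIndicators` table before this ships, since the same verbatim filter (or its `==` / `in (...)` variants) is repeated in hunks 626, 679, 693, 785, 1081, 1095, 1187, 1240, 1254 and 1346.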
@@ -626,14 +626,14 @@ "graphQueries": [ { "metricName": "Total data received", - "legend": "ThreatIntelligenceIndicator", - "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") " + "legend": "ThreatIntelIndicators", + "baseQuery": "ThreatIntelIndicators | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") " } ], "dataTypes": [ { - "name": "ThreatIntelligenceIndicator", - "lastDataReceivedQuery": "ThreatIntelligenceIndicator | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "name": "ThreatIntelIndicators", + "lastDataReceivedQuery": "ThreatIntelIndicators | where SourceSystem !in (\"SecurityGraph\", \"Azure Sentinel\", \"Microsoft Sentinel\") \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriterias": [ @@ -657,7 +657,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence (NEW) data connector with template version 3.0.3", + "description": "Threat Intelligence (NEW) data connector with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", @@ -679,8 +679,8 @@ "graphQueries": [ { "metricName": "Total data received", - "legend": "ThreatIntelligenceIndicator", - "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem == \"SecurityGraph\"" + "legend": "ThreatIntelIndicators", + "baseQuery": "ThreatIntelIndicators | where SourceSystem == \"SecurityGraph\"" } ], "connectivityCriterias": [ 
@@ -693,8 +693,8 @@ ], "dataTypes": [ { - "name": "ThreatIntelligenceIndicator", - "lastDataReceivedQuery": "ThreatIntelligenceIndicator | where SourceSystem == \"SecurityGraph\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "name": "ThreatIntelIndicators", + "lastDataReceivedQuery": "ThreatIntelIndicators | where SourceSystem == \"SecurityGraph\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ] } @@ -785,14 +785,14 @@ "graphQueries": [ { "metricName": "Total data received", - "legend": "ThreatIntelligenceIndicator", - "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem == \"SecurityGraph\"" + "legend": "ThreatIntelIndicators", + "baseQuery": "ThreatIntelIndicators | where SourceSystem == \"SecurityGraph\"" } ], "dataTypes": [ { - "name": "ThreatIntelligenceIndicator", - "lastDataReceivedQuery": "ThreatIntelligenceIndicator | where SourceSystem == \"SecurityGraph\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "name": "ThreatIntelIndicators", + "lastDataReceivedQuery": "ThreatIntelIndicators | where SourceSystem == \"SecurityGraph\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriterias": [ @@ -816,7 +816,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence (NEW) data connector with template version 3.0.3", + "description": "Threat Intelligence (NEW) data connector with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion3')]", 
@@ -839,26 +839,26 @@ { "metricName": "Total indicators received", "legend": "Connection Events", - "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem != 'Microsoft Sentinel'" + "baseQuery": "ThreatIntelIndicators | where SourceSystem != 'Microsoft Sentinel'" } ], "sampleQueries": [ { "description": "All Threat Intelligence APIs Indicators", - "query": "ThreatIntelligenceIndicator | where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| sort by TimeGenerated desc" + "query": "ThreatIntelIndicators | where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| sort by TimeGenerated desc" } ], "dataTypes": [ { - "name": "ThreatIntelligenceIndicator", - "lastDataReceivedQuery": "ThreatIntelligenceIndicator| where isnotempty(TimeGenerated) and SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| summarize Time = max(TimeGenerated)" + "name": "ThreatIntelIndicators", + "lastDataReceivedQuery": "ThreatIntelIndicators | where isnotempty(TimeGenerated) and SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| summarize Time = max(TimeGenerated)" } ], "connectivityCriterias": [ { "type": "IsConnectedQuery", "value": [ - "ThreatIntelligenceIndicator | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = false" + "ThreatIntelIndicators | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = false" ] } ], 
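Review bot: The `IsConnectedQuery` on the new side still ends in `| project IsConnected = false`, so after the rename this connector will never be reported as connected no matter what `ThreatIntelIndicators` contains; the `summarize LastLogReceived = max(TimeGenerated)` step is computed and then discarded. Unless the constant is deliberate for this connector, the value should be derived from the summarized timestamp, e.g. `"ThreatIntelIndicators | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(30d)"` (pick the staleness window the other connectors in this solution use). The same `IsConnected = false` line is carried into hunk 987 at the next file position. Separately, this hunk's `lastDataReceivedQuery` omits the trailing `| where isnotempty(Time)` that the connectors in hunks 534, 693, 1095 and 1254 apply, so on an empty table it returns one row with a null `Time` instead of no rows; aligning it with the others would make the "last data received" behaviour consistent across the file.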
@@ -890,7 +890,7 @@ "title": "Follow These Steps to Connect to your Threat Intelligence: " }, { - "description": "[concat('To send request to the APIs, you need to acquire Azure Active Directory access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n - Notice: Please request AAD access token with scope value: ', variables('management'), '.default')]", + "description": "[concat('To send request to the APIs, you need to acquire Microsoft Entra ID access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n - Notice: Please request Microsoft Entra ID access token with scope value: ', variables('management'), '.default')]", "title": "1. Get Microsoft Entra ID Access Token" }, { 
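Review bot: The wording in this description was updated from "Azure Active Directory" to "Microsoft Entra ID" but the sentence around it still reads awkwardly and the linked page is a Databricks-specific token how-to rather than guidance for this connector; a user following the link lands on instructions for a different product. I would at least fix the grammar to `To send requests to the APIs, you need to acquire a Microsoft Entra ID access token. You can follow the instructions on this page: …` and have the link target checked for a connector-appropriate page. The identical string is changed again in hunk 1038 and should be kept in sync.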
@@ -987,27 +987,27 @@ { "metricName": "Total indicators received", "legend": "Connection Events", - "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem != 'Microsoft Sentinel'" + "baseQuery": "ThreatIntelIndicators | where SourceSystem != 'Microsoft Sentinel'" } ], "dataTypes": [ { - "name": "ThreatIntelligenceIndicator", - "lastDataReceivedQuery": "ThreatIntelligenceIndicator| where isnotempty(TimeGenerated) and SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| summarize Time = max(TimeGenerated)" + "name": "ThreatIntelIndicators", + "lastDataReceivedQuery": "ThreatIntelIndicators | where isnotempty(TimeGenerated) and SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| summarize Time = max(TimeGenerated)" } ], "connectivityCriterias": [ { "type": "IsConnectedQuery", "value": [ - "ThreatIntelligenceIndicator | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = false" + "ThreatIntelIndicators | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = false" ] } ], "sampleQueries": [ { "description": "All Threat Intelligence APIs Indicators", - "query": "ThreatIntelligenceIndicator | where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| sort by TimeGenerated desc" + "query": "ThreatIntelIndicators | where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| sort by TimeGenerated desc" } ], "availability": { 
@@ -1038,7 +1038,7 @@ "title": "Follow These Steps to Connect to your Threat Intelligence: " }, { - "description": "[concat('To send request to the APIs, you need to acquire Azure Active Directory access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n - Notice: Please request AAD access token with scope value: ', variables('management'), '.default')]", + "description": "[concat('To send request to the APIs, you need to acquire Microsoft Entra ID access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n - Notice: Please request Microsoft Entra ID access token with scope value: ', variables('management'), '.default')]", "title": "1. Get Microsoft Entra ID Access Token" }, { @@ -1059,7 +1059,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence (NEW) data connector with template version 3.0.3", + "description": "Threat Intelligence (NEW) data connector with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion4')]", @@ -1081,8 +1081,8 @@ "graphQueries": [ { "metricName": "Total data received", - "legend": "ThreatIntelligenceIndicator", - "baseQuery": "ThreatIntelligenceIndicator\n | where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"" + "legend": "ThreatIntelIndicators", + "baseQuery": "ThreatIntelIndicators\n | where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"" } ], "connectivityCriterias": [ 
@@ -1095,8 +1095,8 @@ ], "dataTypes": [ { - "name": "ThreatIntelligenceIndicator", - "lastDataReceivedQuery": "ThreatIntelligenceIndicator \n | where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "name": "ThreatIntelIndicators", + "lastDataReceivedQuery": "ThreatIntelIndicators \n | where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ] } @@ -1187,14 +1187,14 @@ "graphQueries": [ { "metricName": "Total data received", - "legend": "ThreatIntelligenceIndicator", - "baseQuery": "ThreatIntelligenceIndicator\n | where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"" + "legend": "ThreatIntelIndicators", + "baseQuery": "ThreatIntelIndicators\n | where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"" } ], "dataTypes": [ { - "name": "ThreatIntelligenceIndicator", - "lastDataReceivedQuery": "ThreatIntelligenceIndicator \n | where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "name": "ThreatIntelIndicators", + "lastDataReceivedQuery": "ThreatIntelIndicators \n | where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriterias": [ 
@@ -1218,7 +1218,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence (NEW) data connector with template version 3.0.3", + "description": "Threat Intelligence (NEW) data connector with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion5')]", @@ -1240,8 +1240,8 @@ "graphQueries": [ { "metricName": "Total data received", - "legend": "ThreatIntelligenceIndicator", - "baseQuery": "ThreatIntelligenceIndicator\n | where SourceSystem in (\"Microsoft Defender Threat Intelligence\", \"Microsoft Emerging Threat Feed\")" + "legend": "ThreatIntelIndicators", + "baseQuery": "ThreatIntelIndicators\n | where SourceSystem in (\"Microsoft Defender Threat Intelligence\", \"Microsoft Emerging Threat Feed\")" } ], "connectivityCriterias": [ @@ -1254,8 +1254,8 @@ ], "dataTypes": [ { - "name": "ThreatIntelligenceIndicator", - "lastDataReceivedQuery": "ThreatIntelligenceIndicator \n | where SourceSystem in (\"Microsoft Defender Threat Intelligence\", \"Microsoft Emerging Threat Feed\")\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "name": "ThreatIntelIndicators", + "lastDataReceivedQuery": "ThreatIntelIndicators \n | where SourceSystem in (\"Microsoft Defender Threat Intelligence\", \"Microsoft Emerging Threat Feed\")\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ] } 
@@ -1346,14 +1346,14 @@ "graphQueries": [ { "metricName": "Total data received", - "legend": "ThreatIntelligenceIndicator", - "baseQuery": "ThreatIntelligenceIndicator\n | where SourceSystem in (\"Microsoft Defender Threat Intelligence\", \"Microsoft Emerging Threat Feed\")" + "legend": "ThreatIntelIndicators", + "baseQuery": "ThreatIntelIndicators\n | where SourceSystem in (\"Microsoft Defender Threat Intelligence\", \"Microsoft Emerging Threat Feed\")" } ], "dataTypes": [ { - "name": "ThreatIntelligenceIndicator", - "lastDataReceivedQuery": "ThreatIntelligenceIndicator \n | where SourceSystem in (\"Microsoft Defender Threat Intelligence\", \"Microsoft Emerging Threat Feed\")\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "name": "ThreatIntelIndicators", + "lastDataReceivedQuery": "ThreatIntelIndicators \n | where SourceSystem in (\"Microsoft Defender Threat Intelligence\", \"Microsoft Emerging Threat Feed\")\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriterias": [ @@ -1377,7 +1377,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ThreatIntelligenceNew Workbook with template version 3.0.3", + "description": "ThreatIntelligenceNew Workbook with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -1465,7 +1465,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_CloudAppEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "DomainEntity_CloudAppEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -1493,16 +1493,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "CloudAppEvents" - ], - "connectorId": "MicrosoftThreatProtection" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -1584,7 +1584,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -1612,22 +1612,22 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -1718,7 +1718,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_DeviceNetworkEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "DomainEntity_DeviceNetworkEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", 
@@ -1746,28 +1746,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ], - "connectorId": "MicrosoftThreatProtection" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -1871,7 +1871,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", 
@@ -1899,28 +1899,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "DNS", "dataTypes": [ "DnsEvents" - ], - "connectorId": "DNS" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -2019,7 +2019,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_EmailEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "DomainEntity_EmailEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -2047,28 +2047,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Office365", "dataTypes": [ "EmailEvents" - ], - "connectorId": "Office365" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -2149,7 +2149,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_EmailUrlInfo_Updated_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "DomainEntity_EmailUrlInfo_Updated_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", 
@@ -2177,28 +2177,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Office365", "dataTypes": [ "EmailUrlInfo" - ], - "connectorId": "Office365" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -2288,7 +2288,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
@@ -2316,28 +2316,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ], - "connectorId": "PaloAltoNetworks" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -2428,7 +2428,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", 
@@ -2456,28 +2456,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Syslog", "dataTypes": [ "Syslog" - ], - "connectorId": "Syslog" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -2576,7 +2576,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", 
@@ -2604,34 +2604,34 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftCloudAppSecurity", "dataTypes": [ "SecurityAlert" - ], - "connectorId": "MicrosoftCloudAppSecurity" + ] }, { + "connectorId": "AzureSecurityCenter", "dataTypes": [ "SecurityAlert" - ], - "connectorId": "AzureSecurityCenter" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -2722,7 +2722,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", 
@@ -2750,34 +2750,34 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "SquidProxy", "dataTypes": [ "SquidProxy_CL" - ], - "connectorId": "SquidProxy" + ] }, { + "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ], - "connectorId": "Zscaler" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ 
@@ -2807,17 +2807,17 @@ } ], "customDetails": { - "ThreatType": "ThreatType", - "IndicatorId": "IndicatorId", + "IoCDescription": "Description", "ActivityGroupNames": "ActivityGroupNames", + "IoCExpirationTime": "ValidUntil", + "IndicatorId": "IndicatorId", "IoCConfidenceScore": "Confidence", - "IoCDescription": "Description", - "EventTime": "Event_TimeGenerated", - "IoCExpirationTime": "ValidUntil" + "ThreatType": "ThreatType", + "EventTime": "Event_TimeGenerated" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC", - "alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{Type}}. Consult the threat intelligence blade for more information on the indicator." + "alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{Type}}. Consult the threat intelligence blade for more information on the indicator.", + "alertDisplayNameFormat": "A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC" } } }, @@ -2872,7 +2872,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", 
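Review bot: The `customDetails` block on the new side still maps `IndicatorId` to a column literally named `IndicatorId` and `ThreatType` to `ThreatType`, while the rest of this commit moves the rule's required data type from `ThreatIntelligenceIndicator` to `ThreatIntelIndicators`; the rule's KQL is outside this hunk, so I cannot confirm it still projects columns under those exact names. If the query now reads the new table without aliasing those fields, the alert's custom details would likely come through empty rather than failing deployment, which is easy to miss in testing. Worth confirming against the rule query in the source YAML (mainTemplate.json is generated) and adding a short comment there such as `# customDetails values must match column names projected by the query`. The `alertDetailsOverride` key reorder in this hunk is a generator artifact and needs no change; the enclosing rule object begins and ends outside the hunk.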
@@ -2900,28 +2900,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActivity", "dataTypes": [ "AzureActivity" - ], - "connectorId": "AzureActivity" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -3020,7 +3020,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_CloudAppEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "EmailEntity_CloudAppEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", @@ -3048,16 +3048,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "CloudAppEvents" - ], - "connectorId": "MicrosoftThreatProtection" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ 
@@ -3138,7 +3138,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_EmailEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "EmailEntity_EmailEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", @@ -3166,28 +3166,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Office365", "dataTypes": [ "EmailEvents" - ], - "connectorId": "Office365" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -3268,7 +3268,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", 
@@ -3296,28 +3296,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity" - ], - "connectorId": "Office365" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -3416,7 +3416,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", 
@@ -3444,28 +3444,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ], - "connectorId": "PaloAltoNetworks" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -3556,7 +3556,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", 
@@ -3584,28 +3584,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureSecurityCenter", "dataTypes": [ "SecurityAlert" - ], - "connectorId": "AzureSecurityCenter" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -3695,7 +3695,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", 
@@ -3723,40 +3723,40 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ], - "connectorId": "SecurityEvents" + ] }, { + "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvents" - ], - "connectorId": "WindowsSecurityEvents" + ] }, { + "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ], - "connectorId": "WindowsForwardedEvents" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -3860,7 +3860,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", 
@@ -3888,34 +3888,34 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -4014,7 +4014,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", 
@@ -4042,28 +4042,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ], - "connectorId": "PaloAltoNetworks" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -4192,7 +4192,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_DeviceFileEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "FileHashEntity_DeviceFileEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", 
@@ -4220,28 +4220,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceFileEvents" - ], - "connectorId": "MicrosoftThreatProtection" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -4344,7 +4344,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", 
@@ -4372,40 +4372,40 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ], - "connectorId": "SecurityEvents" + ] }, { + "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvents" - ], - "connectorId": "WindowsSecurityEvents" + ] }, { + "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ], - "connectorId": "WindowsForwardedEvents" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -4525,7 +4525,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", 
@@ -4553,28 +4553,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "AWS", "dataTypes": [ "AWSCloudTrail" - ], - "connectorId": "AWS" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -4665,7 +4665,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", @@ -4693,22 +4693,22 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ 
@@ -4824,7 +4824,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", @@ -4852,28 +4852,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "AzureActivity", "dataTypes": [ "AzureActivity" - ], - "connectorId": "AzureActivity" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -4990,7 +4990,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", 
@@ -5018,28 +5018,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ], - "connectorId": "AzureFirewall" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -5121,7 +5121,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", 
@@ -5149,28 +5149,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "AzureKeyVault", "dataTypes": [ "KeyVaultData" - ], - "connectorId": "AzureKeyVault" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -5252,7 +5252,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", @@ -5280,22 +5280,22 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ 
@@ -5394,7 +5394,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", @@ -5422,28 +5422,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ], - "connectorId": "AzureSql" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -5516,7 +5516,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_CloudAppEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_CloudAppEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", 
@@ -5544,16 +5544,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "CloudAppEvents" - ], - "connectorId": "MicrosoftThreatProtection" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -5653,7 +5653,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", @@ -5681,28 +5681,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "CEF", "dataTypes": [ "CommonSecurityLog" - ], - "connectorId": "CEF" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ 
@@ -5784,7 +5784,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DeviceNetworkEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_DeviceNetworkEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]", @@ -5812,28 +5812,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ], - "connectorId": "MicrosoftThreatProtection" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ 
@@ -5937,7 +5937,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", @@ -5965,28 +5965,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "DNS", "dataTypes": [ "DnsEvents" - ], - "connectorId": "DNS" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -6085,7 +6085,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]", 
@@ -6113,28 +6113,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "CiscoDuoSecurity", "dataTypes": [ "CiscoDuo" - ], - "connectorId": "CiscoDuoSecurity" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -6224,7 +6224,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]", 
@@ -6252,28 +6252,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity" - ], - "connectorId": "Office365" + ] } ], "tactics": [ @@ -6372,7 +6372,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_SigninLogs_Updated_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_SigninLogs_Updated_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]", 
@@ -6400,34 +6400,34 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -6526,7 +6526,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]", 
@@ -6554,28 +6554,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "AzureMonitor(IIS)", "dataTypes": [ "W3CIISLog" - ], - "connectorId": "AzureMonitor(IIS)" + ] } ], "tactics": [ @@ -6675,7 +6675,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]", 
@@ -6703,28 +6703,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ], - "connectorId": "AzureMonitor(VMInsights)" + ] } ], "tactics": [ @@ -6819,7 +6819,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_Workday_Updated_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_Workday_Updated_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]", 
@@ -6847,28 +6847,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "Workday", "dataTypes": [ "Workday" - ], - "connectorId": "Workday" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -6958,7 +6958,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]", 
@@ -6986,113 +6986,113 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AWSS3", "dataTypes": [ "AWSVPCFlow" - ], - "connectorId": "AWSS3" + ] }, { + "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ], - "connectorId": "MicrosoftThreatProtection" + ] }, { + "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ], - "connectorId": "SecurityEvents" + ] }, { + "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ], - "connectorId": "WindowsForwardedEvents" + ] }, { + "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ], - "connectorId": "Zscaler" + ] }, { + "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ], - "connectorId": "MicrosoftSysmonForLinux" + ] }, { + "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ], - "connectorId": "PaloAltoNetworks" + ] }, { + "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ], - "connectorId": "AzureMonitor(VMInsights)" + ] }, { + "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ], - "connectorId": "AzureFirewall" + ] }, { + "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ], - "connectorId": "AzureNSG" + ] }, { + "connectorId": "CiscoASA", "dataTypes": [ "CommonSecurityLog" - ], - "connectorId": "CiscoASA" + ] }, { + "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ], - "connectorId": "Corelight" + ] }, { + "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream" - ], - "connectorId": "AIVectraStream" + ] }, { + "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ], - "connectorId": "CheckPoint" + ] }, { + "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ], - "connectorId": "Fortinet" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + 
"connectorId": "CiscoMeraki", "dataTypes": [ "Syslog", "CiscoMerakiNativePoller" - ], - "connectorId": "CiscoMeraki" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -7122,19 +7122,19 @@ } ], "customDetails": { - "ThreatType": "Type", - "IndicatorId": "Id", + "IoCDescription": "Description", "ActivityGroupNames": "ActivityGroupNames", - "EventEndTime": "imNWS_maxtime", "IoCIPDirection": "IoCDirection", - "IoCConfidenceScore": "Confidence", - "IoCDescription": "Description", + "IoCExpirationTime": "ValidUntil", + "IndicatorId": "Id", "EventStartTime": "imNWS_mintime", - "IoCExpirationTime": "ValidUntil" + "IoCConfidenceScore": "Confidence", + "EventEndTime": "imNWS_maxtime", + "ThreatType": "Type" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "A network session {{IoCDirection}} address {{IoCIP}} matched an IoC.", - "alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{Type}}. Consult the threat intelligence blead for more information on the indicator." + "alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{Type}}. Consult the threat intelligence blead for more information on the indicator.", + "alertDisplayNameFormat": "A network session {{IoCDirection}} address {{IoCIP}} matched an IoC." } } }, 
@@ -7189,7 +7189,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]", @@ -7217,34 +7217,34 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "SquidProxy", "dataTypes": [ "SquidProxy_CL" - ], - "connectorId": "SquidProxy" + ] }, { + "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ], - "connectorId": "Zscaler" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ 
@@ -7274,17 +7274,17 @@ } ], "customDetails": { - "ThreatType": "ThreatType", - "IndicatorId": "IndicatorId", + "IoCDescription": "Description", "ActivityGroupNames": "ActivityGroupNames", + "IoCExpirationTime": "ValidUntil", + "IndicatorId": "IndicatorId", "IoCConfidenceScore": "Confidence", - "IoCDescription": "Description", - "EventTime": "imNWS_TimeGenerated", - "IoCExpirationTime": "ValidUntil" + "ThreatType": "ThreatType", + "EventTime": "imNWS_TimeGenerated" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "The IP {{SrcIpAddr}} of the web request matches an IP IoC", - "alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator." + "alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator.", + "alertDisplayNameFormat": "The IP {{SrcIpAddr}} of the web request matches an IP IoC" } } }, @@ -7339,7 +7339,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intel Matches to GitHub Audit Logs_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "Threat Intel Matches to GitHub Audit Logs_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]", 
@@ -7367,22 +7367,22 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -7464,7 +7464,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]", @@ -7492,28 +7492,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ 
@@ -7620,7 +7620,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_CloudAppEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "URLEntity_CloudAppEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]", @@ -7648,16 +7648,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "CloudAppEvents" - ], - "connectorId": "MicrosoftThreatProtection" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -7769,7 +7769,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_DeviceNetworkEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "URLEntity_DeviceNetworkEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]", 
@@ -7797,28 +7797,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ], - "connectorId": "MicrosoftThreatProtection" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -7922,7 +7922,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_EmailUrlInfo_Updated_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "URLEntity_EmailUrlInfo_Updated_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]", 
@@ -7950,28 +7950,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EmailUrlInfo" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -8061,7 +8061,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]", 
@@ -8089,28 +8089,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ], - "connectorId": "PaloAltoNetworks" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -8201,7 +8201,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]", 
@@ -8229,34 +8229,34 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "MicrosoftCloudAppSecurity", "dataTypes": [ "SecurityAlert" - ], - "connectorId": "MicrosoftCloudAppSecurity" + ] }, { + "connectorId": "AzureSecurityCenter", "dataTypes": [ "SecurityAlert" - ], - "connectorId": "AzureSecurityCenter" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -8338,7 +8338,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject48').analyticRuleVersion48]", 
@@ -8366,28 +8366,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Syslog", "dataTypes": [ "Syslog" - ], - "connectorId": "Syslog" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -8478,7 +8478,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_UrlClickEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "URLEntity_UrlClickEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]", 
@@ -8506,28 +8506,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "UrlClickEvents" - ], - "connectorId": "MicrosoftThreatProtection" + ] }, { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] } ], "tactics": [ @@ -8617,7 +8617,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "imDns_DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "imDns_DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject50').analyticRuleVersion50]", 
@@ -8645,70 +8645,70 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "DNS", "dataTypes": [ "DnsEvents" - ], - "connectorId": "DNS" + ] }, { + "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ], - "connectorId": "AzureFirewall" + ] }, { + "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ], - "connectorId": "Zscaler" + ] }, { + "connectorId": "InfobloxNIOS", "dataTypes": [ "Syslog" - ], - "connectorId": "InfobloxNIOS" + ] }, { + "connectorId": "GCPDNSDataConnector", "dataTypes": [ "GCP_DNS_CL" - ], - "connectorId": "GCPDNSDataConnector" + ] }, { + "connectorId": "NXLogDnsLogs", "dataTypes": [ "NXLog_DNS_Server_CL" - ], - "connectorId": "NXLogDnsLogs" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "CiscoUmbrellaDataConnector", "dataTypes": [ "Cisco_Umbrella_dns_CL" - ], - "connectorId": "CiscoUmbrellaDataConnector" + ] }, { + "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ], - "connectorId": "Corelight" + ] } ], "tactics": [ 
@@ -8764,16 +8764,16 @@ } ], "customDetails": { + "Description": "Description", + "ExpirationDateTime": "ValidUntil", "ConfidenceScore": "Confidence", + "IndicatorId": "IndicatorId", + "DnsQuery": "DnsQuery", "QueryType": "DnsQueryType", - "LatestIndicatorTime": "LatestIndicatorTime", "ActivityGroupNames": "ActivityGroupNames", - "ExpirationDateTime": "ValidUntil", - "DNSRequestTime": "DNS_TimeGenerated", - "DnsQuery": "DnsQuery", - "Description": "Description", "SourceIPAddress": "SrcIpAddr", - "IndicatorId": "IndicatorId" + "DNSRequestTime": "DNS_TimeGenerated", + "LatestIndicatorTime": "LatestIndicatorTime" } } }, @@ -8828,7 +8828,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "imDns_IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "imDns_IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject51').analyticRuleVersion51]", 
@@ -8856,70 +8856,70 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "ThreatIntelligenceTaxii" + "ThreatIntelIndicators" + ] }, { + "connectorId": "DNS", "dataTypes": [ "DnsEvents" - ], - "connectorId": "DNS" + ] }, { + "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ], - "connectorId": "AzureFirewall" + ] }, { + "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ], - "connectorId": "Zscaler" + ] }, { + "connectorId": "InfobloxNIOS", "dataTypes": [ "Syslog" - ], - "connectorId": "InfobloxNIOS" + ] }, { + "connectorId": "GCPDNSDataConnector", "dataTypes": [ "GCP_DNS_CL" - ], - "connectorId": "GCPDNSDataConnector" + ] }, { + "connectorId": "NXLogDnsLogs", "dataTypes": [ "NXLog_DNS_Server_CL" - ], - "connectorId": "NXLogDnsLogs" + ] }, { + "connectorId": "CiscoUmbrellaDataConnector", "dataTypes": [ "Cisco_Umbrella_dns_CL" - ], - "connectorId": "CiscoUmbrellaDataConnector" + ] }, { + "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ], - "connectorId": "MicrosoftDefenderThreatIntelligence" + "ThreatIntelIndicators" + ] }, { + "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ], - "connectorId": "Corelight" + ] } ], "tactics": [ 
@@ -8958,20 +8958,20 @@ } ], "customDetails": { - "ConfidenceScore": "Confidence", - "ThreatType": "ThreatType", - "LatestIndicatorTime": "LatestIndicatorTime", - "ActivityGroupNames": "ActivityGroupNames", "Description": "Description", - "DNSRequestTime": "imDns_mintime", + "ActivityGroupNames": "ActivityGroupNames", + "ConfidenceScore": "Confidence", + "IndicatorId": "IndicatorId", "DnsQuery": "DnsQuery", "SourceIPAddress": "SrcIpAddr", - "IndicatorId": "IndicatorId", - "ExpirationDateTime": "ValidUntil" + "ExpirationDateTime": "ValidUntil", + "DNSRequestTime": "imDns_mintime", + "LatestIndicatorTime": "LatestIndicatorTime", + "ThreatType": "ThreatType" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "The response {{IoC}} to DNS query matched an IoC", - "alertDescriptionFormat": "The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{Type}}. Consult the threat intelligence blade for more information on the indicator." + "alertDescriptionFormat": "The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{Type}}. Consult the threat intelligence blade for more information on the indicator.", + "alertDisplayNameFormat": "The response {{IoC}} to DNS query matched an IoC" } } }, @@ -9026,7 +9026,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ThreatIntelIndicatorsv2 Data Parser with template version 3.0.3", + "description": "ThreatIntelIndicatorsv2 Data Parser with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
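Review bot: The alertDetailsOverride kept in this imDns_IPEntity_DnsEvents hunk formats the description with `{{Type}}` while the rule's customDetails in the same hunk expose the indicator category as `"ThreatType": "ThreatType"`, and `{{IoC}}` is not among the customDetails at all; Sentinel resolves these placeholders against the query's output columns, so unless the query still projects columns literally named `Type` and `IoC`, the alert text renders with the type and indicator blank. The sibling IP/web-request rule at the top of this page uses `{{ThreatType}}` for the same purpose, so the two should agree now that both rules are pointed at the ThreatIntelIndicators schema. The query itself is outside this hunk, so this is inferred from the customDetails mapping only and should be confirmed against the rule's KQL. Because this mainTemplate.json is generated from the rule YAML, the fix belongs in the source rule's alertDetailsOverride, e.g. `"alertDescriptionFormat": "The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator."`, followed by a repackage, rather than a hand edit here.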
@@ -9158,7 +9158,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.0.3", + "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -9239,7 +9239,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.0.3", + "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -9320,7 +9320,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.0.3", + "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", 
@@ -9401,7 +9401,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.0.3", + "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -9482,7 +9482,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 3.0.3", + "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -9559,7 +9559,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.3", + "version": "3.0.4", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Threat Intelligence (NEW)", diff --git a/Solutions/Threat Intelligence (NEW)/ReleaseNotes.md b/Solutions/Threat Intelligence (NEW)/ReleaseNotes.md index 5ecef65be54..5a514fd3dea 100644 --- a/Solutions/Threat Intelligence (NEW)/ReleaseNotes.md +++ b/Solutions/Threat Intelligence (NEW)/ReleaseNotes.md 
@@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| +| 3.0.4 | 08-08-2025 | Updated **Data Connectors** and **Analytic Rules** to ensures consistency and likely aligns with updated connector schemas or naming conventions| | 3.0.3 | 25-07-2025 | Added several new **Data Connectors** for Microsoft Sentinel, aimed at enhancing threat intelligence integration capabilities| | 3.0.2 | 10-07-2025 | Improve kql query efficiency and accuracy| | 3.0.1 | 17-04-2025 | Updated entity mappings of **Analytic Rules**|