diff --git a/Solutions/Box/Analytic Rules/BoxAbnormalUserActivity.yaml b/Solutions/Box/Analytic Rules/BoxAbnormalUserActivity.yaml
index 33af0502ef5..c3b4deacd15 100644
--- a/Solutions/Box/Analytic Rules/BoxAbnormalUserActivity.yaml
+++ b/Solutions/Box/Analytic Rules/BoxAbnormalUserActivity.yaml
@@ -20,11 +20,11 @@ query: |
 let lbperiod_start = 14d;
 let lbperiod_end = 24h;
 let user_actions_1 = BoxEvents
- | where TimeGenerated between (ago(lbperiod_start) .. ago(lbperiod_end))
+ | where EventEndTime between (ago(lbperiod_start) .. ago(lbperiod_end))
 | summarize TotalEvents = count() by SourceName
 | project TotalEvents, User = SourceName;
 let user_actions_2 = BoxEvents
- | where TimeGenerated between (ago(lbperiod_start) .. ago(lbperiod_end))
+ | where EventEndTime between (ago(lbperiod_start) .. ago(lbperiod_end))
 | summarize TotalEvents = count() by SrcUserName
 | project TotalEvents, User = SrcUserName;
 let TotalActions = (union user_actions_1, user_actions_2)
@@ -50,5 +50,5 @@ entityMappings:
 fieldMappings:
 - identifier: FullName
 columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Box/Analytic Rules/BoxInactiveUserLogin.yaml b/Solutions/Box/Analytic Rules/BoxInactiveUserLogin.yaml
index 95368db25d5..20fa4096193 100644
--- a/Solutions/Box/Analytic Rules/BoxInactiveUserLogin.yaml
+++ b/Solutions/Box/Analytic Rules/BoxInactiveUserLogin.yaml
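Review bot: Both `| where EventEndTime between (ago(lbperiod_start) .. ago(lbperiod_end))` lines now make EventEndTime the only time predicate, so a BoxEvents row whose EventEndTime is empty (whether the BoxEvents parser or the CCP transform can leave it blank is not visible here) silently falls out of the baseline instead of being counted. A guard such as `| where isnotempty(EventEndTime)` ahead of the range filter, or `coalesce(EventEndTime, TimeGenerated)` inside it, would make that choice explicit and keep late-populated rows. To my knowledge a scheduled rule is still bounded to its queryPeriod on TimeGenerated regardless of this filter, so the 14d `lbperiod_start` only holds if the rule's queryPeriod (outside the hunk) is at least 14d. The same point applies to the EventEndTime filters introduced in BoxInactiveUserLogin, BoxMultipleItemsDeletedByUser, BoxUserLoginAsAdmin, BoxUserRoleChangedToOwner and the hunting queries further down.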
@@ -21,11 +21,11 @@ query: |
 let lbperiod_end = 7d;
 let lbtime = 1h;
 let active_users = BoxEvents
- | where TimeGenerated between (ago(lbperiod_end) .. ago(lbtime))
+ | where EventEndTime between (ago(lbperiod_end) .. ago(lbtime))
 | where EventType =~ 'LOGIN'
 | summarize makeset(SourceName);
 let inactive_users = BoxEvents
- | where TimeGenerated between (ago(lbperiod_start) .. ago(lbperiod_end))
+ | where EventEndTime between (ago(lbperiod_start) .. ago(lbperiod_end))
 | where EventType =~ 'LOGIN'
 | where SourceName !in (active_users)
 | summarize makeset(SourceName);
@@ -38,5 +38,5 @@ entityMappings:
 fieldMappings:
 - identifier: FullName
 columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Box/Analytic Rules/BoxMultipleItemsDeletedByUser.yaml b/Solutions/Box/Analytic Rules/BoxMultipleItemsDeletedByUser.yaml
index 46fab48bccc..bf6d2658dad 100644
--- a/Solutions/Box/Analytic Rules/BoxMultipleItemsDeletedByUser.yaml
+++ b/Solutions/Box/Analytic Rules/BoxMultipleItemsDeletedByUser.yaml
@@ -20,7 +20,7 @@ query: |
 let threshold = 100;
 BoxEvents
 | where EventType =~ 'DELETE'
- | summarize deleted_items = dcount(SourceItemName) by SrcUserName, bin(TimeGenerated, 5m)
+ | summarize deleted_items = dcount(SourceItemName) by SrcUserName, bin(EventEndTime, 5m)
 | where deleted_items > threshold
 | extend AccountCustomEntity = SrcUserName
 entityMappings:
@@ -28,5 +28,5 @@ entityMappings:
 fieldMappings:
 - identifier: FullName
 columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Box/Analytic Rules/BoxUserLoginAsAdmin.yaml b/Solutions/Box/Analytic Rules/BoxUserLoginAsAdmin.yaml
index 7bc5bd444cf..8d1fede18e8 100644
--- a/Solutions/Box/Analytic Rules/BoxUserLoginAsAdmin.yaml
+++ b/Solutions/Box/Analytic Rules/BoxUserLoginAsAdmin.yaml
@@ -20,7 +20,7 @@ query: |
 let lbperiod_start = 14d;
 let lbperiod_end = 1d;
 let admins = BoxEvents
- | where TimeGenerated between (ago(lbperiod_start) .. ago(lbperiod_end))
+ | where EventEndTime between (ago(lbperiod_start) .. ago(lbperiod_end))
 | where EventType =~ 'ADMIN_LOGIN'
 | summarize makeset(SourceLogin);
 BoxEvents
@@ -37,5 +37,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Box/Analytic Rules/BoxUserRoleChangedToOwner.yaml b/Solutions/Box/Analytic Rules/BoxUserRoleChangedToOwner.yaml
index 5460e241a6e..650df297d41 100644
--- a/Solutions/Box/Analytic Rules/BoxUserRoleChangedToOwner.yaml
+++ b/Solutions/Box/Analytic Rules/BoxUserRoleChangedToOwner.yaml
@@ -20,14 +20,14 @@ query: |
 let lbperiod = 14d;
 let lbtime = 1h;
 BoxEvents
- | where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
+ | where EventEndTime between (ago(lbperiod) .. ago(lbtime))
 | where EventType =~ 'COLLABORATION_INVITE'
 | where AdditionalDetailsRole !~ 'Owner'
- | summarize min(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole
+ | summarize min(EventEndTime) by AccessibleByName, FileDirectory, AdditionalDetailsRole
 | project AccessibleByName, FileDirectory, InitialRole = AdditionalDetailsRole
 |join (BoxEvents
 | where EventType =~ 'COLLABORATION_ROLE_CHANGE'
- | summarize max(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole
+ | summarize max(EventEndTime) by AccessibleByName, FileDirectory, AdditionalDetailsRole
 | project AccessibleByName, FileDirectory, NewRole = AdditionalDetailsRole
 ) on FileDirectory, AccessibleByName
 | where NewRole =~ 'Owner'
@@ -38,5 +38,5 @@ entityMappings:
 fieldMappings:
 - identifier: FullName
 columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
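Review bot: In the BoxUserRoleChangedToOwner hunk the invite side is bounded by `| where EventEndTime between (ago(lbperiod) .. ago(lbtime))`, but the joined COLLABORATION_ROLE_CHANGE side carries no EventEndTime bound and both `project` lines discard the `min_EventEndTime`/`max_EventEndTime` columns the new `summarize` lines compute, so a role change that predates the invite still pairs with it. Keeping the timestamps — `| project AccessibleByName, FileDirectory, InitialRole = AdditionalDetailsRole, InviteTime = min_EventEndTime` on the left, `| project AccessibleByName, FileDirectory, NewRole = AdditionalDetailsRole, ChangeTime = max_EventEndTime` on the right — and adding `| where ChangeTime > InviteTime` after the join would pin the ordering the rule's name implies. The rule's queryPeriod may already bound the join side on TimeGenerated, but that is not visible in the hunk.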
diff --git a/Solutions/Box/Data/Solution_Box.json b/Solutions/Box/Data/Solution_Box.json
index 802a08f2fed..4143e0b8f71 100644
--- a/Solutions/Box/Data/Solution_Box.json
+++ b/Solutions/Box/Data/Solution_Box.json
@@ -38,7 +38,7 @@
 "Analytic Rules/BoxUserRoleChangedToOwner.yaml"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Box",
- "Version": "3.1.0",
+ "Version": "3.1.2",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
diff --git a/Solutions/Box/Hunting Queries/BoxAdminIpAddress.yaml b/Solutions/Box/Hunting Queries/BoxAdminIpAddress.yaml
index 9f41e28e561..dbeb8f9206b 100644
--- a/Solutions/Box/Hunting Queries/BoxAdminIpAddress.yaml
+++ b/Solutions/Box/Hunting Queries/BoxAdminIpAddress.yaml
@@ -14,7 +14,7 @@ relevantTechniques:
 - T1078
 query: |
 BoxEvents
- | where TimeGenerated > ago(30d)
+ | where EventEndTime > ago(30d)
 | where EventType =~ 'ADMIN_LOGIN'
 | summarize makeset(SrcIpAddr) by SourceLogin
 | extend AccountCustomEntity = SourceLogin
diff --git a/Solutions/Box/Hunting Queries/BoxDeletedUsers.yaml b/Solutions/Box/Hunting Queries/BoxDeletedUsers.yaml
index d06b99c4b2f..65f07cf909a 100644
--- a/Solutions/Box/Hunting Queries/BoxDeletedUsers.yaml
+++ b/Solutions/Box/Hunting Queries/BoxDeletedUsers.yaml
@@ -13,9 +13,9 @@ relevantTechniques:
 - T1531
 query: |
 BoxEvents
- | where TimeGenerated > ago(24h)
+ | where EventEndTime > ago(24h)
 | where EventType =~ 'DELETE_USER'
- | project TimeGenerated, SourceName, SourceLogin
+ | project EventEndTime, SourceName, SourceLogin
 | extend AccountCustomEntity = SourceLogin
 entityMappings:
 - entityType: Account
diff --git a/Solutions/Box/Hunting Queries/BoxInactiveAdmins.yaml b/Solutions/Box/Hunting Queries/BoxInactiveAdmins.yaml
index 343dc47626b..73189739831 100644
--- a/Solutions/Box/Hunting Queries/BoxInactiveAdmins.yaml
+++ b/Solutions/Box/Hunting Queries/BoxInactiveAdmins.yaml
@@ -13,20 +13,20 @@ relevantTechniques:
 - T1078
 query: |
 let active_admins = BoxEvents
- | where TimeGenerated between (ago(7d) .. ago(1d))
+ | where EventEndTime between (ago(7d) .. ago(1d))
 | where EventType =~ 'ADMIN_LOGIN'
 | summarize makeset(SourceLogin);
 let inactive_admins = BoxEvents
- | where TimeGenerated between (ago(30d) .. ago(7d))
+ | where EventEndTime between (ago(30d) .. ago(7d))
 | where EventType =~ 'ADMIN_LOGIN'
 | where SourceLogin !in (active_admins)
 | summarize makeset(SourceLogin);
 BoxEvents
- | where TimeGenerated > ago(7d)
+ | where EventEndTime > ago(7d)
 | where EventType =~ 'ADMIN_LOGIN'
 | where SourceLogin !in (active_admins)
 | where SourceLogin in (inactive_admins)
- | summarize LastLoginTime = max(TimeGenerated) by SourceLogin
+ | summarize LastLoginTime = max(EventEndTime) by SourceLogin
 | project LastLoginTime, SourceLogin
 | extend AccountCustomEntity = SourceLogin
 entityMappings:
diff --git a/Solutions/Box/Hunting Queries/BoxInactiveUsers.yaml b/Solutions/Box/Hunting Queries/BoxInactiveUsers.yaml
index f71e4b74273..1a18372afd7 100644
--- a/Solutions/Box/Hunting Queries/BoxInactiveUsers.yaml
+++ b/Solutions/Box/Hunting Queries/BoxInactiveUsers.yaml
@@ -13,20 +13,20 @@ relevantTechniques:
 - T1078
 query: |
 let active_admins = BoxEvents
- | where TimeGenerated between (ago(7d) .. ago(1d))
+ | where EventEndTime between (ago(7d) .. ago(1d))
 | where EventType =~ 'LOGIN'
 | summarize makeset(SourceLogin);
 let inactive_admins = BoxEvents
- | where TimeGenerated between (ago(30d) .. ago(7d))
+ | where EventEndTime between (ago(30d) .. ago(7d))
 | where EventType =~ 'LOGIN'
 | where SourceLogin !in (active_admins)
 | summarize makeset(SourceLogin);
 BoxEvents
- | where TimeGenerated > ago(7d)
+ | where EventEndTime > ago(7d)
 | where EventType =~ 'LOGIN'
 | where SourceLogin !in (active_admins)
 | where SourceLogin in (inactive_admins)
- | summarize LastLoginTime = max(TimeGenerated) by SourceLogin
+ | summarize LastLoginTime = max(EventEndTime) by SourceLogin
 | project LastLoginTime, SourceLogin
 | extend AccountCustomEntity = SourceLogin
 entityMappings:
diff --git a/Solutions/Box/Hunting Queries/BoxNewUsers.yaml b/Solutions/Box/Hunting Queries/BoxNewUsers.yaml
index c1876b24b46..517add67ca6 100644
--- a/Solutions/Box/Hunting Queries/BoxNewUsers.yaml
+++ b/Solutions/Box/Hunting Queries/BoxNewUsers.yaml
@@ -14,9 +14,9 @@ relevantTechniques:
 - T1078
 query: |
 BoxEvents
- | where TimeGenerated > ago(24h)
+ | where EventEndTime > ago(24h)
 | where EventType =~ 'NEW_USER'
- | project TimeGenerated, SourceName, SourceLogin
+ | project EventEndTime, SourceName, SourceLogin
 | extend AccountCustomEntity = SourceLogin
 entityMappings:
 - entityType: Account
diff --git a/Solutions/Box/Hunting Queries/BoxSuspiciousFiles.yaml b/Solutions/Box/Hunting Queries/BoxSuspiciousFiles.yaml
index 864dedab4f8..3135142de61 100644
--- a/Solutions/Box/Hunting Queries/BoxSuspiciousFiles.yaml
+++ b/Solutions/Box/Hunting Queries/BoxSuspiciousFiles.yaml
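Review bot: The BoxInactiveUsers hunk keeps the `active_admins` and `inactive_admins` names from BoxInactiveAdmins while every filter in it is `| where EventType =~ 'LOGIN'`, so the names now describe the wrong population and an analyst reading the three `EventEndTime` windows will assume an admin-only result. Renaming the two let-bindings to `active_users` and `inactive_users` (and the two `!in`/`in` references to them) costs nothing and matches how BoxInactiveUserLogin already names the same sets. The 7d/30d windows and the `LastLoginTime` output are otherwise unchanged.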
@@ -13,9 +13,9 @@ relevantTechniques:
 - T1048
 query: |
 BoxEvents
- | where TimeGenerated > ago(24h)
+ | where EventEndTime > ago(24h)
 | where SourceItemName =~ 'id_rsa' or SourceItemName contains 'password' or SourceItemName contains 'key' or SourceItemName contains '_key' or SourceItemName contains '.ssh' or SourceItemName endswith '.npmrc' or SourceItemName endswith '.muttrc' or SourceItemName contains 'config.json' or SourceItemName contains '.gitconfig' or SourceItemName endswith '.netrc' or SourceItemName endswith 'package.json' or SourceItemName endswith 'Gemfile' or SourceItemName endswith 'bower.json' or SourceItemName endswith 'config.gypi' or SourceItemName endswith 'travis.yml' or SourceItemName endswith '.ps1' or SourceItemName endswith '.bat' or SourceItemName endswith '.scr' or SourceItemName endswith '.sh' or SourceItemName endswith '.exe' or SourceFileName =~ 'id_rsa' or SourceFileName contains 'password' or SourceFileName contains 'key' or SourceFileName contains '_key' or SourceFileName contains '.ssh' or SourceFileName endswith '.npmrc' or SourceFileName endswith '.muttrc' or SourceFileName contains 'config.json' or SourceFileName contains '.gitconfig' or SourceFileName endswith '.netrc' or SourceFileName endswith 'package.json' or SourceFileName endswith 'Gemfile' or SourceFileName contains 'bower.json' or SourceFileName contains 'config.gypi' or SourceFileName contains 'travis.yml' or SourceFileName endswith '.ps1' or SourceFileName endswith '.bat' or SourceFileName endswith '.scr' or SourceFileName endswith '.sh' or SourceFileName endswith '.exe'
- | project TimeGenerated, SourceName, SourceLogin
+ | project EventEndTime, SourceName, SourceLogin
 | extend AccountCustomEntity = SourceLogin
 entityMappings:
 - entityType: Account
diff --git a/Solutions/Box/Hunting Queries/BoxUserDownloadsByVolume.yaml b/Solutions/Box/Hunting Queries/BoxUserDownloadsByVolume.yaml
index fd35d2a5a21..6691ecd069d 100644
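Review bot: The new `| project EventEndTime, SourceName, SourceLogin` line in BoxSuspiciousFiles drops SourceItemName and SourceFileName, the very columns the preceding `where` matched on, so a hit tells the analyst who and when but not which file or which pattern fired. Widening it to `| project EventEndTime, SourceName, SourceLogin, SourceItemName, SourceFileName, EventType` keeps the evidence in the result row without changing the match logic. Given how broad the `contains 'key'` and `contains 'password'` clauses are, that context is what lets a triager dismiss a false hit quickly.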
--- a/Solutions/Box/Hunting Queries/BoxUserDownloadsByVolume.yaml
+++ b/Solutions/Box/Hunting Queries/BoxUserDownloadsByVolume.yaml
@@ -16,7 +16,7 @@ relevantTechniques:
 - T1530
 query: |
 BoxEvents
- | where TimeGenerated > ago(24h)
+ | where EventEndTime > ago(24h)
 | where EventType =~ 'DOWNLOAD'
 | summarize ['DataVolume(Bytes)'] = sum(FileSize) by SrcUserName
 | project SrcUserName, ['DataVolume(Bytes)']
diff --git a/Solutions/Box/Hunting Queries/BoxUserGroupChanges.yaml b/Solutions/Box/Hunting Queries/BoxUserGroupChanges.yaml
index d25ef309119..88abe4dea4c 100644
--- a/Solutions/Box/Hunting Queries/BoxUserGroupChanges.yaml
+++ b/Solutions/Box/Hunting Queries/BoxUserGroupChanges.yaml
@@ -13,9 +13,9 @@ relevantTechniques:
 - T1078
 query: |
 BoxEvents
- | where TimeGenerated > ago(24h)
+ | where EventEndTime > ago(24h)
 | where EventType =~ 'GROUP_ADD_USER'
- | project TimeGenerated, SourceName, SourceLogin, AdditionalDetailsGroupName
+ | project EventEndTime, SourceName, SourceLogin, AdditionalDetailsGroupName
 | extend AccountCustomEntity = SourceLogin
 entityMappings:
 - entityType: Account
diff --git a/Solutions/Box/Hunting Queries/BoxUserUploadsByVolume.yaml b/Solutions/Box/Hunting Queries/BoxUserUploadsByVolume.yaml
index 89caea649c9..9b637f1f365 100644
--- a/Solutions/Box/Hunting Queries/BoxUserUploadsByVolume.yaml
+++ b/Solutions/Box/Hunting Queries/BoxUserUploadsByVolume.yaml
@@ -15,7 +15,7 @@ relevantTechniques:
 - T1537
 query: |
 BoxEvents
- | where TimeGenerated > ago(24h)
+ | where EventEndTime > ago(24h)
 | where EventType =~ 'UPLOAD'
 | summarize ['DataVolume(Bytes)'] = sum(FileSize) by SrcUserName
 | project SrcUserName, ['DataVolume(Bytes)']
diff --git a/Solutions/Box/Hunting Queries/BoxUsersWithOwnerPermissions.yaml b/Solutions/Box/Hunting Queries/BoxUsersWithOwnerPermissions.yaml
index f8e2af42903..325820f6f14 100644
--- a/Solutions/Box/Hunting Queries/BoxUsersWithOwnerPermissions.yaml
+++ b/Solutions/Box/Hunting Queries/BoxUsersWithOwnerPermissions.yaml
@@ -13,10 +13,10 @@ relevantTechniques:
 - T1078
 query: |
 BoxEvents
- | where TimeGenerated > ago(24h)
+ | where EventEndTime > ago(24h)
 | where EventType =~ 'COLLABORATION_ROLE_CHANGE'
 | where AdditionalDetailsRole =~ 'Owner'
- | project TimeGenerated, AccessibleByLogin, FileDirectory
+ | project EventEndTime, AccessibleByLogin, FileDirectory
 | extend AccountCustomEntity = AccessibleByLogin
 entityMappings:
 - entityType: Account
diff --git a/Solutions/Box/Package/3.1.2.zip b/Solutions/Box/Package/3.1.2.zip
new file mode 100644
index 00000000000..58f751698af
Binary files /dev/null and b/Solutions/Box/Package/3.1.2.zip differ
diff --git a/Solutions/Box/Package/createUiDefinition.json b/Solutions/Box/Package/createUiDefinition.json
index bd8ac841aeb..5d3053ab828 100644
--- a/Solutions/Box/Package/createUiDefinition.json
+++ b/Solutions/Box/Package/createUiDefinition.json
@@ -67,7 +67,7 @@
 "name": "dataconnectors2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This Solution installs the data connector for Box. You can get Box data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for Box Events (CCP). You can get Box Events (CCP) data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
diff --git a/Solutions/Box/Package/mainTemplate.json b/Solutions/Box/Package/mainTemplate.json
index 2a4495bf265..f246de5bb4e 100644
--- a/Solutions/Box/Package/mainTemplate.json
+++ b/Solutions/Box/Package/mainTemplate.json
@@ -55,10 +55,10 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Box",
- "_solutionVersion": "3.1.1",
+ "_solutionVersion": "3.1.2",
 "solutionId": "azuresentinel.azure-sentinel-solution-box",
 "_solutionId": "[variables('solutionId')]",
- "workbookVersion1": "1.0.0",
+ "workbookVersion1": "1.0.1",
 "workbookContentId1": "BoxWorkbook",
 "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
 "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
@@ -140,11 +140,11 @@
 "blanks": "[replace('b', 'b', '')]",
 "TemplateEmptyObject": "[json('{}')]",
 "analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.0",
+ "analyticRuleVersion1": "1.0.1",
 "_analyticRulecontentId1": "1139230c-cf10-45db-b616-fed0d1415c05",
 "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1139230c-cf10-45db-b616-fed0d1415c05')]",
 "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1139230c-cf10-45db-b616-fed0d1415c05')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1139230c-cf10-45db-b616-fed0d1415c05','-', '1.0.0')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1139230c-cf10-45db-b616-fed0d1415c05','-', '1.0.1')))]"
 },
 "analyticRuleObject2": {
 "analyticRuleVersion2": "1.0.0",
@@ -161,11 +161,11 @@
 "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8889e69c-2161-412a-94a6-76c1b2d9daa7','-', '1.0.0')))]"
 },
 "analyticRuleObject4": {
- "analyticRuleVersion4": "1.0.0",
+ "analyticRuleVersion4": "1.0.1",
 "_analyticRulecontentId4": "edbf38d7-e170-4af2-ad50-1a05b374611b",
 "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'edbf38d7-e170-4af2-ad50-1a05b374611b')]",
 "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('edbf38d7-e170-4af2-ad50-1a05b374611b')))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edbf38d7-e170-4af2-ad50-1a05b374611b','-', '1.0.0')))]"
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edbf38d7-e170-4af2-ad50-1a05b374611b','-', '1.0.1')))]"
 },
 "analyticRuleObject5": {
 "analyticRuleVersion5": "1.0.0",
@@ -175,11 +175,11 @@
 "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3b803560-f8a6-4db4-89cb-617d89724ba1','-', '1.0.0')))]"
 },
 "analyticRuleObject6": {
- "analyticRuleVersion6": "1.0.0",
+ "analyticRuleVersion6": "1.0.1",
 "_analyticRulecontentId6": "1b212329-6f2c-46ca-9071-de3464f3d88d",
 "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1b212329-6f2c-46ca-9071-de3464f3d88d')]",
 "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1b212329-6f2c-46ca-9071-de3464f3d88d')))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1b212329-6f2c-46ca-9071-de3464f3d88d','-', '1.0.0')))]"
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1b212329-6f2c-46ca-9071-de3464f3d88d','-', '1.0.1')))]"
 },
 "analyticRuleObject7": {
 "analyticRuleVersion7": "1.0.0",
@@ -196,18 +196,18 @@
 "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','266746ae-5eaf-4068-a980-5d630f435c46','-', '1.0.0')))]"
 },
 "analyticRuleObject9": {
- "analyticRuleVersion9": "1.0.0",
+ "analyticRuleVersion9": "1.0.1",
 "_analyticRulecontentId9": "b2197d7f-4731-483c-89de-d48606b872da",
 "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b2197d7f-4731-483c-89de-d48606b872da')]",
 "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b2197d7f-4731-483c-89de-d48606b872da')))]",
- "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2197d7f-4731-483c-89de-d48606b872da','-', '1.0.0')))]"
+ "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2197d7f-4731-483c-89de-d48606b872da','-', '1.0.1')))]"
 },
 "analyticRuleObject10": {
- "analyticRuleVersion10": "1.0.0",
+ "analyticRuleVersion10": "1.0.1",
 "_analyticRulecontentId10": "174c31c9-22ec-42e5-8226-814391c08200",
 "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '174c31c9-22ec-42e5-8226-814391c08200')]",
 "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('174c31c9-22ec-42e5-8226-814391c08200')))]",
- "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','174c31c9-22ec-42e5-8226-814391c08200','-', '1.0.0')))]"
+ "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','174c31c9-22ec-42e5-8226-814391c08200','-', '1.0.1')))]"
 },
 "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
 },
@@ -221,7 +221,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Box Workbook with template version 3.1.1",
+ "description": "Box Workbook with template version 3.1.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -239,7 +239,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This workbook depends on a parser based on Kusto Function to work as expected [**BoxEvents**](https://aka.ms/sentinel-BoxDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"88aa96e3-fc48-4b04-836e-fc2ec8ebf37f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\" Time Range\",\"type\":4,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":3600000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events over time\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"65\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where isnotempty(EventType)\\r\\n| summarize TotalEvents = count() by EventType\",\"size\":3,\"title\":\"Event 
Types\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventSeverity\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"rowLimit\":7,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventSeverity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"35\",\"name\":\"query - 3\"}]},\"customWidth\":\"80\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let user1 = BoxEvents\\r\\n| where isnotempty(SourceName)\\r\\n| summarize Users = dcount(SourceName) by SourceName\\r\\n| project Users, User = SourceName;\\r\\nlet user2 = BoxEvents\\r\\n| where isnotempty(SrcUserName)\\r\\n| summarize Users = count(SrcUserName) by SrcUserName\\r\\n| project Users, User = SrcUserName;\\r\\nlet user3 = BoxEvents\\r\\n| where isnotempty(AccessibleByName)\\r\\n| summarize Users = dcount(AccessibleByName) by AccessibleByName\\r\\n| project Users, User = AccessibleByName;\\r\\nlet users = union user1, user2, user3;\\r\\nusers\\r\\n| summarize Users = dcount(User)\",\"size\":3,\"title\":\"Unique 
Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 5\"}]},\"name\":\"group - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize dcount(SrcIpAddr)\\r\\n\",\"size\":3,\"title\":\"Unique IPs\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalEvents\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blueGreen\"}},{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"turquoise\"}}],\"rowLimit\":10,\"labelSettings\":[{\"columnId\":\"TotalEvents\",\"label\":\"Total Events\"},{\"columnId\":\"Trend\"}]},\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 6\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let file1 = BoxEvents\\r\\n| where isnotempty(SourceFileName)\\r\\n| summarize d_files = dcount(SourceFileName);\\r\\nlet file2 = BoxEvents\\r\\n| where isnotempty(SourceItemName)\\r\\n| summarize d_files = dcount(SourceItemName);\\r\\nlet files = union file1, file2;\\r\\nfiles\\r\\n| summarize sum(d_files)\\r\\n\",\"size\":3,\"title\":\"Unique 
files\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"titleContent\":{\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"}},\"leftContent\":{\"columnMatch\":\"sum_d_files\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"Unique files\",\"columnSettings\":[{\"columnName\":\"sum_d_files\",\"color\":\"blue\"}]}}},\"rightContent\":{\"columnMatch\":\"sum_d_files\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let files_1 = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where isnotempty(SourceFileName)\\r\\n| summarize TotalItems = dcount(SourceFileName) by SourceFileName\\r\\n| project TotalItems, FileName = SourceFileName;\\r\\nlet files_2 = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where isnotempty(SourceItemName)\\r\\n| summarize TotalItems = dcount(SourceItemName) by SourceItemName\\r\\n| project TotalItems, FileName = SourceItemName;\\r\\nlet known_files = (union files_1, files_2)\\r\\n| summarize makeset(FileName);\\r\\nBoxEvents\\r\\n| where TimeGenerated between (ago(24h) .. now())\\r\\n| where isnotempty(SourceFileName) \\r\\n| project FileName = SourceFileName\\r\\n| union (BoxEvents\\r\\n | where TimeGenerated between (ago(24h) .. 
now())\\r\\n | where isnotempty(SourceItemName)\\r\\n | project FileName = SourceItemName)\\r\\n| where FileName !in (known_files)\\r\\n| summarize dcount(FileName)\\r\\n\\r\\n\",\"size\":3,\"title\":\"New files (last 24h)\",\"noDataMessage\":\"No new files during last 24h\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\"},\"name\":\"query - 3\"}]},\"name\":\"group - 4\"}]},\"customWidth\":\"20\",\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where EventType == 'ADMIN_LOGIN'\\r\\n| summarize Username = dcount(SourceName) by SourceName\\r\\n| project SourceName\\r\\n\",\"size\":3,\"title\":\"Admin users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalEvents\",\"formatter\":8,\"formatOptions\":{\"palette\":\"turquoise\"}},{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SrcDvcHostname\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"textSettings\":{\"style\":\"header\"}},\"customWidth\":\"25\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let admins = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where EventType == 'ADMIN_LOGIN'\\r\\n| summarize makeset(SourceName);\\r\\nlet adm_type1 = BoxEvents\\r\\n| where SourceName in (admins)\\r\\n| summarize TotalActions = count() by SourceName;\\r\\nlet adm_type2 = BoxEvents\\r\\n| where SrcUserName in (admins)\\r\\n| 
summarize TotalActions = count() by SrcUserName\\r\\n| project TotalActions, SourceName = SrcUserName; \\r\\nlet adm_activity = (union adm_type1, adm_type2);\\r\\nadm_activity\\r\\n| summarize TotalActions = sum(TotalActions) by SourceName\\r\\n| join kind = inner (BoxEvents\\r\\n | where SourceName in (admins) or SrcUserName in (admins)\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\\r\\n on SourceName\\r\\n| project SourceName, TotalActions, Trend\\r\\n| order by TotalActions\\r\\n\",\"size\":3,\"title\":\"Admin users activity\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalActions\",\"formatter\":8,\"formatOptions\":{\"palette\":\"coldHot\"}},{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SourceName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalActions\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"40\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let admins = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where EventType == 'ADMIN_LOGIN'\\r\\n| summarize makeset(SourceName);\\r\\nlet adm_type1 = BoxEvents\\r\\n| where SourceName in (admins)\\r\\n| summarize by EventType, SourceName\\r\\n| project Action = EventType, SourceName;\\r\\nlet adm_type2 = BoxEvents\\r\\n| where SrcUserName in (admins)\\r\\n| summarize max(TimeGenerated) by EventType, 
SrcUserName\\r\\n| project Action = EventType, SourceName = SrcUserName; \\r\\nlet adm_activity = (union adm_type1, adm_type2);\\r\\nadm_activity\\r\\n\",\"size\":1,\"title\":\"Latest admin activity\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 2\"}]},\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\n| where EventType == 'NEW_USER'\\n| project SourceName\\n\",\"size\":3,\"title\":\"New users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventCategory\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false,\"rowLimit\":10},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"TableName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"nodeIdField\":\"TableName\",\"sourceIdField\":\"TableName\",\"targetIdField\":\"count_\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"staticNodeSize\":100,\"hivesMargin\":5},\"chartSettings\":{\"xSettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}},\"textSettin
gs\":{\"style\":\"header\"}},\"customWidth\":\"15\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'DELETE_USER'\\r\\n| project SourceName\",\"size\":3,\"title\":\"Deleted users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"header\"}},\"customWidth\":\"15\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'LOGIN'\\r\\n| summarize LastLoginTime = max(TimeGenerated) by SourceName\\r\\n| where LastLoginTime > ago(90d)\",\"size\":0,\"title\":\"Inactive users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let user_act1 = BoxEvents\\r\\n| where isnotempty(SourceName)\\r\\n| summarize TotalActions = count() by SourceName;\\r\\nlet user_act2 = BoxEvents\\r\\n| where isnotempty(SrcUserName)\\r\\n| summarize TotalActions = count() by SrcUserName\\r\\n| project TotalActions, SourceName = SrcUserName; \\r\\nlet user_activity = (union user_act1, user_act2);\\r\\nuser_activity\\r\\n| join kind = inner (BoxEvents\\r\\n | where isnotempty(SourceName) or isnotempty(SrcUserName)\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\\r\\n on SourceName\\r\\n| project SourceName, TotalActions, Trend\\r\\n| order by TotalActions\",\"size\":0,\"title\":\"Users activity over 
time\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalActions\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SourceName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalActions\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"35\",\"name\":\"query - 3\"}]},\"name\":\"group - 20\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| summarize Downloads = countif(EventType == \\\"DOWNLOAD\\\"), Uploads = countif(EventType == \\\"UPLOAD\\\") by bin_at(TimeGenerated, 1h, now())\",\"size\":3,\"title\":\"Downloads/Uploads comparison\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'DOWNLOAD'\\r\\n| where isnotempty(SourceItemName)\\r\\n| project FileName = SourceItemName, SrcUserName, TimeGenerated\\r\\n| top 100 by TimeGenerated desc\",\"size\":0,\"title\":\"Latest downloaded 
items\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"35ch\"}},{\"columnMatch\":\"SrcUserName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}}],\"filter\":true},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'UPLOAD'\\r\\n| where isnotempty(SourceItemName)\\r\\n| project FileName = SourceItemName, SrcUserName, TimeGenerated\\r\\n| top 100 by TimeGenerated desc\",\"size\":0,\"title\":\"Latest uploaded items\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"35ch\"}},{\"columnMatch\":\"SrcUserName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 6\"}],\"fromTemplateId\":\"sentinel-Box\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This workbook depends on a parser based on Kusto Function to work as expected [**BoxEvents**](https://aka.ms/sentinel-BoxDataConnector-parser) which is 
deployed with the Microsoft Sentinel Solution.\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"88aa96e3-fc48-4b04-836e-fc2ec8ebf37f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\" Time Range\",\"type\":4,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":3600000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| make-series TotalEvents = count() default = 0 on EventEndTime from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events over time\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"65\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where isnotempty(EventType)\\r\\n| summarize TotalEvents = count() by EventType\",\"size\":3,\"title\":\"Event 
Types\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventSeverity\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"rowLimit\":7,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventSeverity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"35\",\"name\":\"query - 3\"}]},\"customWidth\":\"80\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let user1 = BoxEvents\\r\\n| where isnotempty(SourceName)\\r\\n| summarize Users = dcount(SourceName) by SourceName\\r\\n| project Users, User = SourceName;\\r\\nlet user2 = BoxEvents\\r\\n| where isnotempty(SrcUserName)\\r\\n| summarize Users = count(SrcUserName) by SrcUserName\\r\\n| project Users, User = SrcUserName;\\r\\nlet user3 = BoxEvents\\r\\n| where isnotempty(AccessibleByName)\\r\\n| summarize Users = dcount(AccessibleByName) by AccessibleByName\\r\\n| project Users, User = AccessibleByName;\\r\\nlet users = union user1, user2, user3;\\r\\nusers\\r\\n| summarize Users = dcount(User)\",\"size\":3,\"title\":\"Unique 
Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 5\"}]},\"name\":\"group - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize dcount(SrcIpAddr)\\r\\n\",\"size\":3,\"title\":\"Unique IPs\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalEvents\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blueGreen\"}},{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"turquoise\"}}],\"rowLimit\":10,\"labelSettings\":[{\"columnId\":\"TotalEvents\",\"label\":\"Total Events\"},{\"columnId\":\"Trend\"}]},\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 6\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let file1 = BoxEvents\\r\\n| where isnotempty(SourceFileName)\\r\\n| summarize d_files = dcount(SourceFileName);\\r\\nlet file2 = BoxEvents\\r\\n| where isnotempty(SourceItemName)\\r\\n| summarize d_files = dcount(SourceItemName);\\r\\nlet files = union file1, file2;\\r\\nfiles\\r\\n| summarize sum(d_files)\\r\\n\",\"size\":3,\"title\":\"Unique 
files\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"titleContent\":{\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"}},\"leftContent\":{\"columnMatch\":\"sum_d_files\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"Unique files\",\"columnSettings\":[{\"columnName\":\"sum_d_files\",\"color\":\"blue\"}]}}},\"rightContent\":{\"columnMatch\":\"sum_d_files\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let files_1 = BoxEvents\\r\\n| where EventEndTime > ago(90d)\\r\\n| where isnotempty(SourceFileName)\\r\\n| summarize TotalItems = dcount(SourceFileName) by SourceFileName\\r\\n| project TotalItems, FileName = SourceFileName;\\r\\nlet files_2 = BoxEvents\\r\\n| where EventEndTime > ago(90d)\\r\\n| where isnotempty(SourceItemName)\\r\\n| summarize TotalItems = dcount(SourceItemName) by SourceItemName\\r\\n| project TotalItems, FileName = SourceItemName;\\r\\nlet known_files = (union files_1, files_2)\\r\\n| summarize makeset(FileName);\\r\\nBoxEvents\\r\\n| where EventEndTime between (ago(24h) .. now())\\r\\n| where isnotempty(SourceFileName) \\r\\n| project FileName = SourceFileName\\r\\n| union (BoxEvents\\r\\n | where EventEndTime between (ago(24h) .. 
now())\\r\\n | where isnotempty(SourceItemName)\\r\\n | project FileName = SourceItemName)\\r\\n| where FileName !in (known_files)\\r\\n| summarize dcount(FileName)\\r\\n\\r\\n\",\"size\":3,\"title\":\"New files (last 24h)\",\"noDataMessage\":\"No new files during last 24h\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\"},\"name\":\"query - 3\"}]},\"name\":\"group - 4\"}]},\"customWidth\":\"20\",\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventEndTime > ago(90d)\\r\\n| where EventType == 'ADMIN_LOGIN'\\r\\n| summarize Username = dcount(SourceName) by SourceName\\r\\n| project SourceName\\r\\n\",\"size\":3,\"title\":\"Admin users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalEvents\",\"formatter\":8,\"formatOptions\":{\"palette\":\"turquoise\"}},{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SrcDvcHostname\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"textSettings\":{\"style\":\"header\"}},\"customWidth\":\"25\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let admins = BoxEvents\\r\\n| where EventEndTime > ago(90d)\\r\\n| where EventType == 'ADMIN_LOGIN'\\r\\n| summarize makeset(SourceName);\\r\\nlet adm_type1 = BoxEvents\\r\\n| where SourceName in (admins)\\r\\n| summarize TotalActions = count() by SourceName;\\r\\nlet adm_type2 = BoxEvents\\r\\n| where SrcUserName in (admins)\\r\\n| 
summarize TotalActions = count() by SrcUserName\\r\\n| project TotalActions, SourceName = SrcUserName; \\r\\nlet adm_activity = (union adm_type1, adm_type2);\\r\\nadm_activity\\r\\n| summarize TotalActions = sum(TotalActions) by SourceName\\r\\n| join kind = inner (BoxEvents\\r\\n | where SourceName in (admins) or SrcUserName in (admins)\\r\\n | make-series Trend = count() default = 0 on EventEndTime from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\\r\\n on SourceName\\r\\n| project SourceName, TotalActions, Trend\\r\\n| order by TotalActions\\r\\n\",\"size\":3,\"title\":\"Admin users activity\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalActions\",\"formatter\":8,\"formatOptions\":{\"palette\":\"coldHot\"}},{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SourceName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalActions\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"40\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let admins = BoxEvents\\r\\n| where EventEndTime > ago(90d)\\r\\n| where EventType == 'ADMIN_LOGIN'\\r\\n| summarize makeset(SourceName);\\r\\nlet adm_type1 = BoxEvents\\r\\n| where SourceName in (admins)\\r\\n| summarize by EventType, SourceName\\r\\n| project Action = EventType, SourceName;\\r\\nlet adm_type2 = BoxEvents\\r\\n| where SrcUserName in (admins)\\r\\n| summarize max(EventEndTime) by EventType, 
SrcUserName\\r\\n| project Action = EventType, SourceName = SrcUserName; \\r\\nlet adm_activity = (union adm_type1, adm_type2);\\r\\nadm_activity\\r\\n\",\"size\":1,\"title\":\"Latest admin activity\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 2\"}]},\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\n| where EventType == 'NEW_USER'\\n| project SourceName\\n\",\"size\":3,\"title\":\"New users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventCategory\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false,\"rowLimit\":10},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"TableName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"nodeIdField\":\"TableName\",\"sourceIdField\":\"TableName\",\"targetIdField\":\"count_\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"staticNodeSize\":100,\"hivesMargin\":5},\"chartSettings\":{\"xSettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}},\"textSettin
gs\":{\"style\":\"header\"}},\"customWidth\":\"15\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'DELETE_USER'\\r\\n| project SourceName\",\"size\":3,\"title\":\"Deleted users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"header\"}},\"customWidth\":\"15\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'LOGIN'\\r\\n| summarize LastLoginTime = max(EventEndTime) by SourceName\\r\\n| where LastLoginTime > ago(90d)\",\"size\":0,\"title\":\"Inactive users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let user_act1 = BoxEvents\\r\\n| where isnotempty(SourceName)\\r\\n| summarize TotalActions = count() by SourceName;\\r\\nlet user_act2 = BoxEvents\\r\\n| where isnotempty(SrcUserName)\\r\\n| summarize TotalActions = count() by SrcUserName\\r\\n| project TotalActions, SourceName = SrcUserName; \\r\\nlet user_activity = (union user_act1, user_act2);\\r\\nuser_activity\\r\\n| join kind = inner (BoxEvents\\r\\n | where isnotempty(SourceName) or isnotempty(SrcUserName)\\r\\n | make-series Trend = count() default = 0 on EventEndTime from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\\r\\n on SourceName\\r\\n| project SourceName, TotalActions, Trend\\r\\n| order by TotalActions\",\"size\":0,\"title\":\"Users activity over 
time\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalActions\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SourceName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalActions\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"35\",\"name\":\"query - 3\"}]},\"name\":\"group - 20\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| summarize Downloads = countif(EventType == \\\"DOWNLOAD\\\"), Uploads = countif(EventType == \\\"UPLOAD\\\") by bin_at(EventEndTime, 1h, now())\",\"size\":3,\"title\":\"Downloads/Uploads comparison\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'DOWNLOAD'\\r\\n| where isnotempty(SourceItemName)\\r\\n| project FileName = SourceItemName, SrcUserName, EventEndTime\\r\\n| top 100 by EventEndTime desc\",\"size\":0,\"title\":\"Latest downloaded 
items\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"35ch\"}},{\"columnMatch\":\"SrcUserName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"EventEndTime\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}}],\"filter\":true},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'UPLOAD'\\r\\n| where isnotempty(SourceItemName)\\r\\n| project FileName = SourceItemName, SrcUserName, EventEndTime\\r\\n| top 100 by EventEndTime desc\",\"size\":0,\"title\":\"Latest uploaded items\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"35ch\"}},{\"columnMatch\":\"SrcUserName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"EventEndTime\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 6\"}],\"fromTemplateId\":\"sentinel-Box\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -250,7 +250,7 @@
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
"properties": {
- "description": "@{workbookKey=BoxWorkbook; logoFileName=box.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Box; templateRelativePath=Box.json; subtitle=; provider=Box}.description",
+ "description": "@{workbookKey=BoxWorkbook; logoFileName=box.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Box; templateRelativePath=Box.json; subtitle=; provider=Box}.description",
"parentId": "[variables('workbookId1')]",
"contentId": "[variables('_workbookContentId1')]",
"kind": "Workbook",
@@ -274,11 +274,11 @@
"operator": "AND",
"criteria": [
{
- "contentId": "BoxEvents_CL",
+ "contentId": "BoxEvents",
"kind": "DataType"
},
{
- "contentId": "BoxDataConnector",
+ "contentId": "BoxEventsCCPDefinition",
"kind": "DataConnector"
}
]
@@ -309,7 +309,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "BoxEvents Data Parser with template version 3.1.1",
+ "description": "BoxEvents Data Parser with template version 3.1.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
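Review bot: In the -274 hunk the workbook's DataType dependency is changed to `"contentId": "BoxEvents"`, which is the name of the Kusto parser function the workbook text says it relies on, whereas the replaced value `BoxEvents_CL` was a table name. As far as I can tell a DataType criterion is satisfied by the data type the connector declares, so this only resolves if `BoxEventsCCPDefinition` really exposes a data type named `BoxEvents`; if its table keeps a `_CL` suffix, the dependency check will flag the workbook's data as missing even while ingestion works. Please confirm the value against the connector definition's dataTypes rather than the parser name.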
@@ -441,7 +441,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "BoxAdminIpAddress_HuntingQueries Hunting Query with template version 3.1.1",
+ "description": "BoxAdminIpAddress_HuntingQueries Hunting Query with template version 3.1.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -457,7 +457,7 @@
"eTag": "*",
"displayName": "Box - IP list for admin users",
"category": "Hunting Queries",
- "query": "BoxEvents\n| where TimeGenerated > ago(30d)\n| where EventType =~ 'ADMIN_LOGIN'\n| summarize makeset(SrcIpAddr) by SourceLogin\n| extend AccountCustomEntity = SourceLogin\n",
+ "query": "BoxEvents\n| where EventEndTime > ago(30d)\n| where EventType =~ 'ADMIN_LOGIN'\n| summarize makeset(SrcIpAddr) by SourceLogin\n| extend AccountCustomEntity = SourceLogin\n",
"version": 2,
"tags": [
{
@@ -526,7 +526,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "BoxDeletedUsers_HuntingQueries Hunting Query with template version 3.1.1",
+ "description": "BoxDeletedUsers_HuntingQueries Hunting Query with template version 3.1.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
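Review bot: The lookback in the -457 hunk, `| where EventEndTime > ago(30d)`, now rests entirely on the parser-derived event timestamp: a row whose `EventEndTime` the parser leaves null is silently dropped (the comparison is not true for null), and events from a source with a skewed clock or late delivery can fall outside the window although they were just ingested. The query also gives up the bound on `TimeGenerated`, which is the column the workspace can prune on, so a 30-day hunt over `BoxEvents` may scan more than before. Consider keeping a coarse ingestion-time guard in front of it, `| where TimeGenerated > ago(30d)`, or using `| where coalesce(EventEndTime, TimeGenerated) > ago(30d)` if rows with no end time should still surface. The same switch is made in the -542, -627, -712 and -797 hunks (Deleted users, Inactive admin users, Inactive users, New users) and the same remark applies to each.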
@@ -542,7 +542,7 @@
"eTag": "*",
"displayName": "Box - Deleted users",
"category": "Hunting Queries",
- "query": "BoxEvents\n| where TimeGenerated > ago(24h)\n| where EventType =~ 'DELETE_USER'\n| project TimeGenerated, SourceName, SourceLogin\n| extend AccountCustomEntity = SourceLogin\n",
+ "query": "BoxEvents\n| where EventEndTime > ago(24h)\n| where EventType =~ 'DELETE_USER'\n| project EventEndTime, SourceName, SourceLogin\n| extend AccountCustomEntity = SourceLogin\n",
"version": 2,
"tags": [
{
@@ -611,7 +611,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "BoxInactiveAdmins_HuntingQueries Hunting Query with template version 3.1.1",
+ "description": "BoxInactiveAdmins_HuntingQueries Hunting Query with template version 3.1.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -627,7 +627,7 @@
"eTag": "*",
"displayName": "Box - Inactive admin users",
"category": "Hunting Queries",
- "query": "let active_admins = BoxEvents\n| where TimeGenerated between (ago(7d) .. ago(1d))\n| where EventType =~ 'ADMIN_LOGIN'\n| summarize makeset(SourceLogin);\nlet inactive_admins = BoxEvents\n| where TimeGenerated between (ago(30d) .. ago(7d))\n| where EventType =~ 'ADMIN_LOGIN'\n| where SourceLogin !in (active_admins)\n| summarize makeset(SourceLogin);\nBoxEvents\n| where TimeGenerated > ago(7d)\n| where EventType =~ 'ADMIN_LOGIN'\n| where SourceLogin !in (active_admins)\n| where SourceLogin in (inactive_admins)\n| summarize LastLoginTime = max(TimeGenerated) by SourceLogin\n| project LastLoginTime, SourceLogin\n| extend AccountCustomEntity = SourceLogin\n",
+ "query": "let active_admins = BoxEvents\n| where EventEndTime between (ago(7d) .. ago(1d))\n| where EventType =~ 'ADMIN_LOGIN'\n| summarize makeset(SourceLogin);\nlet inactive_admins = BoxEvents\n| where EventEndTime between (ago(30d) .. ago(7d))\n| where EventType =~ 'ADMIN_LOGIN'\n| where SourceLogin !in (active_admins)\n| summarize makeset(SourceLogin);\nBoxEvents\n| where EventEndTime > ago(7d)\n| where EventType =~ 'ADMIN_LOGIN'\n| where SourceLogin !in (active_admins)\n| where SourceLogin in (inactive_admins)\n| summarize LastLoginTime = max(EventEndTime) by SourceLogin\n| project LastLoginTime, SourceLogin\n| extend AccountCustomEntity = SourceLogin\n",
"version": 2,
"tags": [
{
@@ -696,7 +696,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "BoxInactiveUsers_HuntingQueries Hunting Query with template version 3.1.1",
+ "description": "BoxInactiveUsers_HuntingQueries Hunting Query with template version 3.1.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -712,7 +712,7 @@
 "eTag": "*",
 "displayName": "Box - Inactive users",
 "category": "Hunting Queries",
- "query": "let active_admins = BoxEvents\n| where TimeGenerated between (ago(7d) .. ago(1d))\n| where EventType =~ 'LOGIN'\n| summarize makeset(SourceLogin);\nlet inactive_admins = BoxEvents\n| where TimeGenerated between (ago(30d) .. ago(7d))\n| where EventType =~ 'LOGIN'\n| where SourceLogin !in (active_admins)\n| summarize makeset(SourceLogin);\nBoxEvents\n| where TimeGenerated > ago(7d)\n| where EventType =~ 'LOGIN'\n| where SourceLogin !in (active_admins)\n| where SourceLogin in (inactive_admins)\n| summarize LastLoginTime = max(TimeGenerated) by SourceLogin\n| project LastLoginTime, SourceLogin\n| extend AccountCustomEntity = SourceLogin\n",
+ "query": "let active_admins = BoxEvents\n| where EventEndTime between (ago(7d) .. ago(1d))\n| where EventType =~ 'LOGIN'\n| summarize makeset(SourceLogin);\nlet inactive_admins = BoxEvents\n| where EventEndTime between (ago(30d) .. ago(7d))\n| where EventType =~ 'LOGIN'\n| where SourceLogin !in (active_admins)\n| summarize makeset(SourceLogin);\nBoxEvents\n| where EventEndTime > ago(7d)\n| where EventType =~ 'LOGIN'\n| where SourceLogin !in (active_admins)\n| where SourceLogin in (inactive_admins)\n| summarize LastLoginTime = max(EventEndTime) by SourceLogin\n| project LastLoginTime, SourceLogin\n| extend AccountCustomEntity = SourceLogin\n",
 "version": 2,
 "tags": [
 {
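Review bot: The "Box - Inactive users" query keeps the variable names `active_admins` and `inactive_admins` although it filters on `EventType =~ 'LOGIN'` rather than `ADMIN_LOGIN`, which reads as if the admin hunt had been copied without renaming; `let active_users = BoxEvents` and `let inactive_users = BoxEvents` (with the matching `!in`/`in` references) would make the two hunts distinguishable at a glance. Behaviour is unaffected, so this is purely a readability point on the new query text.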
@@ -781,7 +781,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxNewUsers_HuntingQueries Hunting Query with template version 3.1.1",
+ "description": "BoxNewUsers_HuntingQueries Hunting Query with template version 3.1.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -797,7 +797,7 @@
 "eTag": "*",
 "displayName": "Box - New users",
 "category": "Hunting Queries",
- "query": "BoxEvents\n| where TimeGenerated > ago(24h)\n| where EventType =~ 'NEW_USER'\n| project TimeGenerated, SourceName, SourceLogin\n| extend AccountCustomEntity = SourceLogin\n",
+ "query": "BoxEvents\n| where EventEndTime > ago(24h)\n| where EventType =~ 'NEW_USER'\n| project EventEndTime, SourceName, SourceLogin\n| extend AccountCustomEntity = SourceLogin\n",
 "version": 2,
 "tags": [
 {
@@ -866,7 +866,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxSuspiciousFiles_HuntingQueries Hunting Query with template version 3.1.1",
+ "description": "BoxSuspiciousFiles_HuntingQueries Hunting Query with template version 3.1.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -882,7 +882,7 @@
 "eTag": "*",
 "displayName": "Box - Suspicious or sensitive files",
 "category": "Hunting Queries",
- "query": "BoxEvents\n| where TimeGenerated > ago(24h)\n| where SourceItemName =~ 'id_rsa' or SourceItemName contains 'password' or SourceItemName contains 'key' or SourceItemName contains '_key' or SourceItemName contains '.ssh' or SourceItemName endswith '.npmrc' or SourceItemName endswith '.muttrc' or SourceItemName contains 'config.json' or SourceItemName contains '.gitconfig' or SourceItemName endswith '.netrc' or SourceItemName endswith 'package.json' or SourceItemName endswith 'Gemfile' or SourceItemName endswith 'bower.json' or SourceItemName endswith 'config.gypi' or SourceItemName endswith 'travis.yml' or SourceItemName endswith '.ps1' or SourceItemName endswith '.bat' or SourceItemName endswith '.scr' or SourceItemName endswith '.sh' or SourceItemName endswith '.exe' or SourceFileName =~ 'id_rsa' or SourceFileName contains 'password' or SourceFileName contains 'key' or SourceFileName contains '_key' or SourceFileName contains '.ssh' or SourceFileName endswith '.npmrc' or SourceFileName endswith '.muttrc' or SourceFileName contains 'config.json' or SourceFileName contains '.gitconfig' or SourceFileName endswith '.netrc' or SourceFileName endswith 'package.json' or SourceFileName endswith 'Gemfile' or SourceFileName contains 'bower.json' or SourceFileName contains 'config.gypi' or SourceFileName contains 'travis.yml' or SourceFileName endswith '.ps1' or SourceFileName endswith '.bat' or SourceFileName endswith '.scr' or SourceFileName endswith '.sh' or SourceFileName endswith '.exe'\n| project TimeGenerated, SourceName, SourceLogin\n| extend AccountCustomEntity = SourceLogin\n",
+ "query": "BoxEvents\n| where EventEndTime > ago(24h)\n| where SourceItemName =~ 'id_rsa' or SourceItemName contains 'password' or SourceItemName contains 'key' or SourceItemName contains '_key' or SourceItemName contains '.ssh' or SourceItemName endswith '.npmrc' 
or SourceItemName endswith '.muttrc' or SourceItemName contains 'config.json' or SourceItemName contains '.gitconfig' or SourceItemName endswith '.netrc' or SourceItemName endswith 'package.json' or SourceItemName endswith 'Gemfile' or SourceItemName endswith 'bower.json' or SourceItemName endswith 'config.gypi' or SourceItemName endswith 'travis.yml' or SourceItemName endswith '.ps1' or SourceItemName endswith '.bat' or SourceItemName endswith '.scr' or SourceItemName endswith '.sh' or SourceItemName endswith '.exe' or SourceFileName =~ 'id_rsa' or SourceFileName contains 'password' or SourceFileName contains 'key' or SourceFileName contains '_key' or SourceFileName contains '.ssh' or SourceFileName endswith '.npmrc' or SourceFileName endswith '.muttrc' or SourceFileName contains 'config.json' or SourceFileName contains '.gitconfig' or SourceFileName endswith '.netrc' or SourceFileName endswith 'package.json' or SourceFileName endswith 'Gemfile' or SourceFileName contains 'bower.json' or SourceFileName contains 'config.gypi' or SourceFileName contains 'travis.yml' or SourceFileName endswith '.ps1' or SourceFileName endswith '.bat' or SourceFileName endswith '.scr' or SourceFileName endswith '.sh' or SourceFileName endswith '.exe'\n| project EventEndTime, SourceName, SourceLogin\n| extend AccountCustomEntity = SourceLogin\n",
 "version": 2,
 "tags": [
 {
@@ -951,7 +951,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxUserDownloadsByVolume_HuntingQueries Hunting Query with template version 3.1.1",
+ "description": "BoxUserDownloadsByVolume_HuntingQueries Hunting Query with template version 3.1.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
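Review bot: The rewritten "Suspicious or sensitive files" predicate still contains `SourceItemName contains 'key'` and `SourceFileName contains 'key'`, which match any name containing that substring (KQL `contains` is case-insensitive), so the narrower `contains '_key'` terms next to them never add a match and the hunt will surface a lot of ordinary file names. The two halves of the predicate are also not symmetric: `bower.json`, `config.gypi` and `travis.yml` use `endswith` for `SourceItemName` but `contains` for `SourceFileName`, which looks accidental rather than intentional. Moving the name patterns into a `let sensitive_names = dynamic([...])` list at the top of the query, with one comment per group (credential material, package manifests, executables), would make future edits to the list reviewable and keep the two columns in step; the hunt's description would benefit from a sentence noting that the match is substring-based and expected to be noisy.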
@@ -967,7 +967,7 @@
 "eTag": "*",
 "displayName": "Box - Downloaded data volume per user",
 "category": "Hunting Queries",
- "query": "BoxEvents\n| where TimeGenerated > ago(24h)\n| where EventType =~ 'DOWNLOAD'\n| summarize ['DataVolume(Bytes)'] = sum(FileSize) by SrcUserName\n| project SrcUserName, ['DataVolume(Bytes)']\n| order by ['DataVolume(Bytes)'] desc\n| extend AccountCustomEntity = SrcUserName\n",
+ "query": "BoxEvents\n| where EventEndTime > ago(24h)\n| where EventType =~ 'DOWNLOAD'\n| summarize ['DataVolume(Bytes)'] = sum(FileSize) by SrcUserName\n| project SrcUserName, ['DataVolume(Bytes)']\n| order by ['DataVolume(Bytes)'] desc\n| extend AccountCustomEntity = SrcUserName\n",
 "version": 2,
 "tags": [
 {
@@ -1036,7 +1036,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxUserGroupChanges_HuntingQueries Hunting Query with template version 3.1.1",
+ "description": "BoxUserGroupChanges_HuntingQueries Hunting Query with template version 3.1.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -1052,7 +1052,7 @@
 "eTag": "*",
 "displayName": "Box - New users",
 "category": "Hunting Queries",
- "query": "BoxEvents\n| where TimeGenerated > ago(24h)\n| where EventType =~ 'GROUP_ADD_USER'\n| project TimeGenerated, SourceName, SourceLogin, AdditionalDetailsGroupName\n| extend AccountCustomEntity = SourceLogin\n",
+ "query": "BoxEvents\n| where EventEndTime > ago(24h)\n| where EventType =~ 'GROUP_ADD_USER'\n| project EventEndTime, SourceName, SourceLogin, AdditionalDetailsGroupName\n| extend AccountCustomEntity = SourceLogin\n",
 "version": 2,
 "tags": [
 {
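Review bot: In the 1052 hunk the BoxUserGroupChanges query (`EventType =~ 'GROUP_ADD_USER'`, projecting `AdditionalDetailsGroupName`) is still published under `"displayName": "Box - New users"`, the same name as the NEW_USER hunt in the 797 hunk, so analysts see two hunts with one title and cannot tell from the list which one tracks group membership; this is a context line the commit leaves untouched, but since the query text itself is being revised it is the natural moment to fix it, e.g. `"displayName": "Box - Users added to groups"`. The packaged template is presumably generated from the hunt's source definition, so the rename would need to be made there as well.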
@@ -1121,7 +1121,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxUserUploadsByVolume_HuntingQueries Hunting Query with template version 3.1.1",
+ "description": "BoxUserUploadsByVolume_HuntingQueries Hunting Query with template version 3.1.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -1137,7 +1137,7 @@
 "eTag": "*",
 "displayName": "Box - Uploaded data volume per user",
 "category": "Hunting Queries",
- "query": "BoxEvents\n| where TimeGenerated > ago(24h)\n| where EventType =~ 'UPLOAD'\n| summarize ['DataVolume(Bytes)'] = sum(FileSize) by SrcUserName\n| project SrcUserName, ['DataVolume(Bytes)']\n| order by ['DataVolume(Bytes)'] desc\n| extend AccountCustomEntity = SrcUserName\n",
+ "query": "BoxEvents\n| where EventEndTime > ago(24h)\n| where EventType =~ 'UPLOAD'\n| summarize ['DataVolume(Bytes)'] = sum(FileSize) by SrcUserName\n| project SrcUserName, ['DataVolume(Bytes)']\n| order by ['DataVolume(Bytes)'] desc\n| extend AccountCustomEntity = SrcUserName\n",
 "version": 2,
 "tags": [
 {
@@ -1206,7 +1206,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxUsersWithOwnerPermissions_HuntingQueries Hunting Query with template version 3.1.1",
+ "description": "BoxUsersWithOwnerPermissions_HuntingQueries Hunting Query with template version 3.1.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -1222,7 +1222,7 @@
 "eTag": "*",
 "displayName": "Box - Users with owner permissions",
 "category": "Hunting Queries",
- "query": "BoxEvents\n| where TimeGenerated > ago(24h)\n| where EventType =~ 'COLLABORATION_ROLE_CHANGE'\n| where AdditionalDetailsRole =~ 'Owner'\n| project TimeGenerated, AccessibleByLogin, FileDirectory\n| extend AccountCustomEntity = AccessibleByLogin\n",
+ "query": "BoxEvents\n| where EventEndTime > ago(24h)\n| where EventType =~ 'COLLABORATION_ROLE_CHANGE'\n| where AdditionalDetailsRole =~ 'Owner'\n| project EventEndTime, AccessibleByLogin, FileDirectory\n| extend AccountCustomEntity = AccessibleByLogin\n",
 "version": 2,
 "tags": [
 {
@@ -1291,7 +1291,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Box data connector with template version 3.1.1",
+ "description": "Box data connector with template version 3.1.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -2247,24 +2247,22 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorCCPVersion')]",
 "parameters": {
- "clientId": {
- "defaultValue": "-NA-",
- "type": "securestring",
- "minLength": 4
+ "guidValue": {
+ "defaultValue": "[[newGuid()]",
+ "type": "securestring"
 },
- "clientSecret": {
- "defaultValue": "-NA-",
- "type": "securestring",
- "minLength": 4
+ "innerWorkspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "securestring"
 },
 "connectorDefinitionName": {
 "defaultValue": "Box Events (CCP)",
- "type": "string",
+ "type": "securestring",
 "minLength": 1
 },
 "workspace": {
 "defaultValue": "[parameters('workspace')]",
- "type": "string"
+ "type": "securestring"
 },
 "dcrConfig": {
 "defaultValue": {
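Review bot: In the 2247 hunk the new `guidValue` parameter defaults to `[[newGuid()]`, and the 2315 hunk concatenates it into the polling connector's resource name, so every deployment of the inner template produces a differently named `BoxEventsCCPPolling<guid>` resource instead of updating the one from the previous deployment; if that is the intended way to allow several connector instances it deserves saying so, because a plain redeploy of the solution would otherwise leave two pollers for the same Box enterprise and ingest every event twice. ARM parameters accept a `metadata` object, so `"metadata": { "description": "New GUID per deployment: each deployment creates a separate polling connector instance; delete the previous instance when redeploying" }` on `guidValue` would record that. The switch of `workspace`, `innerWorkspace` and `connectorDefinitionName` from `string` to `securestring` keeps those non-secret values out of the deployment history, which makes a mistyped workspace name harder to diagnose; if it is needed for the nested-template plumbing, a one-line `metadata.description` on `workspace` saying why would stop the next reader from reverting it.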
@@ -2275,7 +2273,17 @@
 },
 "boxEnterpriseId": {
 "defaultValue": "boxEnterpriseId",
- "type": "string",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "ClientId": {
+ "defaultValue": "-NA-",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "ClientSecret": {
+ "defaultValue": "-NA-",
+ "type": "securestring",
 "minLength": 1
 },
 "AuthorizationCode": {
@@ -2315,7 +2323,7 @@
 }
 },
 {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'BoxEventsCCPPolling')]",
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'BoxEventsCCPPolling', parameters('guidValue'))]",
 "apiVersion": "2023-02-01-preview",
 "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
 "location": "[parameters('workspace-location')]",
@@ -2391,7 +2399,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxAbnormalUserActivity_AnalyticalRules Analytics Rule with template version 3.1.1",
+ "description": "BoxAbnormalUserActivity_AnalyticalRules Analytics Rule with template version 3.1.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
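Review bot: The re-added `ClientId` and `ClientSecret` parameters keep the `"-NA-"` placeholder as `defaultValue` and now only require `minLength: 1`, so a deployment that supplies no Box credentials validates cleanly and the polling connector fails later at runtime rather than at deploy time, which is the harder place to notice it. If the defaults exist because the connector UI collects the real values after deployment, a `"metadata": { "description": "Placeholder; the real value is supplied by the connector configuration page" }` on each would make that explicit; otherwise dropping the `defaultValue` makes the secrets required and fails fast. `boxEnterpriseId` gets the same treatment with a literal `"boxEnterpriseId"` default, and since ARM parameter names are case-insensitive the rename from `clientId` to `ClientId` is cosmetic, but the references to these parameters live outside this hunk and should be checked for the same spelling.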
@@ -2408,7 +2416,7 @@
 "description": "Detects spikes (deviations from avarage) in user activity.",
 "displayName": "Box - Abmormal user activity",
 "enabled": false,
- "query": "let lbperiod_start = 14d;\nlet lbperiod_end = 24h;\nlet user_actions_1 = BoxEvents\n| where TimeGenerated between (ago(lbperiod_start) .. ago(lbperiod_end))\n| summarize TotalEvents = count() by SourceName\n| project TotalEvents, User = SourceName;\nlet user_actions_2 = BoxEvents\n| where TimeGenerated between (ago(lbperiod_start) .. ago(lbperiod_end))\n| summarize TotalEvents = count() by SrcUserName\n| project TotalEvents, User = SrcUserName;\nlet TotalActions = (union user_actions_1, user_actions_2)\n| summarize TotalEvents = count() by User\n| extend EventsPerDay = TotalEvents / 29\n| extend k = 1;\nlet actions1_last_h = BoxEvents\n| summarize TotalEventsH = count() by SourceName\n| project TotalEventsH, User = SourceName;\nlet actions2_last_h = BoxEvents\n| summarize TotalEventsH = count() by SourceName\n| project TotalEventsH, User = SourceName;\nlet TotalActionsLastHour = (union actions1_last_h, actions2_last_h)\n| summarize TotalEventsH = sum(TotalEventsH) by User\n| extend k = 1;\nTotalActions\n| join (TotalActionsLastHour) on k\n| where EventsPerDay > TotalEventsH\n| project User\n| extend AccountCustomEntity = User\n",
+ "query": "let lbperiod_start = 14d;\nlet lbperiod_end = 24h;\nlet user_actions_1 = BoxEvents\n| where EventEndTime between (ago(lbperiod_start) .. ago(lbperiod_end))\n| summarize TotalEvents = count() by SourceName\n| project TotalEvents, User = SourceName;\nlet user_actions_2 = BoxEvents\n| where EventEndTime between (ago(lbperiod_start) .. 
ago(lbperiod_end))\n| summarize TotalEvents = count() by SrcUserName\n| project TotalEvents, User = SrcUserName;\nlet TotalActions = (union user_actions_1, user_actions_2)\n| summarize TotalEvents = count() by User\n| extend EventsPerDay = TotalEvents / 29\n| extend k = 1;\nlet actions1_last_h = BoxEvents\n| summarize TotalEventsH = count() by SourceName\n| project TotalEventsH, User = SourceName;\nlet actions2_last_h = BoxEvents\n| summarize TotalEventsH = count() by SourceName\n| project TotalEventsH, User = SourceName;\nlet TotalActionsLastHour = (union actions1_last_h, actions2_last_h)\n| summarize TotalEventsH = sum(TotalEventsH) by User\n| extend k = 1;\nTotalActions\n| join (TotalActionsLastHour) on k\n| where EventsPerDay > TotalEventsH\n| project User\n| extend AccountCustomEntity = User\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "P14D",
 "severity": "Medium",
@@ -2495,7 +2503,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxBinaryFile_AnalyticalRules Analytics Rule with template version 3.1.1",
+ "description": "BoxBinaryFile_AnalyticalRules Analytics Rule with template version 3.1.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
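Review bot: The rewritten "Abnormal user activity" query still joins `TotalActions | join (TotalActionsLastHour) on k` with `k = 1` on both sides, which is a cross join: `where EventsPerDay > TotalEventsH` then compares each user's baseline with every other user's recent count, and `project User` returns the left-side user regardless of whose count matched, so the rule should join `on User`. Around it, the baseline leg aggregates the union with `summarize TotalEvents = count() by User`, which counts rows (1 or 2 per user) rather than summing the per-leg event totals; `EventsPerDay = TotalEvents / 29` does not match the 13-day window defined by `lbperiod_start`/`lbperiod_end`; the two `*_last_h` legs carry no time filter at all, so "last hour" is really the rule's full P14D `queryPeriod`, and `actions2_last_h` groups by `SourceName` where the parallel baseline leg used `SrcUserName`; finally the comparison direction (daily average greater than the recent count) reads as the opposite of the "spikes" the description promises, and compares a per-day figure with a per-hour one. The commit only swaps the time column, so none of this is regression, but the rule cannot produce a meaningful result until the legs are rebuilt as below; the packaged query mirrors the rule's source definition, which presumably needs the same rewrite.
```kql
// … unchanged: lbperiod_start, lbperiod_end, user_actions_1, user_actions_2 …
let TotalActions = (union user_actions_1, user_actions_2)
| summarize TotalEvents = sum(TotalEvents) by User
// Baseline window is lbperiod_start .. lbperiod_end; derive the day count instead of hard-coding it.
| extend EventsPerDay = TotalEvents / ((lbperiod_start - lbperiod_end) / 1d);
let actions1_last_h = BoxEvents
| where EventEndTime > ago(1h)
| summarize TotalEventsH = count() by SourceName
| project TotalEventsH, User = SourceName;
let actions2_last_h = BoxEvents
| where EventEndTime > ago(1h)
| summarize TotalEventsH = count() by SrcUserName
| project TotalEventsH, User = SrcUserName;
let TotalActionsLastHour = (union actions1_last_h, actions2_last_h)
| summarize TotalEventsH = sum(TotalEventsH) by User;
TotalActions
| join kind=inner (TotalActionsLastHour) on User
// NOTE(review): direction assumed from the description ("spikes"); confirm the intended threshold and units (per-day baseline vs per-hour count).
| where TotalEventsH > EventsPerDay
| project User
| extend AccountCustomEntity = User
```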
@@ -2599,7 +2607,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxDownloadForbiddenFiles_AnalyticalRules Analytics Rule with template version 3.1.1",
+ "description": "BoxDownloadForbiddenFiles_AnalyticalRules Analytics Rule with template version 3.1.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -2712,7 +2720,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxInactiveUserLogin_AnalyticalRules Analytics Rule with template version 3.1.1",
+ "description": "BoxInactiveUserLogin_AnalyticalRules Analytics Rule with template version 3.1.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -2729,7 +2737,7 @@
 "description": "Detects user login after long inactivity period.",
 "displayName": "Box - Inactive user login",
 "enabled": false,
- "query": "let lbperiod_start = 14d;\nlet lbperiod_end = 7d;\nlet lbtime = 1h;\nlet active_users = BoxEvents\n| where TimeGenerated between (ago(lbperiod_end) .. ago(lbtime))\n| where EventType =~ 'LOGIN'\n| summarize makeset(SourceName);\nlet inactive_users = BoxEvents\n| where TimeGenerated between (ago(lbperiod_start) .. ago(lbperiod_end))\n| where EventType =~ 'LOGIN'\n| where SourceName !in (active_users)\n| summarize makeset(SourceName);\nBoxEvents\n| where EventType == 'LOGIN'\n| where SourceName in (inactive_users)\n| extend AccountCustomEntity = SourceName\n",
+ "query": "let lbperiod_start = 14d;\nlet lbperiod_end = 7d;\nlet lbtime = 1h;\nlet active_users = BoxEvents\n| where EventEndTime between (ago(lbperiod_end) .. ago(lbtime))\n| where EventType =~ 'LOGIN'\n| summarize makeset(SourceName);\nlet inactive_users = BoxEvents\n| where EventEndTime between (ago(lbperiod_start) .. ago(lbperiod_end))\n| where EventType =~ 'LOGIN'\n| where SourceName !in (active_users)\n| summarize makeset(SourceName);\nBoxEvents\n| where EventType == 'LOGIN'\n| where SourceName in (inactive_users)\n| extend AccountCustomEntity = SourceName\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "P14D",
 "severity": "Medium",
@@ -2816,7 +2824,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxItemSharedToExternalUser_AnalyticalRules Analytics Rule with template version 3.1.1",
+ "description": "BoxItemSharedToExternalUser_AnalyticalRules Analytics Rule with template version 3.1.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
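Review bot: The final leg of the rewritten "Inactive user login" query, `BoxEvents | where EventType == 'LOGIN' | where SourceName in (inactive_users)`, has no time bound of its own, so the only limit is the rule's P14D `queryPeriod`; `lbtime` is declared but used only as the upper edge of the `active_users` window, which means every LOGIN in the last 14 days by a user in `inactive_users` — including the old logins that put them in that set — matches on each hourly run. Adding the recent-window filter, `BoxEvents\n| where EventEndTime > ago(lbtime)\n| where EventType =~ 'LOGIN'`, restricts the alert to logins since the previous run and also aligns the operator with the `=~` used in the two `let` legs (the last leg alone uses case-sensitive `==`). The `makeset(SourceName)` cap noted on the first hunting-query hunk applies to both sets here as well.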
@@ -2920,7 +2928,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxMultipleItemsDeletedByUser_AnalyticalRules Analytics Rule with template version 3.1.1",
+ "description": "BoxMultipleItemsDeletedByUser_AnalyticalRules Analytics Rule with template version 3.1.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -2937,7 +2945,7 @@
 "description": "Detects when a user deletes many items in short period of time.",
 "displayName": "Box - Many items deleted by user",
 "enabled": false,
- "query": "let threshold = 100;\nBoxEvents\n| where EventType =~ 'DELETE'\n| summarize deleted_items = dcount(SourceItemName) by SrcUserName, bin(TimeGenerated, 5m)\n| where deleted_items > threshold\n| extend AccountCustomEntity = SrcUserName\n",
+ "query": "let threshold = 100;\nBoxEvents\n| where EventType =~ 'DELETE'\n| summarize deleted_items = dcount(SourceItemName) by SrcUserName, bin(EventEndTime, 5m)\n| where deleted_items > threshold\n| extend AccountCustomEntity = SrcUserName\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -3024,7 +3032,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxNewExternalUser_AnalyticalRules Analytics Rule with template version 3.1.1",
+ "description": "BoxNewExternalUser_AnalyticalRules Analytics Rule with template version 3.1.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
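Review bot: In the 2937 hunk the deletions are now bucketed with `bin(EventEndTime, 5m)` while the scheduler still selects the rows for each hourly run by the rule's PT1H `queryPeriod`, which is applied to ingestion time; when the Box poller delivers events with any delay, the rows that make up a given five-minute bucket can be split across two consecutive runs, so a burst of more than `threshold` deletions may be evaluated as two sub-threshold halves, and a bucket can be partially re-evaluated on the next run. That trade-off is inherent in filtering on the event-side timestamp and is worth stating in the rule description, e.g. `Buckets are formed on the Box event time (EventEndTime); bursts that straddle an ingestion boundary may be split across runs`, or mitigated by giving the rule a `queryPeriod` longer than its `queryFrequency` so late rows are re-included.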
@@ -3138,7 +3146,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxSensitiveFile_AnalyticalRules Analytics Rule with template version 3.1.1",
+ "description": "BoxSensitiveFile_AnalyticalRules Analytics Rule with template version 3.1.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -3251,7 +3259,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxUserLoginAsAdmin_AnalyticalRules Analytics Rule with template version 3.1.1",
+ "description": "BoxUserLoginAsAdmin_AnalyticalRules Analytics Rule with template version 3.1.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -3268,7 +3276,7 @@
 "description": "Detects when user logged in as admin.",
 "displayName": "Box - User logged in as admin",
 "enabled": false,
- "query": "let lbperiod_start = 14d;\nlet lbperiod_end = 1d;\nlet admins = BoxEvents\n| where TimeGenerated between (ago(lbperiod_start) .. ago(lbperiod_end))\n| where EventType =~ 'ADMIN_LOGIN'\n| summarize makeset(SourceLogin);\nBoxEvents\n| where EventType =~ 'ADMIN_LOGIN'\n| where SourceLogin !in (admins)\n| extend AccountCustomEntity = SourceLogin\n| extend IPCustomEntity = SrcIpAddr\n",
+ "query": "let lbperiod_start = 14d;\nlet lbperiod_end = 1d;\nlet admins = BoxEvents\n| where EventEndTime between (ago(lbperiod_start) .. ago(lbperiod_end))\n| where EventType =~ 'ADMIN_LOGIN'\n| summarize makeset(SourceLogin);\nBoxEvents\n| where EventType =~ 'ADMIN_LOGIN'\n| where SourceLogin !in (admins)\n| extend AccountCustomEntity = SourceLogin\n| extend IPCustomEntity = SrcIpAddr\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "P14D",
 "severity": "Medium",
@@ -3364,7 +3372,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxUserRoleChangedToOwner_AnalyticalRules Analytics Rule with template version 3.1.1",
+ "description": "BoxUserRoleChangedToOwner_AnalyticalRules Analytics Rule with template version 3.1.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
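Review bot: The final leg of the "User logged in as admin" query, `BoxEvents | where EventType =~ 'ADMIN_LOGIN' | where SourceLogin !in (admins)`, has no lower time bound, so with `queryFrequency` PT1H and `lbperiod_end` of 1d a first-time admin login keeps matching on every hourly run until it ages past `ago(lbperiod_end)` and enters the `admins` set, i.e. roughly twenty-four alerts for one event. Bounding the leg to the run interval, `| where EventEndTime > ago(1h)`, or aligning `lbperiod_end` with the query frequency, gives one alert per login; the `makeset(SourceLogin)` cap noted on the first hunting-query hunk also applies to `admins`, where truncation would make established admins look new.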
@@ -3381,7 +3389,7 @@
 "description": "Detects when user collaboration role is changed to owner.",
 "displayName": "Box - User role changed to owner",
 "enabled": false,
- "query": "let lbperiod = 14d;\nlet lbtime = 1h;\nBoxEvents\n| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))\n| where EventType =~ 'COLLABORATION_INVITE'\n| where AdditionalDetailsRole !~ 'Owner'\n| summarize min(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole\n| project AccessibleByName, FileDirectory, InitialRole = AdditionalDetailsRole\n|join (BoxEvents\n | where EventType =~ 'COLLABORATION_ROLE_CHANGE'\n | summarize max(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole\n | project AccessibleByName, FileDirectory, NewRole = AdditionalDetailsRole\n ) on FileDirectory, AccessibleByName\n| where NewRole =~ 'Owner'\n| project AccessibleByName, FileDirectory\n| extend AccountCustomEntity = AccessibleByName\n",
+ "query": "let lbperiod = 14d;\nlet lbtime = 1h;\nBoxEvents\n| where EventEndTime between (ago(lbperiod) .. ago(lbtime))\n| where EventType =~ 'COLLABORATION_INVITE'\n| where AdditionalDetailsRole !~ 'Owner'\n| summarize min(EventEndTime) by AccessibleByName, FileDirectory, AdditionalDetailsRole\n| project AccessibleByName, FileDirectory, InitialRole = AdditionalDetailsRole\n|join (BoxEvents\n | where EventType =~ 'COLLABORATION_ROLE_CHANGE'\n | summarize max(EventEndTime) by AccessibleByName, FileDirectory, AdditionalDetailsRole\n | project AccessibleByName, FileDirectory, NewRole = AdditionalDetailsRole\n ) on FileDirectory, AccessibleByName\n| where NewRole =~ 'Owner'\n| project AccessibleByName, FileDirectory\n| extend AccountCustomEntity = AccessibleByName\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "P14D",
 "severity": "Medium",
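Review bot: The inner `COLLABORATION_ROLE_CHANGE` leg of the rewritten "User role changed to owner" query has no time filter and `summarize max(EventEndTime) by ... AdditionalDetailsRole` groups by role, so it yields one row per role ever assigned in the 14-day `queryPeriod` rather than the latest role; `where NewRole =~ 'Owner'` therefore fires every hourly run for any owner change in the past two weeks, not just new ones, and `lbtime` bounds only the invite leg. Restricting the inner leg with `| where EventEndTime > ago(lbtime)` limits alerts to role changes since the previous run, and using `arg_max(EventEndTime, AdditionalDetailsRole) by AccessibleByName, FileDirectory` instead of the grouped `max()` would make NewRole the actual latest role if that is what the description intends.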
@@ -3464,7 +3472,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.1.1",
+ "version": "3.1.2",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Box",
diff --git a/Solutions/Box/ReleaseNotes.md b/Solutions/Box/ReleaseNotes.md
index 29945246d61..109a517b2f0 100644
--- a/Solutions/Box/ReleaseNotes.md
+++ b/Solutions/Box/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.1.2 | 29-10-2025 | Updated KQL queries in Workbook to use EventEndTime instead of TimeGenerated for time-based filtering |
 | 3.1.1 | 10-02-2025 | Advancing CCP **Data Connector** from Public preview to Global Availability.|
 | 3.1.0 | 06-12-2024 | Added new CCP **Data Connector** and modified **Parser**. |
 | 3.0.1 | 18-08-2023 | Added text 'using Azure Functions' in **Data Connector** page. |
diff --git a/Solutions/Box/Workbooks/Box.json b/Solutions/Box/Workbooks/Box.json
index 7e323fd0eb3..c658ad5945c 100644
--- a/Solutions/Box/Workbooks/Box.json
+++ b/Solutions/Box/Workbooks/Box.json
@@ -72,7 +72,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "BoxEvents\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
+ "query": "BoxEvents\r\n| make-series TotalEvents = count() default = 0 on EventEndTime from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
 "size": 0,
 "title": "Events over time",
 "timeContext": {
@@ -315,7 +315,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "let files_1 = BoxEvents\r\n| where TimeGenerated > ago(90d)\r\n| where isnotempty(SourceFileName)\r\n| summarize TotalItems = dcount(SourceFileName) by SourceFileName\r\n| project TotalItems, FileName = SourceFileName;\r\nlet files_2 = BoxEvents\r\n| where TimeGenerated > ago(90d)\r\n| where isnotempty(SourceItemName)\r\n| summarize TotalItems = dcount(SourceItemName) by SourceItemName\r\n| project TotalItems, FileName = SourceItemName;\r\nlet known_files = (union files_1, files_2)\r\n| summarize makeset(FileName);\r\nBoxEvents\r\n| where TimeGenerated between (ago(24h) .. now())\r\n| where isnotempty(SourceFileName) \r\n| project FileName = SourceFileName\r\n| union (BoxEvents\r\n | where TimeGenerated between (ago(24h) .. now())\r\n | where isnotempty(SourceItemName)\r\n | project FileName = SourceItemName)\r\n| where FileName !in (known_files)\r\n| summarize dcount(FileName)\r\n\r\n",
+ "query": "let files_1 = BoxEvents\r\n| where EventEndTime > ago(90d)\r\n| where isnotempty(SourceFileName)\r\n| summarize TotalItems = dcount(SourceFileName) by SourceFileName\r\n| project TotalItems, FileName = SourceFileName;\r\nlet files_2 = BoxEvents\r\n| where EventEndTime > ago(90d)\r\n| where isnotempty(SourceItemName)\r\n| summarize TotalItems = dcount(SourceItemName) by SourceItemName\r\n| project TotalItems, FileName = SourceItemName;\r\nlet known_files = (union files_1, files_2)\r\n| summarize makeset(FileName);\r\nBoxEvents\r\n| where EventEndTime between (ago(24h) .. now())\r\n| where isnotempty(SourceFileName) \r\n| project FileName = SourceFileName\r\n| union (BoxEvents\r\n | where EventEndTime between (ago(24h) .. now())\r\n | where isnotempty(SourceItemName)\r\n | project FileName = SourceItemName)\r\n| where FileName !in (known_files)\r\n| summarize dcount(FileName)\r\n\r\n",
 "size": 3,
 "title": "New files (last 24h)",
 "noDataMessage": "No new files during last 24h",
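Review bot: The "New files (last 24h)" tile still builds `known_files` from `files_1`/`files_2` filtered with `EventEndTime > ago(90d)`, a window that includes the last 24 hours, so every FileName the final leg selects from `between (ago(24h) .. now())` is already in `known_files`, `FileName !in (known_files)` never passes, and `dcount(FileName)` is always 0 — the tile can only ever show its "No new files" message. Changing both baseline filters to `| where EventEndTime between (ago(90d) .. ago(24h))` makes the set a genuine history. Separately, `summarize TotalItems = dcount(SourceFileName) by SourceFileName` always yields 1 and `TotalItems` is discarded by the `makeset`, so `| distinct FileName = SourceFileName` says the same thing more plainly, and the `makeset` size cap flagged on the first hunting-query hunk matters more here because a 90-day file inventory can easily exceed it.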
@@ -344,7 +344,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "BoxEvents\r\n| where TimeGenerated > ago(90d)\r\n| where EventType == 'ADMIN_LOGIN'\r\n| summarize Username = dcount(SourceName) by SourceName\r\n| project SourceName\r\n",
+ "query": "BoxEvents\r\n| where EventEndTime > ago(90d)\r\n| where EventType == 'ADMIN_LOGIN'\r\n| summarize Username = dcount(SourceName) by SourceName\r\n| project SourceName\r\n",
 "size": 3,
 "title": "Admin users",
 "queryType": 0,
@@ -400,7 +400,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "let admins = BoxEvents\r\n| where TimeGenerated > ago(90d)\r\n| where EventType == 'ADMIN_LOGIN'\r\n| summarize makeset(SourceName);\r\nlet adm_type1 = BoxEvents\r\n| where SourceName in (admins)\r\n| summarize TotalActions = count() by SourceName;\r\nlet adm_type2 = BoxEvents\r\n| where SrcUserName in (admins)\r\n| summarize TotalActions = count() by SrcUserName\r\n| project TotalActions, SourceName = SrcUserName; \r\nlet adm_activity = (union adm_type1, adm_type2);\r\nadm_activity\r\n| summarize TotalActions = sum(TotalActions) by SourceName\r\n| join kind = inner (BoxEvents\r\n | where SourceName in (admins) or SrcUserName in (admins)\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\r\n on SourceName\r\n| project SourceName, TotalActions, Trend\r\n| order by TotalActions\r\n",
+ "query": "let admins = BoxEvents\r\n| where EventEndTime > ago(90d)\r\n| where EventType == 'ADMIN_LOGIN'\r\n| summarize makeset(SourceName);\r\nlet adm_type1 = BoxEvents\r\n| where SourceName in (admins)\r\n| summarize TotalActions = count() by SourceName;\r\nlet adm_type2 = BoxEvents\r\n| where SrcUserName in (admins)\r\n| summarize TotalActions = count() by SrcUserName\r\n| project TotalActions, SourceName = SrcUserName; \r\nlet adm_activity = (union adm_type1, adm_type2);\r\nadm_activity\r\n| summarize TotalActions = sum(TotalActions) by SourceName\r\n| join kind = inner (BoxEvents\r\n | where SourceName in (admins) or SrcUserName in (admins)\r\n | make-series Trend = count() default = 0 on EventEndTime from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\r\n on SourceName\r\n| project SourceName, TotalActions, Trend\r\n| order by TotalActions\r\n",
 "size": 3,
 "title": "Admin users activity",
 "timeContext": {
@@ -464,7 +464,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let admins = BoxEvents\r\n| where TimeGenerated > ago(90d)\r\n| where EventType == 'ADMIN_LOGIN'\r\n| summarize makeset(SourceName);\r\nlet adm_type1 = BoxEvents\r\n| where SourceName in (admins)\r\n| summarize by EventType, SourceName\r\n| project Action = EventType, SourceName;\r\nlet adm_type2 = BoxEvents\r\n| where SrcUserName in (admins)\r\n| summarize max(TimeGenerated) by EventType, SrcUserName\r\n| project Action = EventType, SourceName = SrcUserName; \r\nlet adm_activity = (union adm_type1, adm_type2);\r\nadm_activity\r\n", + "query": "let admins = BoxEvents\r\n| where EventEndTime > ago(90d)\r\n| where EventType == 'ADMIN_LOGIN'\r\n| summarize makeset(SourceName);\r\nlet adm_type1 = BoxEvents\r\n| where SourceName in (admins)\r\n| summarize by EventType, SourceName\r\n| project Action = EventType, SourceName;\r\nlet adm_type2 = BoxEvents\r\n| where SrcUserName in (admins)\r\n| summarize max(EventEndTime) by EventType, SrcUserName\r\n| project Action = EventType, SourceName = SrcUserName; \r\nlet adm_activity = (union adm_type1, adm_type2);\r\nadm_activity\r\n", "size": 1, "title": "Latest admin activity", "timeContext": { @@ -604,7 +604,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "BoxEvents\r\n| where EventType == 'LOGIN'\r\n| summarize LastLoginTime = max(TimeGenerated) by SourceName\r\n| where LastLoginTime > ago(90d)", + "query": "BoxEvents\r\n| where EventType == 'LOGIN'\r\n| summarize LastLoginTime = max(EventEndTime) by SourceName\r\n| where LastLoginTime > ago(90d)", "size": 0, "title": "Inactive users", "timeContext": { 
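Review bot: In the `+` query line, `adm_type2` computes `max(EventEndTime)` but the following `project Action = EventType, SourceName = SrcUserName` discards it, and `adm_type1` never computes a time at all, so the "Latest admin activity" tile shows no timestamp on any row and cannot be ordered by recency. Keep the value in both branches, e.g. `| summarize LastSeen = max(EventEndTime) by EventType, SourceName | project Action = EventType, SourceName, LastSeen` for adm_type1 and `| summarize LastSeen = max(EventEndTime) by EventType, SrcUserName | project Action = EventType, SourceName = SrcUserName, LastSeen` for adm_type2, then `| order by LastSeen desc` on the union. Without a time column an analyst cannot distinguish a privilege use from today from one 90 days old.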
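Review bot: The filter on the `+` query line is inverted for a tile titled "Inactive users": `| where LastLoginTime > ago(90d)` keeps accounts whose latest LOGIN is within the last 90 days, i.e. the active ones, and because max() presumably only sees rows inside the workbook time context it will list every user who logged in during the picker window. For dormant accounts it should read `| where LastLoginTime < ago(90d)`, with the query given its own lookback (or the time context widened) so the max is taken over enough history to be meaningful. Accounts that have never produced a LOGIN event are not surfaced by either form, which is worth stating in the tile title or description.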
@@ -625,7 +625,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let user_act1 = BoxEvents\r\n| where isnotempty(SourceName)\r\n| summarize TotalActions = count() by SourceName;\r\nlet user_act2 = BoxEvents\r\n| where isnotempty(SrcUserName)\r\n| summarize TotalActions = count() by SrcUserName\r\n| project TotalActions, SourceName = SrcUserName; \r\nlet user_activity = (union user_act1, user_act2);\r\nuser_activity\r\n| join kind = inner (BoxEvents\r\n | where isnotempty(SourceName) or isnotempty(SrcUserName)\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\r\n on SourceName\r\n| project SourceName, TotalActions, Trend\r\n| order by TotalActions", + "query": "let user_act1 = BoxEvents\r\n| where isnotempty(SourceName)\r\n| summarize TotalActions = count() by SourceName;\r\nlet user_act2 = BoxEvents\r\n| where isnotempty(SrcUserName)\r\n| summarize TotalActions = count() by SrcUserName\r\n| project TotalActions, SourceName = SrcUserName; \r\nlet user_activity = (union user_act1, user_act2);\r\nuser_activity\r\n| join kind = inner (BoxEvents\r\n | where isnotempty(SourceName) or isnotempty(SrcUserName)\r\n | make-series Trend = count() default = 0 on EventEndTime from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\r\n on SourceName\r\n| project SourceName, TotalActions, Trend\r\n| order by TotalActions", "size": 0, "title": "Users activity over time", "timeContext": { @@ -693,7 +693,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "BoxEvents\r\n| summarize Downloads = countif(EventType == \"DOWNLOAD\"), Uploads = countif(EventType == \"UPLOAD\") by bin_at(TimeGenerated, 1h, now())", + "query": "BoxEvents\r\n| summarize Downloads = countif(EventType == \"DOWNLOAD\"), Uploads = countif(EventType == \"UPLOAD\") by bin_at(EventEndTime, 1h, now())", "size": 3, "title": "Downloads/Uploads comparison", "timeContext": { 
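Review bot: On the `+` query line the inner make-series is grouped only `by SourceName` even though its row filter admits rows where only SrcUserName is set, so activity that `user_act2` attributed under SrcUserName lands in an empty-SourceName series and the inner join drops or mis-pairs those users; something like `| extend SourceName = coalesce(SourceName, SrcUserName)` before the make-series would align the two keys, assuming the two columns are never both populated on one row (not visible here). Separately, the series now runs on EventEndTime while `user_act1`/`user_act2` and the tile's time context presumably still bound rows by TimeGenerated, so Trend and TotalActions for the same user can count different event sets; pick one time column for both.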
@@ -713,7 +713,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "BoxEvents\r\n| where EventType == 'DOWNLOAD'\r\n| where isnotempty(SourceItemName)\r\n| project FileName = SourceItemName, SrcUserName, TimeGenerated\r\n| top 100 by TimeGenerated desc", + "query": "BoxEvents\r\n| where EventType == 'DOWNLOAD'\r\n| where isnotempty(SourceItemName)\r\n| project FileName = SourceItemName, SrcUserName, EventEndTime\r\n| top 100 by EventEndTime desc", "size": 0, "title": "Latest downloaded items", "timeContext": { @@ -740,7 +740,7 @@ } }, { - "columnMatch": "TimeGenerated", + "columnMatch": "EventEndTime", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "25ch" @@ -760,7 +760,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "BoxEvents\r\n| where EventType == 'UPLOAD'\r\n| where isnotempty(SourceItemName)\r\n| project FileName = SourceItemName, SrcUserName, TimeGenerated\r\n| top 100 by TimeGenerated desc", + "query": "BoxEvents\r\n| where EventType == 'UPLOAD'\r\n| where isnotempty(SourceItemName)\r\n| project FileName = SourceItemName, SrcUserName, EventEndTime\r\n| top 100 by EventEndTime desc", "size": 0, "title": "Latest uploaded items", "timeContext": { @@ -786,7 +786,7 @@ } }, { - "columnMatch": "TimeGenerated", + "columnMatch": "EventEndTime", "formatter": 0, "formatOptions": { "customColumnWidthSetting": "25ch" diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json index a3eb810f098..109797de310 100644 --- a/Workbooks/WorkbooksMetadata.json +++ b/Workbooks/WorkbooksMetadata.json @@ -4676,10 +4676,10 @@ "logoFileName": "box.svg", "description": "Sets the time name for analysis", "dataTypesDependencies": [ - "BoxEvents_CL" + "BoxEvents" ], "dataConnectorsDependencies": [ - "BoxDataConnector" + "BoxEventsCCPDefinition" ], "previewImagesFileNames": [ "BoxBlack1.png", 
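Review bot: The "Latest downloaded items" tile on the `+` query line now orders purely by EventEndTime, a timestamp supplied by the Box log rather than stamped at ingest, so clock skew or delayed delivery reorders the "latest" list and a row with an empty EventEndTime sorts to the end and falls out of the top 100. For a triage view keep both columns, `| project FileName = SourceItemName, SrcUserName, EventEndTime, TimeGenerated`, so the analyst can compare event time with ingest time and spot late-arriving or back-dated rows; the same applies to the "Latest uploaded items" query further along this line. Whether EventEndTime can be empty for these rows is not visible in the diff.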
@@ -4687,7 +4687,7 @@
 "BoxBlack2.png",
 "BoxWhite2.png"
 ],
- "version": "1.0.0",
+ "version": "1.0.1",
 "title": "Box",
 "templateRelativePath": "Box.json",
 "subtitle": "",