diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_CloudAppEvents_Updated.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_CloudAppEvents_Updated.yaml
index ad01e1e2507..fdae2cc1a4f 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_CloudAppEvents_Updated.yaml
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_CloudAppEvents_Updated.yaml
@@ -19,8 +19,8 @@ tactics:
 relevantTechniques:
 - T1566
 query: |
- let dt_lookBack = 10d;
- let ioc_lookBack = 30d;
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
 let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$';
 ThreatIntelIndicators
 | where TimeGenerated >= ago(ioc_lookBack)
@@ -52,5 +52,5 @@ entityMappings:
 columnName: User_Id
 - identifier: UPNSuffix
 columnName: UPNSuffix
-version: 1.0.6
+version: 1.0.7
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence (NEW)/Data/Solution_ThreatIntelligenceUpdated.json b/Solutions/Threat Intelligence (NEW)/Data/Solution_ThreatIntelligenceUpdated.json
index ba9374907d3..0c8685fbb00 100644
--- a/Solutions/Threat Intelligence (NEW)/Data/Solution_ThreatIntelligenceUpdated.json
+++ b/Solutions/Threat Intelligence (NEW)/Data/Solution_ThreatIntelligenceUpdated.json
@@ -79,7 +79,7 @@
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Threat Intelligence (NEW)\\",
- "Version": "3.0.7",
+ "Version": "3.0.9",
 "TemplateSpec": true,
 "StaticDataConnectorIds": [
 "ThreatIntelligenceTaxii",
diff --git a/Solutions/Threat Intelligence (NEW)/Package/3.0.9.zip b/Solutions/Threat Intelligence (NEW)/Package/3.0.9.zip
new file mode 100644
index 00000000000..bf5a1f7152b
Binary files /dev/null and b/Solutions/Threat Intelligence (NEW)/Package/3.0.9.zip differ
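Review bot: The new `let dt_lookBack = 1h;` gives the CloudAppEvents side a window exactly equal to the rule's schedule (the packaged copy of this rule in mainTemplate.json, hunk -3400, shows `queryFrequency` PT1H), so a CloudAppEvents row whose TimeGenerated falls in the previous hour but is ingested after that run has completed is never evaluated against the indicators. If the one-hour window is intentional, the reasoning belongs next to the constant, e.g. `let dt_lookBack = 1h; // must cover queryFrequency (PT1H); widen if CloudAppEvents ingestion lag is observed`. The same constants are repeated in the generated mainTemplate.json hunk at -3400, which is produced from this file, so the comment is needed only here. The query body continues outside this hunk.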
diff --git a/Solutions/Threat Intelligence (NEW)/Package/createUiDefinition.json b/Solutions/Threat Intelligence (NEW)/Package/createUiDefinition.json index 531b3881e14..8f87afb1012 100644 --- a/Solutions/Threat Intelligence (NEW)/Package/createUiDefinition.json +++ b/Solutions/Threat Intelligence (NEW)/Package/createUiDefinition.json @@ -162,7 +162,7 @@ } }, { - "name": "dataconnectors-link5", + "name": "dataconnectors-link6", "type": "Microsoft.Common.TextBlock", "options": { "link": { diff --git a/Solutions/Threat Intelligence (NEW)/Package/mainTemplate.json b/Solutions/Threat Intelligence (NEW)/Package/mainTemplate.json index 9183ab65501..fda6d6b56f7 100644 --- a/Solutions/Threat Intelligence (NEW)/Package/mainTemplate.json +++ b/Solutions/Threat Intelligence (NEW)/Package/mainTemplate.json @@ -41,7 +41,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Threat Intelligence (NEW)", - "_solutionVersion": "3.0.8", + "_solutionVersion": "3.0.9", "solutionId": "azuresentinel.azure-sentinel-solution-threatintelligence-updated", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "ThreatIntelligenceTaxii", 
@@ -184,11 +184,11 @@ "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a9a4d1ee-0f52-4a1f-8def-a2fb4462104c','-', '1.2.11')))]" }, "analyticRuleObject12": { - "analyticRuleVersion12": "1.0.6", + "analyticRuleVersion12": "1.0.7", "_analyticRulecontentId12": "0385e99c-ae45-45f4-aecf-00104485cd6b", "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0385e99c-ae45-45f4-aecf-00104485cd6b')]", "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0385e99c-ae45-45f4-aecf-00104485cd6b')))]", - "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0385e99c-ae45-45f4-aecf-00104485cd6b','-', '1.0.6')))]" + "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0385e99c-ae45-45f4-aecf-00104485cd6b','-', '1.0.7')))]" }, "analyticRuleObject13": { "analyticRuleVersion13": "1.0.5", @@ -508,7 +508,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence (NEW) data connector with template version 3.0.8", + "description": "Threat Intelligence (NEW) data connector with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -685,7 +685,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence (NEW) data connector with template version 3.0.8", + "description": "Threat Intelligence (NEW) data connector with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", @@ -862,7 +862,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence (NEW) data connector with template version 3.0.8", + "description": "Threat Intelligence (NEW) data connector with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion3')]", 
@@ -1110,7 +1110,7 @@ "title": "Follow These Steps to Connect to your Threat Intelligence: " }, { - "description": "[concat('To send request to the APIs, you need to acquire Microsoft Entra ID access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n - Notice: Please request Microsoft Entra ID access token with scope value: ', variables('management'), '.default')]", + "description": "[concat('To send request to the APIs, you need to acquire Microsoft Entra ID access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n - Notice: Please request Microsoft Entra ID access token with scope value: ', variables('management'), '.default')]", "title": "1. Get Microsoft Entra ID Access Token" }, { @@ -1131,7 +1131,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence (NEW) data connector with template version 3.0.8", + "description": "Threat Intelligence (NEW) data connector with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion4')]", 
@@ -1308,7 +1308,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence (NEW) data connector with template version 3.0.8", + "description": "Threat Intelligence (NEW) data connector with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion5')]", @@ -1485,7 +1485,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence (NEW) data connector with template version 3.0.8", + "description": "Threat Intelligence (NEW) data connector with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion6')]", @@ -1740,7 +1740,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ThreatIntelligenceNew Workbook with template version 3.0.8", + "description": "ThreatIntelligenceNew Workbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -1828,7 +1828,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_CloudAppEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_CloudAppEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -1876,22 +1876,22 @@ ], "entityMappings": [ { + "entityType": "DNS", "fieldMappings": [ { - "columnName": "DomainName", - "identifier": "DomainName" + "identifier": "DomainName", + "columnName": "DomainName" } - ], - "entityType": "DNS" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -1947,7 +1947,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -2001,31 +2001,31 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "PA_Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "PA_Url" } - ], - "entityType": "URL" + ] } ] } @@ -2081,7 +2081,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_DeviceNetworkEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_DeviceNetworkEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", 
@@ -2141,44 +2141,44 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" } - ], - "entityType": "Host" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "Process", "fieldMappings": [ { - "columnName": "InitiatingProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "InitiatingProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -2234,7 +2234,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", 
@@ -2294,39 +2294,39 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "Computer", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Computer" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } @@ -2382,7 +2382,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_EmailEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_EmailEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -2442,21 +2442,21 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "RecipientEmailAddress", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "RecipientEmailAddress" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] } ] } 
@@ -2512,7 +2512,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_EmailUrlInfo_Updated_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_EmailUrlInfo_Updated_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -2572,30 +2572,30 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "RecipientEmailAddress", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "RecipientEmailAddress" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } @@ -2651,7 +2651,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
@@ -2711,31 +2711,31 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "PA_Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "PA_Url" } - ], - "entityType": "URL" + ] } ] } @@ -2791,7 +2791,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", 
@@ -2851,39 +2851,39 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "Computer", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Computer" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "HostIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "HostIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } @@ -2939,7 +2939,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", 
@@ -3005,31 +3005,31 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IP_addr", - "identifier": "Address" + "identifier": "Address", + "columnName": "IP_addr" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } @@ -3085,7 +3085,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", 
@@ -3151,36 +3151,36 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ], "customDetails": { - "IndicatorId": "IndicatorId", "ThreatType": "ThreatType", - "EventTime": "Event_TimeGenerated", + "IoCDescription": "Description", "ActivityGroupNames": "ActivityGroupNames", - "IoCExpirationTime": "ValidUntil", "IoCConfidenceScore": "Confidence", - "IoCDescription": "Description" + "EventTime": "Event_TimeGenerated", + "IoCExpirationTime": "ValidUntil", + "IndicatorId": "IndicatorId" }, "alertDetailsOverride": { - "alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.", - "alertDisplayNameFormat": "A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC" + "alertDisplayNameFormat": "A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC", + "alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator." } } }, 
@@ -3235,7 +3235,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -3295,39 +3295,39 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Caller", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Caller" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "CallerIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "CallerIpAddress" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } 
@@ -3383,7 +3383,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_CloudAppEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "EmailEntity_CloudAppEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", 
@@ -3400,7 +3400,7 @@ "description": "Identifies compromises and attacks and detect malicious activities in one's email entity from TI", "displayName": "TI map Email entity to Cloud App Events", "enabled": false, - "query": "let dt_lookBack = 10d;\nlet ioc_lookBack = 30d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelIndicators\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue\n | where IsActive and (ValidUntil > now() or isempty(ValidUntil))\n//extract key part of kv pair\n | extend IndicatorType = replace(@\"\\[|\\]|\\\"\"\", \"\", tostring(split(ObservableKey, \":\", 0)))\n | where IndicatorType == \"email-addr\"\n | extend EmailSenderAddress = ObservableValue\n | extend EmailSourceDomain = substring(EmailSenderAddress, indexof(EmailSenderAddress, \"@\") + 1, strlen(EmailSenderAddress) - indexof(EmailSenderAddress, \"@\") - 1)\n | project-reorder *, EmailSenderAddress, EmailSourceDomain, Type\n | extend IndicatorId = tostring(split(Id, \"--\")[2])\n | join kind=innerunique (CloudAppEvents\n| extend User_Id = tostring(RawEventData.UserId)\n| where isnotempty(User_Id)\n| where TimeGenerated >= ago(dt_lookBack) and isnotempty(Application)\n| extend CloudAppEvents_TimeGenerated = TimeGenerated \n| where User_Id matches regex emailregex) on $left.EmailSenderAddress == $right.User_Id\n| where CloudAppEvents_TimeGenerated < ValidUntil\n| summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_Id\n| extend Name = tostring(split(User_Id, '@', 0)[0]), UPNSuffix = tostring(split(User_Id, '@', 1)[0])\n| extend timestamp = CloudAppEvents_TimeGenerated\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelIndicators\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
Id, ObservableValue\n | where IsActive and (ValidUntil > now() or isempty(ValidUntil))\n//extract key part of kv pair\n | extend IndicatorType = replace(@\"\\[|\\]|\\\"\"\", \"\", tostring(split(ObservableKey, \":\", 0)))\n | where IndicatorType == \"email-addr\"\n | extend EmailSenderAddress = ObservableValue\n | extend EmailSourceDomain = substring(EmailSenderAddress, indexof(EmailSenderAddress, \"@\") + 1, strlen(EmailSenderAddress) - indexof(EmailSenderAddress, \"@\") - 1)\n | project-reorder *, EmailSenderAddress, EmailSourceDomain, Type\n | extend IndicatorId = tostring(split(Id, \"--\")[2])\n | join kind=innerunique (CloudAppEvents\n| extend User_Id = tostring(RawEventData.UserId)\n| where isnotempty(User_Id)\n| where TimeGenerated >= ago(dt_lookBack) and isnotempty(Application)\n| extend CloudAppEvents_TimeGenerated = TimeGenerated \n| where User_Id matches regex emailregex) on $left.EmailSenderAddress == $right.User_Id\n| where CloudAppEvents_TimeGenerated < ValidUntil\n| summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_Id\n| extend Name = tostring(split(User_Id, '@', 0)[0]), UPNSuffix = tostring(split(User_Id, '@', 1)[0])\n| extend timestamp = CloudAppEvents_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -3431,21 +3431,21 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "DisplayName" + "identifier": "DisplayName", + "columnName": "Name" }, { - "columnName": "User_Id", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "User_Id" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] } ] } 
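Review bot: The new query string still carries `| where CloudAppEvents_TimeGenerated < ValidUntil`, which drops every indicator that the earlier `(ValidUntil > now() or isempty(ValidUntil))` filter deliberately kept with an empty ValidUntil, because a KQL comparison against a null datetime evaluates to null and `where` discards such rows. Unless matches on open-ended indicators are meant to be excluded, the guard should read `| where isempty(ValidUntil) or CloudAppEvents_TimeGenerated < ValidUntil`. mainTemplate.json is the packaged artifact, so the change belongs in EmailEntity_CloudAppEvents_Updated.yaml (the same query text is presumably there, outside the lines its hunk shows) and should be re-packaged from it. The enclosing rule object starts and ends outside this hunk.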
@@ -3501,7 +3501,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_EmailEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "EmailEntity_EmailEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", @@ -3561,21 +3561,21 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "RecipientEmailAddress", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "RecipientEmailAddress" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] } ] } @@ -3631,7 +3631,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", 
@@ -3691,39 +3691,39 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } @@ -3779,7 +3779,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", 
@@ -3839,31 +3839,31 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "DestinationUserID", - "identifier": "Name" + "identifier": "Name", + "columnName": "DestinationUserID" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } @@ -3919,7 +3919,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", @@ -3979,30 +3979,30 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "EntityEmail", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "EntityEmail" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } 
@@ -4058,7 +4058,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", @@ -4130,44 +4130,44 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "TargetUserName", - "identifier": "Name" + "identifier": "Name", + "columnName": "TargetUserName" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IpAddress" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } 
@@ -4223,7 +4223,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", @@ -4289,39 +4289,39 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "UserPrincipalName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserPrincipalName" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } 
@@ -4377,7 +4377,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", 
@@ -4437,69 +4437,69 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "SourceUserName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "SourceUserName" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { - "columnName": "FileHashValue", - "identifier": "Value" + "identifier": "Value", + "columnName": "FileHashValue" }, { - "columnName": "FileHashType", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "FileHashType" } - ], - "entityType": "FileHash" + ] } ] } 
@@ -4555,7 +4555,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_DeviceFileEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "FileHashEntity_DeviceFileEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", @@ -4615,43 +4615,43 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "RequestAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "RequestAccountName" }, { - "columnName": "RequestAccountSid", - "identifier": "Sid" + "identifier": "Sid", + "columnName": "RequestAccountSid" }, { - "columnName": "RequestAccountDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "RequestAccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { - "columnName": "FileHashValue", - "identifier": "Value" + "identifier": "Value", + "columnName": "FileHashValue" }, { - "columnName": "FileHashType", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "FileHashType" } - ], - "entityType": "FileHash" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } - ], - "entityType": "Host" + ] } ] } 
@@ -4707,7 +4707,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", 
@@ -4779,60 +4779,60 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Account", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Account" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "columnName": "Computer", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Computer" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { - "columnName": "FileHashValue", - "identifier": "Value" + "identifier": "Value", + "columnName": "FileHashValue" }, { - "columnName": "FileHashType", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "FileHashType" } - ], - "entityType": "FileHash" + ] } ] } 
@@ -4888,7 +4888,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", @@ -4948,31 +4948,31 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "UserIdentityUserName", - "identifier": "ObjectGuid" + "identifier": "ObjectGuid", + "columnName": "UserIdentityUserName" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SourceIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIpAddress" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } @@ -5028,7 +5028,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", 
@@ -5082,53 +5082,53 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "CsUsername", - "identifier": "Name" + "identifier": "Name", + "columnName": "CsUsername" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "CIp", - "identifier": "Address" + "identifier": "Address", + "columnName": "CIp" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "AzureResource", "fieldMappings": [ { - "columnName": "_ResourceId", - "identifier": "ResourceId" + "identifier": "ResourceId", + "columnName": "_ResourceId" } - ], - "entityType": "AzureResource" + ] } ], "alertDetailsOverride": { @@ -5187,7 +5187,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", 
@@ -5247,57 +5247,57 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Caller", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Caller" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "AadUserId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "AadUserId" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "CallerIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "CallerIpAddress" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "AzureResource", "fieldMappings": [ { - "columnName": "ResourceId", - "identifier": "ResourceId" + "identifier": "ResourceId", + "columnName": "ResourceId" } - ], - "entityType": "AzureResource" + ] } ] } @@ -5353,7 +5353,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", 
@@ -5413,22 +5413,22 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "TI_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "TI_ipEntity" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "TargetUrl", - "identifier": "Url" + "identifier": "Url", + "columnName": "TargetUrl" } - ], - "entityType": "URL" + ] } ] } @@ -5484,7 +5484,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", @@ -5544,22 +5544,22 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "AzureResource", "fieldMappings": [ { - "columnName": "ResourceId", - "identifier": "ResourceId" + "identifier": "ResourceId", + "columnName": "ResourceId" } - ], - "entityType": "AzureResource" + ] } ] } 
@@ -5615,7 +5615,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", @@ -5669,39 +5669,39 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "Computer", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Computer" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "TI_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "TI_ipEntity" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } 
@@ -5757,7 +5757,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", @@ -5817,13 +5817,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } - ], - "entityType": "IP" + ] } ] } @@ -5879,7 +5879,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_CloudAppEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_CloudAppEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", 
@@ -5927,40 +5927,40 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "TI_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "TI_ipEntity" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "NetworkDestinationIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "NetworkDestinationIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "NetworkSourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "NetworkSourceIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "EmailSourceIPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "EmailSourceIPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -6016,7 +6016,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", @@ -6076,22 +6076,22 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "CS_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "CS_ipEntity" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } - ], - "entityType": "IP" + ] } ] } 
@@ -6147,7 +6147,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DeviceNetworkEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_DeviceNetworkEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]", @@ -6207,44 +6207,44 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "TI_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "TI_ipEntity" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "RemoteUrl", - "identifier": "Url" + "identifier": "Url", + "columnName": "RemoteUrl" } - ], - "entityType": "URL" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } - ], - "entityType": "Host" + ] } ] } 
@@ -6300,7 +6300,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", @@ -6360,39 +6360,39 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "Computer", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Computer" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } 
@@ -6448,7 +6448,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]", @@ -6508,30 +6508,30 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "user_name_s", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "user_name_s" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "access_device_ip_s", - "identifier": "Address" + "identifier": "Address", + "columnName": "access_device_ip_s" } - ], - "entityType": "IP" + ] } ] } @@ -6587,7 +6587,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]", 
@@ -6647,39 +6647,39 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "TI_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "TI_ipEntity" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } @@ -6735,7 +6735,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_SigninLogs_Updated_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_SigninLogs_Updated_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]", 
@@ -6801,39 +6801,39 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "UserPrincipalName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserPrincipalName" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } @@ -6889,7 +6889,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]", 
@@ -6949,40 +6949,40 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "csUserName", - "identifier": "Name" + "identifier": "Name", + "columnName": "csUserName" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "columnName": "Computer", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "Computer" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "cIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "cIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } @@ -7038,7 +7038,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]", 
@@ -7098,35 +7098,35 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "RemoteIp", - "identifier": "Address" + "identifier": "Address", + "columnName": "RemoteIp" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } @@ -7182,7 +7182,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_Workday_Updated_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_Workday_Updated_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]", 
@@ -7242,30 +7242,30 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "ActorUsername", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "ActorUsername" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "DvcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "DvcIpAddr" } - ], - "entityType": "IP" + ] } ] } @@ -7321,7 +7321,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]", 
@@ -7466,38 +7466,38 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IoCIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "IoCIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ], - "entityType": "IP" + ] } ], "customDetails": { - "IoCExpirationTime": "ValidUntil", "EventStartTime": "imNWS_mintime", - "IndicatorId": "Id", - "ThreatType": "Type", - "IoCConfidenceScore": "Confidence", + "IoCDescription": "Description", "ActivityGroupNames": "ActivityGroupNames", "IoCIPDirection": "IoCDirection", "EventEndTime": "imNWS_maxtime", - "IoCDescription": "Description" + "IoCConfidenceScore": "Confidence", + "IoCExpirationTime": "ValidUntil", + "ThreatType": "Type", + "IndicatorId": "Id" }, "alertDetailsOverride": { - "alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{Type}}. Consult the threat intelligence blead for more information on the indicator.", - "alertDisplayNameFormat": "A network session {{IoCDirection}} address {{IoCIP}} matched an IoC." + "alertDisplayNameFormat": "A network session {{IoCDirection}} address {{IoCIP}} matched an IoC.", + "alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{Type}}. Consult the threat intelligence blead for more information on the indicator." } } }, 
@@ -7552,7 +7552,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]", 
@@ -7618,36 +7618,36 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "DstIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "DstIpAddr" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ], - "entityType": "IP" + ] } ], "customDetails": { - "IndicatorId": "IndicatorId", "ThreatType": "ThreatType", - "EventTime": "imNWS_TimeGenerated", + "IoCDescription": "Description", "ActivityGroupNames": "ActivityGroupNames", - "IoCExpirationTime": "ValidUntil", "IoCConfidenceScore": "Confidence", - "IoCDescription": "Description" + "EventTime": "imNWS_TimeGenerated", + "IoCExpirationTime": "ValidUntil", + "IndicatorId": "IndicatorId" }, "alertDetailsOverride": { - "alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator.", - "alertDisplayNameFormat": "The IP {{SrcIpAddr}} of the web request matches an IP IoC" + "alertDisplayNameFormat": "The IP {{SrcIpAddr}} of the web request matches an IP IoC", + "alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator." } } }, 
@@ -7702,7 +7702,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intel Matches to GitHub Audit Logs_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "Threat Intel Matches to GitHub Audit Logs_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]", @@ -7756,22 +7756,22 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Actor", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Actor" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPaddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPaddress" } - ], - "entityType": "IP" + ] } ] } @@ -7827,7 +7827,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]", 
@@ -7887,47 +7887,47 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "userPrincipalName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "userPrincipalName" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "columnName": "TargetResourceDisplayName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "TargetResourceDisplayName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } @@ -7983,7 +7983,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_CloudAppEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "URLEntity_CloudAppEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]", 
@@ -8031,52 +8031,52 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountObjectId", - "identifier": "ObjectGuid" + "identifier": "ObjectGuid", + "columnName": "AccountObjectId" }, { - "columnName": "userPrincipalName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "userPrincipalName" }, { - "columnName": "AccountDisplayName", - "identifier": "DisplayName" + "identifier": "DisplayName", + "columnName": "AccountDisplayName" } - ], - "entityType": "Account" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ], - "entityType": "IP" + ] }, { + "entityType": "CloudApplication", "fieldMappings": [ { - "columnName": "Application", - "identifier": "Name" + "identifier": "Name", + "columnName": "Application" }, { - "columnName": "ApplicationID", - "identifier": "AppId" + "identifier": "AppId", + "columnName": "ApplicationID" } - ], - "entityType": "CloudApplication" + ] } ] } @@ -8132,7 +8132,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_DeviceNetworkEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "URLEntity_DeviceNetworkEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]", 
@@ -8192,44 +8192,44 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" } - ], - "entityType": "Host" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "Process", "fieldMappings": [ { - "columnName": "InitiatingProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "InitiatingProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -8285,7 +8285,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_EmailUrlInfo_Updated_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "URLEntity_EmailUrlInfo_Updated_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]", 
@@ -8345,30 +8345,30 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "RecipientEmailAddress", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "RecipientEmailAddress" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } @@ -8424,7 +8424,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]", @@ -8484,31 +8484,31 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "PA_Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "PA_Url" } - ], - "entityType": "URL" + ] } ] } 
@@ -8564,7 +8564,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]", @@ -8630,22 +8630,22 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "Compromised_Host", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "Compromised_Host" } - ], - "entityType": "Host" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } @@ -8701,7 +8701,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject48').analyticRuleVersion48]", 
@@ -8761,31 +8761,31 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "Computer", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "Computer" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "HostIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "HostIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } @@ -8841,7 +8841,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_UrlClickEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "URLEntity_UrlClickEvents_Updated_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]", @@ -8901,30 +8901,30 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "AccountUpn" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] } ] } 
@@ -8980,7 +8980,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "imDns_DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "imDns_DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject50').analyticRuleVersion50]", 
@@ -9082,61 +9082,61 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "Dvc", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Dvc" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "DNS", "fieldMappings": [ { - "columnName": "Domain", - "identifier": "DomainName" + "identifier": "DomainName", + "columnName": "Domain" } - ], - "entityType": "DNS" + ] } ], "customDetails": { + "SourceIPAddress": "SrcIpAddr", + "DnsQuery": "DnsQuery", + "ActivityGroupNames": "ActivityGroupNames", + "ConfidenceScore": "Confidence", "ExpirationDateTime": "ValidUntil", + "DNSRequestTime": "DNS_TimeGenerated", "QueryType": "DnsQueryType", "Description": "Description", - "IndicatorId": "IndicatorId", "LatestIndicatorTime": "LatestIndicatorTime", - "DnsQuery": "DnsQuery", - "ActivityGroupNames": "ActivityGroupNames", - "SourceIPAddress": "SrcIpAddr", - "DNSRequestTime": "DNS_TimeGenerated", - "ConfidenceScore": "Confidence" + "IndicatorId": "IndicatorId" } } }, 
@@ -9191,7 +9191,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "imDns_IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "imDns_IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject51').analyticRuleVersion51]", 
@@ -9293,48 +9293,48 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "Dvc", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Dvc" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "IoC", - "identifier": "Address" + "identifier": "Address", + "columnName": "IoC" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ], - "entityType": "IP" + ] } ], "customDetails": { - "ExpirationDateTime": "ValidUntil", - "Description": "Description", - "IndicatorId": "IndicatorId", + "SourceIPAddress": "SrcIpAddr", "ThreatType": "ThreatType", - "LatestIndicatorTime": "LatestIndicatorTime", - "DnsQuery": "DnsQuery", "ActivityGroupNames": "ActivityGroupNames", - "SourceIPAddress": "SrcIpAddr", + "DnsQuery": "DnsQuery", + "ConfidenceScore": "Confidence", + "ExpirationDateTime": "ValidUntil", "DNSRequestTime": "imDns_mintime", - "ConfidenceScore": "Confidence" + "Description": "Description", + "LatestIndicatorTime": "LatestIndicatorTime", + "IndicatorId": "IndicatorId" }, "alertDetailsOverride": { - "alertDescriptionFormat": "The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.", - "alertDisplayNameFormat": "The response {{IoC}} to DNS query matched an IoC" + "alertDisplayNameFormat": "The response {{IoC}} to DNS query matched an IoC", + "alertDescriptionFormat": "The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator." } } }, 
@@ -9389,7 +9389,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ThreatIntelIndicatorsv2 Data Parser with template version 3.0.8", + "description": "ThreatIntelIndicatorsv2 Data Parser with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -9521,7 +9521,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.0.8", + "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -9602,7 +9602,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.0.8", + "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", 
@@ -9683,7 +9683,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.0.8", + "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -9764,7 +9764,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.0.8", + "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -9845,7 +9845,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 3.0.8", + "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", 
@@ -9922,7 +9922,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.8", + "version": "3.0.9", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Threat Intelligence (NEW)",
diff --git a/Solutions/Threat Intelligence (NEW)/ReleaseNotes.md b/Solutions/Threat Intelligence (NEW)/ReleaseNotes.md
index 865e1d19e01..44859b840f2 100644
--- a/Solutions/Threat Intelligence (NEW)/ReleaseNotes.md
+++ b/Solutions/Threat Intelligence (NEW)/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.0.9 | 07-11-2025 | Updated EmailEntity_CloudAppEvents_Updated.yaml to adjust lookback periods to match the query period and frequency. |
 | 3.0.8 | 18-10-2025 | Update IPEntity_AzureFirewall.yaml to use Resource specific tables rather than AzureDiagnostics |
 | 3.0.7 | 16-10-2025 | Added new connector for **Threat Intelligence TAXII** export and now available in public preview. |
 | 3.0.6 | 08-09-2025 | Fixed the problem related to the **Workbook** query |