
@fgravato
Contributor

Summary

This PR updates the Lookout solution to version 3.0.2 with parser fixes and enhanced dashboards.

Changes

  • Fixed parser to properly handle device and app threat fields (DeviceThreat, AppThreat, AppName, AppVersion)
  • Added LookoutSecurityInvestigationDashboard for comprehensive security monitoring
  • Added LookoutExecutiveDashboard for high-level overview
  • Updated analytic rules with proper MITRE ATT&CK mappings (removed invalid T1444)
  • Enhanced data connector configuration with improved field mappings
  • Added new analytic rules: LookoutThreatEventV2, LookoutDeviceComplianceV2, LookoutSmishingAlertV2, LookoutAuditEventV2
  • Added advanced threat hunting query
  • Updated solution to version 3.0.2

Reason for Changes

  • Parser was not correctly handling critical threat fields from Lookout Mobile Risk API
  • Customers needed better visualization and monitoring dashboards
  • Previous analytic rules had validation errors (invalid MITRE technique T1444)
  • Resolves Microsoft feedback on PR Lookout/v3.0.1 parser fixes and dashboards #13070 (merge conflict issue)

Version Updated

  • Yes
  • Version updated from 3.0.0 to 3.0.2
  • All analytic rules have version field updated
  • ReleaseNotes.md updated with version 3.0.2 entry

Testing Completed

  • Yes
  • Parser tested with sample Lookout event data
  • Dashboards validated in test Microsoft Sentinel workspace
  • All analytic rules syntax validated
  • KQL validation checks passed locally
  • CI/CD validation pipeline checks passing

Related

  • Fixed parser to properly handle device and app threat fields
  • Added comprehensive dashboard for detailed security monitoring
  • Added executive dashboard for high-level overview
  • Updated analytic rules with proper MITRE mappings
  • Enhanced data connector configuration
  • Updated to version 3.0.2
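To make the parser change and the later "use the LookoutEvents parser instead of the raw table" fix concrete, here is an added illustration of the shape such a Sentinel parser function and a dependent analytic query take. It is not the PR's own code. The raw column names (`device_threat_s`, `app_threat_s`, `app_name_s`, `app_version_s`) are assumed placeholders; only `LookoutMtdV2_CL`, `LookoutEvents` and the four normalized field names come from the PR description.

```kql
// Saved as the Sentinel function "LookoutEvents" (parser).
// Assumed raw column names below are placeholders, not Lookout's real schema.
// column_ifexists() keeps the parser from failing on ingests that lack a field,
// which is the kind of schema-validation problem a missing column causes.
LookoutMtdV2_CL
| extend
    DeviceThreat = tostring(column_ifexists("device_threat_s", "")),
    AppThreat    = tostring(column_ifexists("app_threat_s", "")),
    AppName      = tostring(column_ifexists("app_name_s", "")),
    AppVersion   = tostring(column_ifexists("app_version_s", ""))
| project TimeGenerated, DeviceThreat, AppThreat, AppName, AppVersion

// Separate saved query: an analytic rule body that depends on the parser
// rather than on LookoutMtdV2_CL directly, so the rule survives raw-column
// renames and passes KQL validation against the parser's declared output.
LookoutEvents
| where isnotempty(AppThreat) or isnotempty(DeviceThreat)
| summarize ThreatCount = count(), Apps = make_set(AppName, 20)
    by bin(TimeGenerated, 1h), DeviceThreat, AppThreat
| where ThreatCount > 0
```

The two queries are separate saved objects in a solution package (a parser function and an analytic rule); they are shown together only to make the dependency between them visible.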
@fgravato fgravato requested review from a team as code owners November 12, 2025 17:39
@fgravato
Contributor Author

@v-shukore - new one

@v-shukore v-shukore self-assigned this Nov 13, 2025
@v-shukore v-shukore added the Solution Solution specialty review needed label Nov 13, 2025
@fgravato
Contributor Author

@v-shukore any updates

@v-shukore
Contributor

Hi @fgravato,
Could you please resolve the arm-ttk validation failures.
Also, resolve the KQL validation failures.
Also, make sure to update the version of the analytic rule.
Thanks!!

@fgravato
Contributor Author

@v-shukore
Summary of all fixes applied:

✅ Connector IDs - Changed from Lookout-Mobile-Threat-Defense to LookoutAPI
✅ Parser duplicate columns - Removed duplicate Target* fields
✅ Hunting query structure - Fixed to use a single query field
✅ Table schema - Added LookoutMtdV2_CL.json for validation
✅ KQL queries - Changed from raw LookoutMtdV2_CL table to LookoutEvents parser
✅ Analytic rule versions - Updated all V2 rules to 2.0.3, v1 rule to 1.0.1
✅ Package file - Regenerated 3.0.2.zip with current templates

@v-shukore
Contributor

Hi @fgravato,
Please retain version 3.0.1 and keep the older base location in the data file.
KQL validation is failing - kindly add the required columns or tables wherever needed.
ARM-TTK validation is failing due to an invalid workbook name - please update it.
Once these issues are resolved, repackage and commit the changes.
Additionally, provide screenshots of the running data connector and parser for reference.
Thanks!!

@fgravato fgravato closed this Nov 17, 2025
@fgravato fgravato deleted the lookout/v3.0.2-final branch November 17, 2025 13:54