
@fgravato
Contributor

Summary

Updates Lookout solution to v3.0.1 per Microsoft feedback with parser fixes and enhanced dashboards.

Changes Made (Per Microsoft Feedback)

  • ✅ Version retained at 3.0.1 as requested
  • ✅ BasePath restored to C:\GitHub\Azure-Sentinel\Solutions\Lookout
  • ✅ KQL validation fixed: Added complete LookoutMtdV2_CL.json schema with all raw field names
  • ✅ ARM-TTK workbook issue fixed: Added missing workbooks to Solution_Lookout.json
  • ✅ Solution repackaged: 3.0.1.zip updated
  • ✅ Screenshots provided: Data connector running with 189 events ingested (see DEPLOYMENT_EVIDENCE.md)

Technical Changes

  • Fixed parser to properly handle device and app threat fields
  • Added comprehensive dashboard for detailed security monitoring
  • Added executive dashboard for high-level overview
  • Updated 4 new V2 analytic rules with proper MITRE mappings (version 2.0.3)
  • Updated legacy rule version to 1.0.1
  • Enhanced data connector configuration

Testing

  • ✅ KQL validation: All queries use LookoutEvents parser
  • ✅ Schema validation: Complete LookoutMtdV2_CL.json with dynamic nested objects
  • ✅ Connector IDs: All use valid LookoutAPI connector ID
  • ✅ Structure validation: All analytic rules have required fields
  • ✅ Deployment: Connector running successfully

Files Changed

93 files (ONLY Lookout solution - no other solutions affected)

Related

  • Addresses all feedback from previous PR discussions
  • Clean branch from upstream/master
  • No merge conflicts

@fgravato fgravato requested review from a team as code owners November 17, 2025 17:09
@fgravato
Contributor Author

@v-shukore please let me know if anything else is missing?

@v-shukore v-shukore self-assigned this Nov 18, 2025
@v-shukore v-shukore added the Solution Solution specialty review needed label Nov 18, 2025
fgravato and others added 5 commits November 18, 2025 09:02
…finition

- Added workbook2-name and workbook3-name to createUiDefinition.json outputs
- Fixed ARM-TTK error: Parameters Without Default Must Exist In CreateUIDefinition
- Updated Package/3.0.1.zip with the fix
- Local ARM-TTK validation now passes all tests

Amp-Thread-ID: https://ampcode.com/threads/T-51341ae4-51d0-4987-a64d-ffe634f19ba5
Co-authored-by: Amp <[email protected]>
- Added all v2 API fields to LookoutEvents.json schema
- Includes EventType, ThreatSeverity, DeviceGuid, and other v2 fields
- Schema now matches parser output and analytic rule requirements
- Fixes KQL validation errors for Lookout analytic rules

Amp-Thread-ID: https://ampcode.com/threads/T-51341ae4-51d0-4987-a64d-ffe634f19ba5
Co-authored-by: Amp <[email protected]>
@fgravato
Contributor Author

@v-shukore it's failing on Infoblox, not Lookout

@v-shukore
Contributor

Hi @fgravato, we can ignore this check failure. Thank you!

@fgravato
Contributor Author

@v-shukore - is there anything else that's failing?

@v-shukore
Contributor

Hi @fgravato, to resolve this validation check please update your branch from master and commit. Thanks!!

@v-shukore
Contributor

Hi @fgravato, could you add the workbookmetadata to the workbookmetadata.json file for the newly added workbooks, then repackage the solution and commit the changes? The location is provided below.
https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkbooksMetadata.json
Thanks!

@fgravato fgravato requested a review from a team as a code owner November 21, 2025 15:31
Contributor

Copilot AI left a comment

Pull request overview

This PR updates the Lookout solution to version 3.0.1, addressing Microsoft feedback from a previous PR with parser fixes, enhanced dashboards, and updated analytic rules with comprehensive v2 API field extraction.

  • Parser enhancements to properly handle device and app threat fields with complete field extraction
  • Four new workbooks added: Enhanced Security Dashboard, Executive Dashboard, IOA Investigation Dashboard, and Security Investigation Dashboard
  • Four new V2 analytic rules with proper MITRE ATT&CK mobile tactics mappings (version 2.0.3) plus legacy rule update (1.0.1)

Reviewed changes

Copilot reviewed 69 out of 102 changed files in this pull request and generated 2 comments.

Summary per file:
  • Workbooks/WorkbooksMetadata.json: Adds metadata for 4 new Lookout workbooks with proper data dependencies
  • Solutions/Lookout/validate_fixes.py: New validation script for analytic rules with MITRE mobile technique validation
  • Solutions/Lookout/Workbooks/*.json: Four new comprehensive workbooks for security monitoring and investigation
  • Solutions/Lookout/Validation/*.kql: New KQL validation queries for field coverage and health checks
  • Solutions/Lookout/Validation/*.md: Validation framework and results documentation
  • Solutions/Lookout/Workbooks/Images/: Logo and preview images for workbook visualizations


Comment on lines 53 to 54
if 'V2' in rule_name and conn_id != 'Lookout-Mobile-Threat-Defense':
errors.append(f"V2 rule should use 'Lookout-Mobile-Threat-Defense', found '{conn_id}'")

Copilot AI Dec 1, 2025

Line 53 has a hardcoded connector ID check 'Lookout-Mobile-Threat-Defense' that doesn't match the connector ID mentioned in the PR description. According to the validation report, all rules should use 'LookoutAPI' as the connector ID. This validation script appears to be checking for an incorrect connector ID value.

@@ -0,0 +1,128 @@
#!/usr/bin/env python3

Copilot AI Dec 1, 2025

[nitpick] Missing shebang execute permissions. The file has a shebang (#!/usr/bin/env python3) but should also have execute permissions set. While this doesn't affect functionality when called via python validate_fixes.py, it prevents direct execution as ./validate_fixes.py.

@fgravato
Contributor Author

fgravato commented Dec 1, 2025

@v-shukore I have implemented the suggested changes:
- Updated the connector ID check in Solutions/Lookout/validate_fixes.py to look for LookoutAPI instead of Lookout-Mobile-Threat-Defense.
- Added execute permissions to Solutions/Lookout/validate_fixes.py.

Ready for re-review!
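As an added illustration (not the PR's own validate_fixes.py), here is a small rule checker that applies the corrected connector-ID requirement from the review above together with the rule-version and MITRE-technique checks the PR description lists. The required-field set, the rule dictionary layout and the two sample rules are assumptions made for the example; the connector ID (LookoutAPI) and versions (2.0.3 for V2 rules, 1.0.1 for the legacy rule) are the values stated in this thread.

```python
import re

# Values taken from the PR discussion above: every rule must reference the
# LookoutAPI connector; V2 rules ship at version 2.0.3 and the legacy rule at 1.0.1.
EXPECTED_CONNECTOR_ID = "LookoutAPI"
EXPECTED_VERSION = {"v2": "2.0.3", "legacy": "1.0.1"}
# Assumed minimal set of keys a Sentinel analytic rule YAML must carry.
REQUIRED_FIELDS = ("id", "name", "version", "severity", "query", "requiredDataConnectors")
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")  # technique ids look like T1456 or T1456.001

def validate_rule(rule: dict) -> list:
    """Return the problems found in one rule; an empty list means the rule passes."""
    errors = []
    name = rule.get("name", "<unnamed>")
    for field in REQUIRED_FIELDS:
        if field not in rule:
            errors.append(f"{name}: missing required field '{field}'")
    # The review fix: check the connector id on every rule, not only those named 'V2'.
    for conn in rule.get("requiredDataConnectors", []):
        conn_id = conn.get("connectorId")
        if conn_id != EXPECTED_CONNECTOR_ID:
            errors.append(f"{name}: rule should use '{EXPECTED_CONNECTOR_ID}', found '{conn_id}'")
    expected_version = EXPECTED_VERSION["v2" if "V2" in name else "legacy"]
    if rule.get("version") != expected_version:
        errors.append(f"{name}: expected version {expected_version}, found {rule.get('version')}")
    for tech in rule.get("relevantTechniques", []):
        if not TECHNIQUE_RE.match(tech):
            errors.append(f"{name}: malformed MITRE technique id '{tech}'")
    return errors

def validate_all(rules: list) -> dict:
    """Map each rule name to its error list so a CI step can fail on any non-empty entry."""
    return {r.get("name", "<unnamed>"): validate_rule(r) for r in rules}

# Constructed sample rules (not from the repository): one passes, one carries the pre-review connector id plus three other defects.
SAMPLE_RULES = [
    {"id": "00000000-0000-0000-0000-000000000001", "name": "Lookout V2 - Device Threat",
     "version": "2.0.3", "severity": "High", "query": "LookoutEvents | where EventType == 'THREAT'",
     "requiredDataConnectors": [{"connectorId": "LookoutAPI", "dataTypes": ["LookoutMtdV2_CL"]}],
     "tactics": ["InitialAccess"], "relevantTechniques": ["T1456"]},
    {"id": "00000000-0000-0000-0000-000000000002", "name": "Lookout Legacy - Threat Event",
     "version": "1.0.0", "query": "LookoutEvents",
     "requiredDataConnectors": [{"connectorId": "Lookout-Mobile-Threat-Defense", "dataTypes": ["Lookout_CL"]}],
     "relevantTechniques": ["TA0001"]},
]

if __name__ == "__main__":
    for rule_name, problems in validate_all(SAMPLE_RULES).items():
        print(rule_name, "OK" if not problems else problems)
```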

v-shukore
v-shukore previously approved these changes Dec 3, 2025
@fgravato
Contributor Author

fgravato commented Dec 4, 2025

Are there any updates on this?

@v-shukore
Contributor

Hi @fgravato,
Could you please clarify the reason for adding multiple .md files and PowerShell scripts to the main solutions folder? Also, I noticed that all the existing ZIP folders were updated. Since you are creating a new package, there's no need to modify the old ZIP files; they should remain unchanged.
Please keep only the 3.0.1 ZIP file in this PR and avoid modifying the previous ZIP files.
Thanks!!

- Reverted changes to old ZIP files (1.1.0, 2.0.0, 3.0.0)
- Removed internal development documentation (.md files)
- Removed test/validation scripts (.py, .kql, .json dev files)
- Keeping only 3.0.1.zip and necessary solution components

Amp-Thread-ID: https://ampcode.com/threads/T-3060f9ae-4478-4c9d-861e-9134570ee4a5
Co-authored-by: Amp <[email protected]>
@fgravato fgravato force-pushed the lookout/v3.0.1-final branch from b649294 to 58cacb3 Compare December 5, 2025 07:06
@fgravato
Contributor Author

fgravato commented Dec 5, 2025

Hi @v-shukore,

Thank you for the feedback! I've cleaned up the PR:

Changes made:

  • ✅ Reverted old ZIP files (1.1.0, 2.0.0, 3.0.0) to their original state - only 3.0.1.zip is now added
  • ✅ Removed all development/documentation .md files from the main solutions folder
  • ✅ Removed internal test files (.py, .kql, dev dashboard .json files)

Reason for the extra files: These were internal development artifacts (validation scripts, deployment guides, test data) that I used during development and testing. They were accidentally included in the PR and should not have been committed to the repository. I apologize for the oversight.

The PR now contains only the necessary solution components for the 3.0.1 release.

@v-shukore
Contributor

Hi @fgravato, thank you for your update.
For this PR, please retain only the 3.0.1 ZIP file and uncommit any changes related to the previous ZIP version. Only the new release should be included here. Also, one validation is failing; kindly check it.

@fgravato
Contributor Author

fgravato commented Dec 5, 2025

Hi @v-shukore,

Thank you for the follow-up!

Changes made:

  • ✅ Old ZIP files (1.1.0, 2.0.0, 3.0.0) are now unchanged - only 3.0.1.zip is added
  • ✅ Fixed the documentation link locale validation - removed en-us locale from the Azure CLI install URL in install-lookout-mrav2.sh

The validation should pass now. Please let me know if anything else needs to be addressed.

@v-shukore
Contributor

Hi @fgravato, as we have seen, the old packages are still appearing in this PR. Please remove those old packages from the PR; we only want the latest createui, maintemplate, and the latest zip included in the package folder for this PR. Also, instead of deleting the old files, just uncommit those changes.
Thanks!!

@fgravato
Contributor Author

fgravato commented Dec 8, 2025

@v-shukore Thank you for the feedback!

I've reviewed the Package folder and confirmed that only the latest files are included in this PR:

  • 3.0.1.zip (latest version)
  • createUiDefinition.json
  • mainTemplate.json
  • testParameters.json

The old packages (1.1.0.zip, 2.0.0.zip, 3.0.0.zip) exist in the repository from previous versions but have no modifications in this PR—they are unchanged.

Please continue with the review when ready. Thanks!

@fgravato
Contributor Author

@v-shukore anything else?

@fgravato
Contributor Author

"no space left on device": that's on the pipeline end, @v-shukore

@v-shukore
Contributor

Hi @fgravato, we are working to resolve this issue and will merge the PR by tomorrow once it's done. Thanks!!

@v-shukore
Contributor

v-shukore commented Dec 12, 2025

Hi @fgravato, we checked the URLs below, which are present in the createui file, and they are not working on our end and show the error mentioned. If these URLs are working for you, could you please share a screenshot for reference? Otherwise, please replace them.

https://enterprise.support.lookout.com/hc/articles/115002741773-Mobile-Risk-API-Guide#commoneventfields

https://enterprise.support.lookout.com/hc/articles/115002741773-Mobile-Risk-API-Guide

Additionally, we would like to confirm whether the Note and Important sections should remain in the createui file.

Thanks!

- Removed enterprise.support.lookout.com links (require customer login)
- Replaced with public URL: https://www.lookout.com/products/mobile-endpoint-security
- Note and Important sections retained for Microsoft connector guidance

Amp-Thread-ID: https://ampcode.com/threads/T-019b1406-f9cc-740b-9fe7-8bc98183778a
Co-authored-by: Amp <[email protected]>
@fgravato
Contributor Author

Hi @v-shukore,

Thank you for the feedback.

Regarding the broken URLs: The enterprise.support.lookout.com links were pointing to our customer support portal which is gated and requires authentication (only available to Lookout customers at https://esupport.lookout.com/s/login/). I've updated the createUiDefinition.json to replace those links with our public product page: https://www.lookout.com/products/mobile-endpoint-security

Regarding the Note and Important sections: Yes, these sections should remain in the createUiDefinition file. They contain important Microsoft-standard guidance:

  • NOTE: Recommends the CCF-based connector and explains it uses the Log Ingestion API (replacing the deprecated HTTP Data Collector API)
  • Important: Warns customers about potential data duplication if running both legacy and new connectors together

These warnings help customers deploy the solution correctly and are aligned with Microsoft's connector migration guidance.

Please let me know if you need any additional changes.

@v-atulyadav v-atulyadav merged commit c0d66e7 into Azure:master Dec 15, 2025
36 checks passed