diff --git a/Solutions/CiscoDuoSecurity/Data Connectors/host.json b/Solutions/CiscoDuoSecurity/Data Connectors/host.json
index 1531bf9b495..b7a426af232 100644
--- a/Solutions/CiscoDuoSecurity/Data Connectors/host.json
+++ b/Solutions/CiscoDuoSecurity/Data Connectors/host.json
@@ -11,6 +11,6 @@
},
"extensionBundle": {
"id": "Microsoft.Azure.Functions.ExtensionBundle",
- "version": "[3.*, 4.0.0)"
+ "version": "[4.0.0, 5.0.0)"
}
}
diff --git a/Solutions/CiscoDuoSecurity/Data/Solution_CiscoDuoSecurity.json b/Solutions/CiscoDuoSecurity/Data/Solution_CiscoDuoSecurity.json
index f3683f60acb..ff8d150ba6d 100644
--- a/Solutions/CiscoDuoSecurity/Data/Solution_CiscoDuoSecurity.json
+++ b/Solutions/CiscoDuoSecurity/Data/Solution_CiscoDuoSecurity.json
@@ -1,8 +1,8 @@
{
"Name": "CiscoDuoSecurity",
- "Author": "Microsoft - support@microsoft.com",
+ "Author": "CiscoDuoSecurity - support@duosecurity.com",
"Logo": "",
- "Description": "The [Cisco Duo Security](https://duo.com/) solution allows you to ingest [authentication logs](https://duo.com/docs/adminapi#authentication-logs), [administrator logs](https://duo.com/docs/adminapi#administrator-logs), [telephony logs](https://duo.com/docs/adminapi#telephony-logs), [offline enrolment logs](https://duo.com/docs/adminapi#offline-enrollment-logs) and [Trust Monitor events](https://duo.com/docs/adminapi#trust-monitor) into Microsoft Sentinel using the Cisco Duo Admin API. Refer to [API documentation](https://duo.com/docs/adminapi) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n \r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\n",
+ "Description": "The [Cisco Duo Security](https://duo.com/) solution allows you to ingest [authentication logs](https://duo.com/docs/adminapi#authentication-logs), [activity logs](https://duo.com/docs/adminapi#activity-logs), [administrator logs](https://duo.com/docs/adminapi#administrator-logs), [telephony logs](https://duo.com/docs/adminapi#telephony-logs), [offline enrolment logs](https://duo.com/docs/adminapi#offline-enrollment-logs) and [Trust Monitor events](https://duo.com/docs/adminapi#trust-monitor) into Microsoft Sentinel using the Cisco Duo Admin API. Refer to [API documentation](https://duo.com/docs/adminapi) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n \r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\n",
"Workbooks": [
"Workbooks/CiscoDuo.json"
],
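Review bot: The rewritten Description on the `+` line now advertises ingestion of Duo activity logs, but no hunk in this diff touches the connector's function code or the `CiscoDuo` parser's field list, so whether the function actually polls the activity-log endpoint and whether the parser maps its fields cannot be confirmed from here; worth verifying before 3.1.0 is published. Two nits on the same line: "offline enrolment logs" uses a spelling that differs from the `#offline-enrollment-logs` anchor it links to, and the paragraph breaks mix `\r\n` with bare `\n` (`\r\n\n a.`), which renders inconsistently as Markdown. The identical text is duplicated in the createUiDefinition.json basics.description hunk, so both copies need the same correction (or that file should be regenerated from this one).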
@@ -37,7 +37,7 @@
"Analytic Rules/CiscoDuoUnexpectedAuthFactor.yaml"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CiscoDuoSecurity",
- "Version": "3.0.4",
+ "Version": "3.1.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
diff --git a/Solutions/CiscoDuoSecurity/Package/3.1.0.zip b/Solutions/CiscoDuoSecurity/Package/3.1.0.zip
new file mode 100644
index 00000000000..fb306e337da
Binary files /dev/null and b/Solutions/CiscoDuoSecurity/Package/3.1.0.zip differ
diff --git a/Solutions/CiscoDuoSecurity/Package/createUiDefinition.json b/Solutions/CiscoDuoSecurity/Package/createUiDefinition.json
index 97ff2aa63bb..b98e545ef1e 100644
--- a/Solutions/CiscoDuoSecurity/Package/createUiDefinition.json
+++ b/Solutions/CiscoDuoSecurity/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CiscoDuoSecurity/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Cisco Duo Security](https://duo.com/) solution allows you to ingest [authentication logs](https://duo.com/docs/adminapi#authentication-logs), [administrator logs](https://duo.com/docs/adminapi#administrator-logs), [telephony logs](https://duo.com/docs/adminapi#telephony-logs), [offline enrolment logs](https://duo.com/docs/adminapi#offline-enrollment-logs) and [Trust Monitor events](https://duo.com/docs/adminapi#trust-monitor) into Microsoft Sentinel using the Cisco Duo Admin API. Refer to [API documentation](https://duo.com/docs/adminapi) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n \r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CiscoDuoSecurity/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Cisco Duo Security](https://duo.com/) solution allows you to ingest [authentication logs](https://duo.com/docs/adminapi#authentication-logs), [activity logs](https://duo.com/docs/adminapi#activity-logs), [administrator logs](https://duo.com/docs/adminapi#administrator-logs), [telephony logs](https://duo.com/docs/adminapi#telephony-logs), [offline enrolment logs](https://duo.com/docs/adminapi#offline-enrollment-logs) and [Trust Monitor events](https://duo.com/docs/adminapi#trust-monitor) into Microsoft Sentinel using the Cisco Duo Admin API. Refer to [API documentation](https://duo.com/docs/adminapi) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n \r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -71,7 +71,7 @@
}
},
{
- "name": "dataconnectors-link2",
+ "name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
diff --git a/Solutions/CiscoDuoSecurity/Package/mainTemplate.json b/Solutions/CiscoDuoSecurity/Package/mainTemplate.json
index 702963d2eeb..f0142f779fa 100644
--- a/Solutions/CiscoDuoSecurity/Package/mainTemplate.json
+++ b/Solutions/CiscoDuoSecurity/Package/mainTemplate.json
@@ -2,7 +2,7 @@
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
- "author": "Cisco - support@duosecurity.com",
+ "author": "CiscoDuoSecurity - support@duosecurity.com",
"comments": "Solution template for CiscoDuoSecurity"
},
"parameters": {
@@ -41,7 +41,7 @@
"email": "support@duosecurity.com",
"_email": "[variables('email')]",
"_solutionName": "CiscoDuoSecurity",
- "_solutionVersion": "3.0.4",
+ "_solutionVersion": "3.1.0",
"solutionId": "cisco.duo-security-sentinel",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "1.0.0",
@@ -52,8 +52,8 @@
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
"parserObject1": {
- "_parserName1": "[concat(parameters('workspace'),'/','CiscoDuoSecurity Data Parser')]",
- "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoDuoSecurity Data Parser')]",
+ "_parserName1": "[concat(parameters('workspace'),'/','CiscoDuo')]",
+ "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoDuo')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('CiscoDuo-Parser')))]",
"parserVersion1": "1.0.0",
"parserContentId1": "CiscoDuo-Parser"
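Review bot: Changing the savedSearches resource name from `CiscoDuoSecurity Data Parser` to `CiscoDuo` in `_parserName1` and `_parserId1` changes the ARM identity of the parser, so a workspace upgraded from 3.0.4 is not updated in place: the old saved search is left behind and a second one is deployed with the same `functionAlias` (`CiscoDuo`, visible in the parser hunks further down). If Log Analytics rejects a second saved search for an alias that is already taken, the upgrade will fail on those workspaces; if it accepts it, two parser definitions will compete for the alias and the stale one may keep serving queries. Either keep the original resource name and change only `displayName`, or state in the release notes that the previous `CiscoDuoSecurity Data Parser` saved search must be deleted before upgrading. The same rename is repeated in the `parentId` hunk of the parser metadata resource.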
@@ -199,7 +199,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuo Workbook with template version 3.0.4",
+ "description": "CiscoDuo Workbook with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -217,7 +217,7 @@
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **CiscoDuo** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-ciscoduo-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoDuo\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"color\":\"greenDark\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"40\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoDuo\\n| summarize count() by SrcGeoCountry\",\"size\":0,\"title\":\"Countries summary\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 
11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tot_dvc = CiscoDuo\\r\\n| summarize e_count=dcount(SrcHostname)\\r\\n| extend Title='Authentication Devices';\\r\\nlet tot_usr = CiscoDuo\\r\\n| where EventType =~ 'authentication'\\r\\n| where EventResult =~ 'success'\\r\\n| summarize e_count=dcount(DstUserName)\\r\\n| extend Title='Total Users';\\r\\nlet tot_adm = CiscoDuo\\r\\n| where EventType =~ 'administrator'\\r\\n| summarize e_count=dcount(DstUserName)\\r\\n| extend Title='Admin users';\\r\\nunion isfuzzy=true tot_dvc, tot_usr, tot_adm\\r\\n| order by e_count\",\"size\":3,\"title\":\"Summary\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"e_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoDuo\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize count() by SrcIpAddr\",\"size\":3,\"title\":\"Source Addresses\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoDuo\\r\\n| where isnotempty(DstUserName)\\r\\n| summarize count() by DstUserName\\r\\n| top 
10 by count_\",\"size\":3,\"title\":\"Top Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"customWidth\":\"33\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoDuo\\n| where EventType =~ 'authentication'\\n| where EventResult =~ 'success'\\n| summarize e_count = count() by SrcDvcOs\\n| project-rename DeviceOS=SrcDvcOs\",\"size\":0,\"title\":\"Device OS Types\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"User\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalMailsReceived\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"30\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoDuo\\r\\n| where DvcAction in~ ('admin_login', 'admin_login_error')\\r\\n| project TimeGenerated, DstUserName, Result=strcat(iff(DvcAction =~ 'admin_login_error', '❌', '✅'))\\r\\n\",\"size\":3,\"title\":\"Admin login status\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"34\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoDuo\\r\\n| where 
EventType =~ 'authentication'\\r\\n| project TimeGenerated, DstUserName, Result=strcat(iff(EventResult =~ 'success', '✅', '❌'))\",\"size\":0,\"title\":\"User authentication status\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":50,\"filter\":true}},\"customWidth\":\"40\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"33\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoDuo\\n| where DvcAction =~ 'user_create'\\n| project SrcUserName\",\"size\":0,\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Title\"},\"subtitleContent\":{\"columnMatch\":\"SrcIpAddr\",\"formatter\":12,\"formatOptions\":{\"palette\":\"purpleDark\"}},\"showBorder\":false,\"rowLimit\":25},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"15\",\"name\":\"query - 10\"}],\"fromTemplateId\":\"sentinel-CiscoDuoWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **CiscoDuo** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-ciscoduo-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoDuo\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"color\":\"greenDark\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"40\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoDuo\\n| summarize count() by SrcGeoCountry\",\"size\":0,\"title\":\"Countries summary\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 
11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tot_dvc = CiscoDuo\\r\\n| summarize e_count=dcount(SrcHostname)\\r\\n| extend Title='Authentication Devices';\\r\\nlet tot_usr = CiscoDuo\\r\\n| where EventType =~ 'authentication'\\r\\n| where EventResult =~ 'success'\\r\\n| summarize e_count=dcount(DstUserName)\\r\\n| extend Title='Total Users';\\r\\nlet tot_adm = CiscoDuo\\r\\n| where EventType =~ 'administrator'\\r\\n| summarize e_count=dcount(DstUserName)\\r\\n| extend Title='Admin users';\\r\\nunion isfuzzy=true tot_dvc, tot_usr, tot_adm\\r\\n| order by e_count\",\"size\":3,\"title\":\"Summary\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"e_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoDuo\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize count() by SrcIpAddr\",\"size\":3,\"title\":\"Source Addresses\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoDuo\\r\\n| where isnotempty(DstUserName)\\r\\n| summarize count() by DstUserName\\r\\n| top 
10 by count_\",\"size\":3,\"title\":\"Top Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"customWidth\":\"33\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoDuo\\n| where EventType =~ 'authentication'\\n| where EventResult =~ 'success'\\n| summarize e_count = count() by SrcDvcOs\\n| project-rename DeviceOS=SrcDvcOs\",\"size\":0,\"title\":\"Device OS Types\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"User\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalMailsReceived\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"30\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoDuo\\r\\n| where DvcAction in~ ('admin_login', 'admin_login_error')\\r\\n| project TimeGenerated, DstUserName, Result=strcat(iff(DvcAction =~ 'admin_login_error', '❌', '✅'))\\r\\n\",\"size\":3,\"title\":\"Admin login status\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"34\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoDuo\\r\\n| where 
EventType =~ 'authentication'\\r\\n| project TimeGenerated, DstUserName, Result=strcat(iff(EventResult =~ 'success', '✅', '❌'))\",\"size\":0,\"title\":\"User authentication status\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":50,\"filter\":true}},\"customWidth\":\"40\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"33\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoDuo\\n| where DvcAction =~ 'user_create'\\n| project SrcUserName\",\"size\":0,\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Title\"},\"subtitleContent\":{\"columnMatch\":\"SrcIpAddr\",\"formatter\":12,\"formatOptions\":{\"palette\":\"purpleDark\"}},\"showBorder\":false,\"rowLimit\":25},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"15\",\"name\":\"query - 10\"}],\"fromTemplateId\":\"sentinel-CiscoDuoWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
@@ -239,7 +239,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -287,7 +287,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuo Data Parser with template version 3.0.4",
+ "description": "CiscoDuo Data Parser with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -301,7 +301,7 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
- "displayName": "CiscoDuoSecurity Data Parser",
+ "displayName": "Parser for CiscoDuo",
"category": "Microsoft Sentinel Parser",
"functionAlias": "CiscoDuo",
"query": "CiscoDuo_CL\n| extend EventVendor = 'Cisco'\n| extend EventProduct = 'Duo Security'\n| extend parse_json(description_s)\n| extend SrcDvcType=description_s['device'],\n SrcIpAddr=iff(isnotempty(description_s), description_s['ip_address'], access_device_ip_s),\n DstUserName=iff(isnotempty(username_s), username_s, user_name_s),\n SrcUserName=object_s,\n EventType=iff(isnotempty(eventtype_s), eventtype_s, event_type_s),\n EventEndTime=unixtime_seconds_todatetime(tolong(timestamp_d)),\n HttpUserAgentOriginal = description_s['user_agent']\n| extend AccessDvcSecurityAgents=column_ifexists( \"access_device_security_agents_s\" , \"\")\n\t , TrustedEndpointStatus=column_ifexists( \"trusted_endpoint_status_s\", \"\")\n\t , SurfacedAuthAccessDeviceSecurityAgents=column_ifexists( \"surfaced_auth_access_device_security_agents_s\", \"\")\n\t , SrcDvcOs=column_ifexists( \"access_device_os_s\", \"\")\n\t , DstGeoRegion=column_ifexists( \"state_s\", \"\")\n\t , AccessDvcBrowser=column_ifexists( \"access_device_browser_s\", \"\")\n\t , AccessDvcBrowserVersion=column_ifexists( \"access_device_browser_version_s\", \"\")\n\t , AccessDvcFlashVersion=column_ifexists( \"access_device_flash_version_s\", \"\")\n\t , AccessDvcEncryptionEnabled=column_ifexists( \"access_device_is_encryption_enabled_s\", \"\")\n\t , AccessDvcFirewallEnabled=column_ifexists( \"access_device_is_firewall_enabled_s\", \"\")\n\t , AccessDvcPasswordSet=column_ifexists( \"access_device_is_password_set_s\", \"\")\n\t , AccessDvcJavaVersion=column_ifexists( \"access_device_java_version_s\", \"\")\n\t , AccessDvcOsVersion=column_ifexists( \"access_device_os_version_s\", \"\")\n\t , Explanations=column_ifexists( \"explanations_s\", \"\")\n\t , FromCommonNetblock=column_ifexists( \"from_common_netblock_b\", \"\")\n\t , FromNewUser=column_ifexists( \"from_new_user_b\", \"\")\n\t , SrcRiskLevel=column_ifexists( \"low_risk_ip_b\", \"\")\n\t , PriorityEvent=column_ifexists( \"priority_event_b\", \"\")\n\t , 
PriorityReasons=column_ifexists( \"priority_reasons_s\", \"\")\n\t , Sekey=column_ifexists( \"sekey_s\", \"\")\n\t , SurfacedAuthAccessDeviceBrowser=column_ifexists( \"surfaced_auth_access_device_browser_s\", \"\")\n\t , SurfacedAuthAccessDeviceBrowserVersion=column_ifexists( \"surfaced_auth_access_device_browser_version_s\", \"\")\n\t , SurfacedAuthAccessDeviceIp=column_ifexists( \"surfaced_auth_access_device_ip_s\", \"\")\n\t , SurfacedAuthAccessDeviceEncryptionEnabled=column_ifexists( \"surfaced_auth_access_device_is_encryption_enabled_s\", \"\")\n\t , SurfacedAuthAccessDeviceFirewallEnabled=column_ifexists( \"surfaced_auth_access_device_is_firewall_enabled_s\", \"\")\n\t , SurfacedAuthAccessDevicePasswordSet=column_ifexists( \"surfaced_auth_access_device_is_password_set_s\", \"\")\n\t , SurfacedAuthAccessDeviceLocationCity=column_ifexists( \"surfaced_auth_access_device_location_city_s\", \"\")\n\t , SurfacedAuthAccessDeviceLocationCountry=column_ifexists( \"surfaced_auth_access_device_location_country_s\", \"\")\n\t , SurfacedAuthAccessDeviceLocationState=column_ifexists( \"surfaced_auth_access_device_location_state_s\", \"\")\n\t , SurfacedAuthAccessDeviceOs=column_ifexists( \"surfaced_auth_access_device_os_s\", \"\")\n\t , SurfacedAuthAccessDeviceOsVersion_s=column_ifexists( \"surfaced_auth_access_device_os_version_s\", \"\")\n\t , SurfacedAuthAlias=column_ifexists( \"surfaced_auth_alias_s\", \"\")\n\t , SurfacedAuthApplicationKey=column_ifexists( \"surfaced_auth_application_key_s\", \"\")\n\t , SurfacedAuthApplicationName=column_ifexists( \"surfaced_auth_application_name_s\", \"\")\n\t , SurfacedAuthEmail=column_ifexists( \"surfaced_auth_email_s\", \"\")\n\t , SurfacedAuthFactor=column_ifexists( \"surfaced_auth_factor_s\", \"\")\n\t , SurfacedAuthIsotimestamp=column_ifexists( \"surfaced_auth_isotimestamp_t\", \"\")\n\t , SurfacedAuthOodSoftware_s=column_ifexists( \"surfaced_auth_ood_software_s\", \"\")\n\t , SurfacedAuthReason=column_ifexists( 
\"surfaced_auth_reason_s\", \"\")\n\t , SurfacedAuthResult=column_ifexists( \"surfaced_auth_result_s\", \"\")\n\t , SurfacedAuthTimestamp=column_ifexists( \"surfaced_auth_timestamp_d\", \"\")\n\t , SurfacedAuthTransactionId=column_ifexists( \"surfaced_auth_txid_g\", \"\")\n\t , SurfacedAuthUserGroups=column_ifexists( \"surfaced_auth_user_groups_s\", \"\")\n\t , SurfacedAuthUserKey=column_ifexists( \"surfaced_auth_user_key_s\", \"\")\n\t , SurfacedAuthUserName=column_ifexists( \"surfaced_auth_user_name_s\", \"\")\n\t , SurfacedTimestamp=column_ifexists( \"surfaced_timestamp_d\", \"\")\n\t , EventUid=column_ifexists( \"triage_event_uri_s\", \"\")\n , context_s=column_ifexists( \"context_s\", \"\")\n , phone_s=column_ifexists( \"phone_s\", \"\")\n , type_s=column_ifexists ( \"type_s\", \"\")\n\t , TriagedAsInteresting=column_ifexists( \"triaged_as_interesting_b\", \"\")\n\t , Credits=column_ifexists( \"credits_d\", \"\")\n| project-rename DvcAction=action_s,\n DvcHostname=host_s,\n SrcGeoCountry=access_device_location_country_s,\n SrcGeoCity=access_device_location_city_s,\n EventResult=result_s,\n EventResultDetails=reason_s,\n AuthDeviceCountry=auth_device_location_country_s,\n AuthFactor=factor_s,\n AccessDvcIpAddr=access_device_ip_s,\n AccessDvcLocationState=access_device_location_state_s,\n Alias=alias_s,\n User=email_s,\n SrcAppId=application_key_s,\n SrcAppName=application_name_s,\n DvcIpAddr=auth_device_ip_s,\n AuthDeviceCity=auth_device_location_city_s,\n AuthDeviceState=auth_device_location_state_s,\n SrcHostname=auth_device_name_s,\n TransactionId=txid_g,\n UserGroups=user_groups_s,\n SrcUserId=user_key_s,\n Context=context_s,\n IsoTimestamp=isotimestamp_t,\n Phone=phone_s,\n SrcDomainType=type_s\n",
@@ -323,7 +323,7 @@
"[variables('parserObject1')._parserId1]"
],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoDuoSecurity Data Parser')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoDuo')]",
"contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
"version": "[variables('parserObject1').parserVersion1]",
@@ -333,7 +333,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
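Review bot: The new `author.name` value "CiscoDuoSecurity" is the solution identifier rather than an organisation, while the same commit sets `support.name` and `publisherDisplayName` to "Cisco Systems" (hunks -399 and -2706), so the three fields now disagree about who the publisher is; `"name": "Cisco Systems",` would make them consistent. This value is presumably generated from the solution's Author metadata, so the change belongs at that source rather than in each repeated author block (hunks -333, -399, -469, -554, -639, -724, -809, -894, -979, -1064, -1149, -1234, -1434, -1479, -1711 onward, and -2724). The enclosing metadata object starts and ends outside this hunk.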
@@ -353,7 +353,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('parserObject1').parserContentId1]",
"contentKind": "Parser",
- "displayName": "CiscoDuoSecurity Data Parser",
+ "displayName": "Parser for CiscoDuo",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
"version": "[variables('parserObject1').parserVersion1]"
@@ -366,7 +366,7 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
- "displayName": "CiscoDuoSecurity Data Parser",
+ "displayName": "Parser for CiscoDuo",
"category": "Microsoft Sentinel Parser",
"functionAlias": "CiscoDuo",
"query": "CiscoDuo_CL\n| extend EventVendor = 'Cisco'\n| extend EventProduct = 'Duo Security'\n| extend parse_json(description_s)\n| extend SrcDvcType=description_s['device'],\n SrcIpAddr=iff(isnotempty(description_s), description_s['ip_address'], access_device_ip_s),\n DstUserName=iff(isnotempty(username_s), username_s, user_name_s),\n SrcUserName=object_s,\n EventType=iff(isnotempty(eventtype_s), eventtype_s, event_type_s),\n EventEndTime=unixtime_seconds_todatetime(tolong(timestamp_d)),\n HttpUserAgentOriginal = description_s['user_agent']\n| extend AccessDvcSecurityAgents=column_ifexists( \"access_device_security_agents_s\" , \"\")\n\t , TrustedEndpointStatus=column_ifexists( \"trusted_endpoint_status_s\", \"\")\n\t , SurfacedAuthAccessDeviceSecurityAgents=column_ifexists( \"surfaced_auth_access_device_security_agents_s\", \"\")\n\t , SrcDvcOs=column_ifexists( \"access_device_os_s\", \"\")\n\t , DstGeoRegion=column_ifexists( \"state_s\", \"\")\n\t , AccessDvcBrowser=column_ifexists( \"access_device_browser_s\", \"\")\n\t , AccessDvcBrowserVersion=column_ifexists( \"access_device_browser_version_s\", \"\")\n\t , AccessDvcFlashVersion=column_ifexists( \"access_device_flash_version_s\", \"\")\n\t , AccessDvcEncryptionEnabled=column_ifexists( \"access_device_is_encryption_enabled_s\", \"\")\n\t , AccessDvcFirewallEnabled=column_ifexists( \"access_device_is_firewall_enabled_s\", \"\")\n\t , AccessDvcPasswordSet=column_ifexists( \"access_device_is_password_set_s\", \"\")\n\t , AccessDvcJavaVersion=column_ifexists( \"access_device_java_version_s\", \"\")\n\t , AccessDvcOsVersion=column_ifexists( \"access_device_os_version_s\", \"\")\n\t , Explanations=column_ifexists( \"explanations_s\", \"\")\n\t , FromCommonNetblock=column_ifexists( \"from_common_netblock_b\", \"\")\n\t , FromNewUser=column_ifexists( \"from_new_user_b\", \"\")\n\t , SrcRiskLevel=column_ifexists( \"low_risk_ip_b\", \"\")\n\t , PriorityEvent=column_ifexists( \"priority_event_b\", \"\")\n\t , 
PriorityReasons=column_ifexists( \"priority_reasons_s\", \"\")\n\t , Sekey=column_ifexists( \"sekey_s\", \"\")\n\t , SurfacedAuthAccessDeviceBrowser=column_ifexists( \"surfaced_auth_access_device_browser_s\", \"\")\n\t , SurfacedAuthAccessDeviceBrowserVersion=column_ifexists( \"surfaced_auth_access_device_browser_version_s\", \"\")\n\t , SurfacedAuthAccessDeviceIp=column_ifexists( \"surfaced_auth_access_device_ip_s\", \"\")\n\t , SurfacedAuthAccessDeviceEncryptionEnabled=column_ifexists( \"surfaced_auth_access_device_is_encryption_enabled_s\", \"\")\n\t , SurfacedAuthAccessDeviceFirewallEnabled=column_ifexists( \"surfaced_auth_access_device_is_firewall_enabled_s\", \"\")\n\t , SurfacedAuthAccessDevicePasswordSet=column_ifexists( \"surfaced_auth_access_device_is_password_set_s\", \"\")\n\t , SurfacedAuthAccessDeviceLocationCity=column_ifexists( \"surfaced_auth_access_device_location_city_s\", \"\")\n\t , SurfacedAuthAccessDeviceLocationCountry=column_ifexists( \"surfaced_auth_access_device_location_country_s\", \"\")\n\t , SurfacedAuthAccessDeviceLocationState=column_ifexists( \"surfaced_auth_access_device_location_state_s\", \"\")\n\t , SurfacedAuthAccessDeviceOs=column_ifexists( \"surfaced_auth_access_device_os_s\", \"\")\n\t , SurfacedAuthAccessDeviceOsVersion_s=column_ifexists( \"surfaced_auth_access_device_os_version_s\", \"\")\n\t , SurfacedAuthAlias=column_ifexists( \"surfaced_auth_alias_s\", \"\")\n\t , SurfacedAuthApplicationKey=column_ifexists( \"surfaced_auth_application_key_s\", \"\")\n\t , SurfacedAuthApplicationName=column_ifexists( \"surfaced_auth_application_name_s\", \"\")\n\t , SurfacedAuthEmail=column_ifexists( \"surfaced_auth_email_s\", \"\")\n\t , SurfacedAuthFactor=column_ifexists( \"surfaced_auth_factor_s\", \"\")\n\t , SurfacedAuthIsotimestamp=column_ifexists( \"surfaced_auth_isotimestamp_t\", \"\")\n\t , SurfacedAuthOodSoftware_s=column_ifexists( \"surfaced_auth_ood_software_s\", \"\")\n\t , SurfacedAuthReason=column_ifexists( 
\"surfaced_auth_reason_s\", \"\")\n\t , SurfacedAuthResult=column_ifexists( \"surfaced_auth_result_s\", \"\")\n\t , SurfacedAuthTimestamp=column_ifexists( \"surfaced_auth_timestamp_d\", \"\")\n\t , SurfacedAuthTransactionId=column_ifexists( \"surfaced_auth_txid_g\", \"\")\n\t , SurfacedAuthUserGroups=column_ifexists( \"surfaced_auth_user_groups_s\", \"\")\n\t , SurfacedAuthUserKey=column_ifexists( \"surfaced_auth_user_key_s\", \"\")\n\t , SurfacedAuthUserName=column_ifexists( \"surfaced_auth_user_name_s\", \"\")\n\t , SurfacedTimestamp=column_ifexists( \"surfaced_timestamp_d\", \"\")\n\t , EventUid=column_ifexists( \"triage_event_uri_s\", \"\")\n , context_s=column_ifexists( \"context_s\", \"\")\n , phone_s=column_ifexists( \"phone_s\", \"\")\n , type_s=column_ifexists ( \"type_s\", \"\")\n\t , TriagedAsInteresting=column_ifexists( \"triaged_as_interesting_b\", \"\")\n\t , Credits=column_ifexists( \"credits_d\", \"\")\n| project-rename DvcAction=action_s,\n DvcHostname=host_s,\n SrcGeoCountry=access_device_location_country_s,\n SrcGeoCity=access_device_location_city_s,\n EventResult=result_s,\n EventResultDetails=reason_s,\n AuthDeviceCountry=auth_device_location_country_s,\n AuthFactor=factor_s,\n AccessDvcIpAddr=access_device_ip_s,\n AccessDvcLocationState=access_device_location_state_s,\n Alias=alias_s,\n User=email_s,\n SrcAppId=application_key_s,\n SrcAppName=application_name_s,\n DvcIpAddr=auth_device_ip_s,\n AuthDeviceCity=auth_device_location_city_s,\n AuthDeviceState=auth_device_location_state_s,\n SrcHostname=auth_device_name_s,\n TransactionId=txid_g,\n UserGroups=user_groups_s,\n SrcUserId=user_key_s,\n Context=context_s,\n IsoTimestamp=isotimestamp_t,\n Phone=phone_s,\n SrcDomainType=type_s\n",
@@ -389,7 +389,7 @@
"[variables('parserObject1')._parserId1]"
],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoDuoSecurity Data Parser')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoDuo')]",
"contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
"version": "[variables('parserObject1').parserVersion1]",
@@ -399,14 +399,14 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
- "name": "Cisco Systems, Inc.",
+ "name": "Cisco Systems",
"email": "support@duosecurity.com",
"tier": "Partner",
- "link": "https://support.cisco.com"
+ "link": "https://duo.com/support"
}
}
},
@@ -419,7 +419,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoAdmin2FAFailure_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "CiscoDuoAdmin2FAFailure_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -469,7 +469,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -504,7 +504,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoAdminDeleteActions_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "CiscoDuoAdminDeleteActions_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -554,7 +554,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -589,7 +589,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoAdminFailure_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "CiscoDuoAdminFailure_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -639,7 +639,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -674,7 +674,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoAuthenticationErrorEvents_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "CiscoDuoAuthenticationErrorEvents_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -724,7 +724,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -759,7 +759,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoAuthenticationErrorReasons_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "CiscoDuoAuthenticationErrorReasons_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -809,7 +809,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -844,7 +844,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoDeletedUsers_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "CiscoDuoDeletedUsers_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -894,7 +894,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -929,7 +929,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoFraudAuthentication_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "CiscoDuoFraudAuthentication_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -979,7 +979,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -1014,7 +1014,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoNewUsers_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "CiscoDuoNewUsers_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -1064,7 +1064,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -1099,7 +1099,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoUnpachedAccessDevices_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "CiscoDuoUnpachedAccessDevices_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -1149,7 +1149,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -1184,7 +1184,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoUnsecuredDevices_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "CiscoDuoUnsecuredDevices_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -1234,7 +1234,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -1269,7 +1269,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoSecurity data connector with template version 3.0.4",
+ "description": "CiscoDuoSecurity data connector with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -1434,7 +1434,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -1479,14 +1479,14 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
- "name": "Cisco Systems, Inc.",
+ "name": "Cisco Systems",
"email": "support@duosecurity.com",
"tier": "Partner",
- "link": "https://support.cisco.com"
+ "link": "https://duo.com/support"
}
}
},
@@ -1642,7 +1642,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoADSyncFailed_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "CiscoDuoADSyncFailed_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -1670,10 +1670,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "CiscoDuoSecurity",
"dataTypes": [
"CiscoDuo"
- ]
+ ],
+ "connectorId": "CiscoDuoSecurity"
}
],
"tactics": [
@@ -1686,8 +1686,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -1711,7 +1711,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -1746,7 +1746,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoAdminDeleted_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "CiscoDuoAdminDeleted_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -1774,10 +1774,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "CiscoDuoSecurity",
"dataTypes": [
"CiscoDuo"
- ]
+ ],
+ "connectorId": "CiscoDuoSecurity"
}
],
"tactics": [
@@ -1790,8 +1790,8 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
],
"entityType": "Account"
@@ -1815,7 +1815,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -1850,7 +1850,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoAdminMFAFailures_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "CiscoDuoAdminMFAFailures_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -1878,10 +1878,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "CiscoDuoSecurity",
"dataTypes": [
"CiscoDuo"
- ]
+ ],
+ "connectorId": "CiscoDuoSecurity"
}
],
"tactics": [
@@ -1894,8 +1894,8 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
],
"entityType": "Account"
@@ -1919,7 +1919,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -1954,7 +1954,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoAdminPasswordReset_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "CiscoDuoAdminPasswordReset_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -1982,10 +1982,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "CiscoDuoSecurity",
"dataTypes": [
"CiscoDuo"
- ]
+ ],
+ "connectorId": "CiscoDuoSecurity"
}
],
"tactics": [
@@ -1998,8 +1998,8 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
],
"entityType": "Account"
@@ -2023,7 +2023,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -2058,7 +2058,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoMultipleUserLoginFailures_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "CiscoDuoMultipleUserLoginFailures_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -2086,10 +2086,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "CiscoDuoSecurity",
"dataTypes": [
"CiscoDuo"
- ]
+ ],
+ "connectorId": "CiscoDuoSecurity"
}
],
"tactics": [
@@ -2102,8 +2102,8 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
],
"entityType": "Account"
@@ -2127,7 +2127,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -2162,7 +2162,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoMultipleUsersDeleted_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "CiscoDuoMultipleUsersDeleted_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -2190,10 +2190,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "CiscoDuoSecurity",
"dataTypes": [
"CiscoDuo"
- ]
+ ],
+ "connectorId": "CiscoDuoSecurity"
}
],
"tactics": [
@@ -2206,8 +2206,8 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
],
"entityType": "Account"
@@ -2231,7 +2231,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -2266,7 +2266,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoNewAccessDevice_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "CiscoDuoNewAccessDevice_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -2294,10 +2294,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "CiscoDuoSecurity",
"dataTypes": [
"CiscoDuo"
- ]
+ ],
+ "connectorId": "CiscoDuoSecurity"
}
],
"tactics": [
@@ -2310,8 +2310,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -2319,8 +2319,8 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
],
"entityType": "Account"
@@ -2344,7 +2344,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -2379,7 +2379,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoNewAdmin_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "CiscoDuoNewAdmin_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -2407,10 +2407,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "CiscoDuoSecurity",
"dataTypes": [
"CiscoDuo"
- ]
+ ],
+ "connectorId": "CiscoDuoSecurity"
}
],
"tactics": [
@@ -2424,8 +2424,8 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
],
"entityType": "Account"
@@ -2449,7 +2449,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -2484,7 +2484,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoNewAuthDeviceLocation_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "CiscoDuoNewAuthDeviceLocation_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -2512,10 +2512,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "CiscoDuoSecurity",
"dataTypes": [
"CiscoDuo"
- ]
+ ],
+ "connectorId": "CiscoDuoSecurity"
}
],
"tactics": [
@@ -2528,8 +2528,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -2537,8 +2537,8 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
],
"entityType": "Account"
@@ -2562,7 +2562,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -2597,7 +2597,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoDuoUnexpectedAuthFactor_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "CiscoDuoUnexpectedAuthFactor_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
@@ -2625,10 +2625,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "CiscoDuoSecurity",
"dataTypes": [
"CiscoDuo"
- ]
+ ],
+ "connectorId": "CiscoDuoSecurity"
}
],
"tactics": [
@@ -2641,8 +2641,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -2650,8 +2650,8 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
],
"entityType": "Account"
@@ -2675,7 +2675,7 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
@@ -2706,12 +2706,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.4",
+ "version": "3.1.0",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "CiscoDuoSecurity",
- "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Cisco Duo Security solution allows you to ingest authentication logs, administrator logs, telephony logs, offline enrolment logs and Trust Monitor events into Microsoft Sentinel using the Cisco Duo Admin API. Refer to API documentation for more information.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "publisherDisplayName": "Cisco Systems",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Cisco Duo Security solution allows you to ingest authentication logs, activity logs, administrator logs, telephony logs, offline enrolment logs and Trust Monitor events into Microsoft Sentinel using the Cisco Duo Admin API. Refer to API documentation for more information.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -2724,14 +2724,14 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft",
+ "name": "CiscoDuoSecurity",
"email": "[variables('_email')]"
},
"support": {
- "name": "Cisco Systems, Inc.",
+ "name": "Cisco Systems",
"email": "support@duosecurity.com",
"tier": "Partner",
- "link": "https://support.cisco.com"
+ "link": "https://duo.com/support"
},
"dependencies": {
"operator": "AND",
diff --git a/Solutions/CiscoDuoSecurity/ReleaseNotes.md b/Solutions/CiscoDuoSecurity/ReleaseNotes.md
index 2fd0d9fc30a..176103c5c16 100644
--- a/Solutions/CiscoDuoSecurity/ReleaseNotes.md
+++ b/Solutions/CiscoDuoSecurity/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------|
+| 3.1.0 | 03-02-2026 | Python runtime compatibility fix (breaking for connector deployments running on Python 3.11). Fixed solution installation via Azure portal by deriving deployment **location** from selected workspace (prevents empty location). |
| 3.0.4 | 26-09-2025 | Updated support **Microsoft** to **Partner** |
| 3.0.3 | 02-09-2025 | Added support for new log endpoints |
| 3.0.2 | 16-04-2024 | Added Deploy to Azure Goverment button for Government portal in **Dataconnector**