Azure · jlheard · Feb 5, 2026 · Jan 22, 2026 · Jan 30, 2026 · Jan 30, 2026
@@ -37,7 +37,7 @@
 		"Analytic Rules/CiscoDuoUnexpectedAuthFactor.yaml"
 	],
 	"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CiscoDuoSecurity",
-	"Version": "3.0.4",
+	"Version": "3.0.5",
 	"Metadata": "SolutionMetadata.json",
 	"TemplateSpec": true,
 	"Is1Pconnector": false

diff --git a/Solutions/CiscoDuoSecurity/Package/3.0.5.zip b/Solutions/CiscoDuoSecurity/Package/3.0.5.zip
@@ -458,7 +458,7 @@
       }
     ],
     "outputs": {
-      "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+      "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (item) => equals(item.name, basics('workspace'))), (item) => item.location))]",
       "location": "[location()]",
       "workspace": "[basics('workspace')]"
     }

@@ -8,7 +8,6 @@
   "parameters": {
     "location": {
       "type": "string",
-      "minLength": 1,
       "defaultValue": "[resourceGroup().location]",
       "metadata": {
         "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`.  We instead use the `workspace-location` which is derived from the LA workspace"
@@ -41,7 +40,7 @@
     "email": "support@duosecurity.com",
     "_email": "[variables('email')]",
     "_solutionName": "CiscoDuoSecurity",
-    "_solutionVersion": "3.0.4",
+    "_solutionVersion": "3.0.5",
     "solutionId": "cisco.duo-security-sentinel",
     "_solutionId": "[variables('solutionId')]",
     "workbookVersion1": "1.0.0",
@@ -199,7 +198,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuo Workbook with template version 3.0.4",
+        "description": "CiscoDuo Workbook with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('workbookVersion1')]",
@@ -287,7 +286,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuo Data Parser with template version 3.0.4",
+        "description": "CiscoDuo Data Parser with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -419,7 +418,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoAdmin2FAFailure_HuntingQueries Hunting Query with template version 3.0.4",
+        "description": "CiscoDuoAdmin2FAFailure_HuntingQueries Hunting Query with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -504,7 +503,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoAdminDeleteActions_HuntingQueries Hunting Query with template version 3.0.4",
+        "description": "CiscoDuoAdminDeleteActions_HuntingQueries Hunting Query with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -589,7 +588,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoAdminFailure_HuntingQueries Hunting Query with template version 3.0.4",
+        "description": "CiscoDuoAdminFailure_HuntingQueries Hunting Query with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -674,7 +673,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoAuthenticationErrorEvents_HuntingQueries Hunting Query with template version 3.0.4",
+        "description": "CiscoDuoAuthenticationErrorEvents_HuntingQueries Hunting Query with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -759,7 +758,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoAuthenticationErrorReasons_HuntingQueries Hunting Query with template version 3.0.4",
+        "description": "CiscoDuoAuthenticationErrorReasons_HuntingQueries Hunting Query with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -844,7 +843,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoDeletedUsers_HuntingQueries Hunting Query with template version 3.0.4",
+        "description": "CiscoDuoDeletedUsers_HuntingQueries Hunting Query with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -929,7 +928,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoFraudAuthentication_HuntingQueries Hunting Query with template version 3.0.4",
+        "description": "CiscoDuoFraudAuthentication_HuntingQueries Hunting Query with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -1014,7 +1013,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoNewUsers_HuntingQueries Hunting Query with template version 3.0.4",
+        "description": "CiscoDuoNewUsers_HuntingQueries Hunting Query with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -1099,7 +1098,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoUnpachedAccessDevices_HuntingQueries Hunting Query with template version 3.0.4",
+        "description": "CiscoDuoUnpachedAccessDevices_HuntingQueries Hunting Query with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -1184,7 +1183,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoUnsecuredDevices_HuntingQueries Hunting Query with template version 3.0.4",
+        "description": "CiscoDuoUnsecuredDevices_HuntingQueries Hunting Query with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -1269,7 +1268,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoSecurity data connector with template version 3.0.4",
+        "description": "CiscoDuoSecurity data connector with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -1642,7 +1641,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoADSyncFailed_AnalyticalRules Analytics Rule with template version 3.0.4",
+        "description": "CiscoDuoADSyncFailed_AnalyticalRules Analytics Rule with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -1746,7 +1745,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoAdminDeleted_AnalyticalRules Analytics Rule with template version 3.0.4",
+        "description": "CiscoDuoAdminDeleted_AnalyticalRules Analytics Rule with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -1850,7 +1849,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoAdminMFAFailures_AnalyticalRules Analytics Rule with template version 3.0.4",
+        "description": "CiscoDuoAdminMFAFailures_AnalyticalRules Analytics Rule with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -1954,7 +1953,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoAdminPasswordReset_AnalyticalRules Analytics Rule with template version 3.0.4",
+        "description": "CiscoDuoAdminPasswordReset_AnalyticalRules Analytics Rule with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -2058,7 +2057,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoMultipleUserLoginFailures_AnalyticalRules Analytics Rule with template version 3.0.4",
+        "description": "CiscoDuoMultipleUserLoginFailures_AnalyticalRules Analytics Rule with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -2162,7 +2161,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoMultipleUsersDeleted_AnalyticalRules Analytics Rule with template version 3.0.4",
+        "description": "CiscoDuoMultipleUsersDeleted_AnalyticalRules Analytics Rule with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -2266,7 +2265,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoNewAccessDevice_AnalyticalRules Analytics Rule with template version 3.0.4",
+        "description": "CiscoDuoNewAccessDevice_AnalyticalRules Analytics Rule with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -2379,7 +2378,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoNewAdmin_AnalyticalRules Analytics Rule with template version 3.0.4",
+        "description": "CiscoDuoNewAdmin_AnalyticalRules Analytics Rule with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -2484,7 +2483,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoNewAuthDeviceLocation_AnalyticalRules Analytics Rule with template version 3.0.4",
+        "description": "CiscoDuoNewAuthDeviceLocation_AnalyticalRules Analytics Rule with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -2597,7 +2596,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CiscoDuoUnexpectedAuthFactor_AnalyticalRules Analytics Rule with template version 3.0.4",
+        "description": "CiscoDuoUnexpectedAuthFactor_AnalyticalRules Analytics Rule with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
@@ -2706,7 +2705,7 @@
       "apiVersion": "2023-04-01-preview",
       "location": "[parameters('workspace-location')]",
       "properties": {
-        "version": "3.0.4",
+        "version": "3.0.5",
         "kind": "Solution",
         "contentSchemaVersion": "3.0.0",
         "displayName": "CiscoDuoSecurity",

diff --git a/Solutions/CiscoDuoSecurity/Package/testParameters.json b/Solutions/CiscoDuoSecurity/Package/testParameters.json
@@ -1,32 +1,18 @@
 {
-  "location": {
-    "type": "string",
-    "minLength": 1,
-    "defaultValue": "[resourceGroup().location]",
-    "metadata": {
-      "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`.  We instead use the `workspace-location` which is derived from the LA workspace"
-    }
-  },
-  "workspace-location": {
-    "type": "string",
-    "defaultValue": "",
-    "metadata": {
-      "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
-    }
-  },
-  "workspace": {
-    "defaultValue": "",
-    "type": "string",
-    "metadata": {
-      "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
-    }
-  },
-  "workbook1-name": {
-    "type": "string",
-    "defaultValue": "CiscoDuoSecurity",
-    "minLength": 1,
-    "metadata": {
-      "description": "Name for the workbook"
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "location": {
+      "value": ""
+    },
+    "workspace-location": {
+      "value": "eastus"
+    },
+    "workspace": {
+      "value": "SentinelLogAnalytics"
+    },
+    "workbook1-name": {
+      "value": "CiscoDuoSecurity"
     }
   }
 }
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                     |
 |-------------|--------------------------------|--------------------------------------------------------|
+|  3.0.5      |  30-01-2026                    | Fixed solution installation via Azure portal by deriving deployment **location** from selected workspace (prevents empty location). |
 |  3.0.4      |  26-09-2025                    | Updated support **Microsoft** to **Partner**                   |
 |  3.0.3      |  02-09-2025                    | Added support for new log endpoints                   |
 |  3.0.2      |  16-04-2024                    | Added Deploy to Azure Goverment button for Government portal in **Dataconnector**<br/> Fixed **Parser** issue for Parser name and ParentID mismatch |