Merge pull request Azure#13148 from fgravato/lookout/v3.0.1-final

Lookout v3.0.1: Parser fixes, comprehensive and executive dashboards

Author: v-atulyadav

.script/tests/KqlvalidationsTests/CustomTables/LookoutEvents.json

@@ -0,0 +1,36 @@
+{
+  "Name": "LookoutMtdV2_CL",
+  "Properties": [
+    {"Name": "TimeGenerated", "Type": "DateTime"},
+    {"Name": "log_type", "Type": "String"},
+    {"Name": "event_type", "Type": "String"},
+    {"Name": "id", "Type": "String"},
+    {"Name": "change_type", "Type": "String"},
+    {"Name": "enterprise_guid", "Type": "String"},
+    {"Name": "threat", "Type": "dynamic"},
+    {"Name": "device", "Type": "dynamic"},
+    {"Name": "actor", "Type": "dynamic"},
+    {"Name": "target", "Type": "dynamic"},
+    {"Name": "audit", "Type": "dynamic"},
+    {"Name": "smishing_alert", "Type": "dynamic"},
+    {"Name": "device_activation_status", "Type": "String"},
+    {"Name": "device_checkin_time", "Type": "DateTime"},
+    {"Name": "device_activated_at", "Type": "DateTime"},
+    {"Name": "device_deactivated_at", "Type": "DateTime"},
+    {"Name": "device_customer_id", "Type": "String"},
+    {"Name": "device_group_guid", "Type": "String"},
+    {"Name": "client_lookout_sdk_version", "Type": "String"},
+    {"Name": "client_ota_version", "Type": "String"},
+    {"Name": "client_package_name", "Type": "String"},
+    {"Name": "client_package_version", "Type": "String"},
+    {"Name": "mdm_connector_id", "Type": "String"},
+    {"Name": "mdm_connector_uuid", "Type": "String"},
+    {"Name": "mdm_external_id", "Type": "String"},
+    {"Name": "device_permissions", "Type": "dynamic"},
+    {"Name": "device_settings", "Type": "dynamic"},
+    {"Name": "device_vulns", "Type": "dynamic"},
+    {"Name": "risky_config", "Type": "dynamic"},
+    {"Name": "audit_attribute_changes", "Type": "dynamic"},
+    {"Name": "smishing_detections", "Type": "dynamic"}
+  ]
+}

.script/tests/KqlvalidationsTests/CustomTables/LookoutMtdV2_CL.json

@@ -0,0 +1,162 @@
+# Lookout Mobile Risk API v2 Architecture Overview
+
+## Current Architecture
+
+```mermaid
+graph TD
+    A[Lookout Mobile Risk API v2] -->|Server-Sent Events| B[Azure Data Collection Endpoint]
+    B --> C[Data Collection Rule - Basic Transform]
+    C --> D[LookoutMtdV2_CL Table - Limited Fields]
+    D --> E[Legacy Parser - Lookout_CL Target]
+    E --> F[Basic Analytics Rules]
+    E --> G[Simple Workbook]
+    
+    style A fill:#e1f5fe
+    style D fill:#fff3e0
+    style E fill:#ffebee
+```
+
+## Enhanced v2 Architecture
+
+```mermaid
+graph TD
+    A[Lookout Mobile Risk API v2] -->|Enhanced Event Stream| B[Azure Data Collection Endpoint]
+    B --> C[Enhanced DCR - Comprehensive Transform]
+    C --> D[Expanded LookoutMtdV2_CL Table]
+    D --> E[Enhanced Parser - v2 Field Support]
+    E --> F[Legacy Analytics Rules - Backward Compatible]
+    E --> G[Enhanced Threat Detection Rules]
+    E --> H[Advanced Workbook Visualizations]
+    E --> I[Hunting Queries - v2 Fields]
+    
+    J[Event Types] --> A
+    J1[DEVICE Events] --> J
+    J2[THREAT Events] --> J
+    J3[AUDIT Events] --> J
+    J4[SMISHING_ALERT Events] --> J
+    
+    K[Enhanced Field Categories] --> D
+    K1[Device Management] --> K
+    K2[Threat Intelligence] --> K
+    K3[Audit Trail] --> K
+    K4[MDM Integration] --> K
+    K5[Client Information] --> K
+    
+    style A fill:#e8f5e8
+    style C fill:#e8f5e8
+    style D fill:#e8f5e8
+    style E fill:#e8f5e8
+    style G fill:#fff3e0
+    style H fill:#fff3e0
+    style I fill:#fff3e0
+```
+
+## Data Flow Enhancement Details
+
+### Phase 1: Infrastructure Enhancement
+```mermaid
+graph LR
+    A[Current 11 Fields] --> B[Enhanced 50+ Fields]
+    B --> C[Improved DCR Transform]
+    C --> D[Backward Compatible Parser]
+    
+    style B fill:#e8f5e8
+    style C fill:#e8f5e8
+    style D fill:#e8f5e8
+```
+
+### Phase 2: Analytics Enhancement
+```mermaid
+graph LR
+    A[Basic Threat Detection] --> B[Enhanced Threat Classification]
+    B --> C[Device Compliance Monitoring]
+    C --> D[Advanced Correlation Rules]
+    
+    style B fill:#fff3e0
+    style C fill:#fff3e0
+    style D fill:#fff3e0
+```
+
+### Phase 3: Advanced Features
+```mermaid
+graph LR
+    A[Static Workbooks] --> B[Dynamic Visualizations]
+    B --> C[Hunting Queries]
+    C --> D[Threat Intelligence Integration]
+    
+    style B fill:#f3e5f5
+    style C fill:#f3e5f5
+    style D fill:#f3e5f5
+```
+
+## Component Interaction Matrix
+
+| Component | Current State | Enhanced State | Dependencies |
+|-----------|---------------|----------------|--------------|
+| **Table Schema** | 11 basic fields | 50+ comprehensive fields | DCR updates |
+| **DCR Transform** | Basic field mapping | Comprehensive extraction | API v2 understanding |
+| **Parser** | Legacy Lookout_CL target | Dual compatibility | Table schema |
+| **Analytics Rules** | Basic threat detection | Multi-layered detection | Parser updates |
+| **Workbooks** | Simple visualizations | Rich dashboards | Enhanced data |
+| **Hunting Queries** | Limited scope | Comprehensive coverage | All above |
+
+## Security and Compliance Flow
+
+```mermaid
+graph TD
+    A[Raw API Data] --> B[Data Classification]
+    B --> C[Field Validation]
+    C --> D[Transformation Rules]
+    D --> E[Secure Storage]
+    E --> F[Access Control]
+    F --> G[Audit Logging]
+    
+    H[Compliance Requirements] --> B
+    I[Data Retention Policies] --> E
+    J[Privacy Controls] --> F
+    
+    style A fill:#ffebee
+    style E fill:#e8f5e8
+    style G fill:#e3f2fd
+```
+
+## Implementation Phases
+
+### Phase 1: Core Infrastructure (Weeks 1-2)
+- Expand table schema
+- Update DCR transformations
+- Enhance parser compatibility
+
+### Phase 2: Analytics Enhancement (Weeks 3-4)
+- Update existing analytics rules
+- Create new threat detection rules
+- Enhance workbook visualizations
+
+### Phase 3: Advanced Features (Weeks 5-6)
+- Create hunting queries
+- Implement advanced correlation
+- Add comprehensive validation
+
+## Risk Mitigation Strategy
+
+```mermaid
+graph TD
+    A[Backward Compatibility] --> B[Gradual Migration]
+    B --> C[Parallel Testing]
+    C --> D[Rollback Capability]
+    
+    E[Data Validation] --> F[Error Handling]
+    F --> G[Monitoring Alerts]
+    G --> H[Performance Optimization]
+    
+    style A fill:#e8f5e8
+    style E fill:#fff3e0
+```
+
+## Success Metrics
+
+1. **Data Completeness**: 95%+ field population rate
+2. **Performance**: <10% increase in ingestion latency
+3. **Compatibility**: 100% backward compatibility maintained
+4. **Detection Enhancement**: 30%+ improvement in threat detection coverage
+5. **User Adoption**: Analytics rules utilizing new fields within 30 days

Solutions/Lookout/ARCHITECTURE_DIAGRAM.md

@@ -0,0 +1,126 @@
+id: 6b2d4e8a-5f7c-4b9e-8a1d-3c5e7a9b2f4d
+name: Lookout - Critical Audit and Policy Changes (v2)
+description: |
+  'Monitors critical audit events and policy changes from Lookout Mobile Risk API v2. Detects unauthorized configuration changes, policy modifications, security setting adjustments, and administrative actions that could impact mobile security posture. Provides comprehensive audit trail for compliance and security governance.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: LookoutAPI
+    dataTypes:
+      - LookoutEvents
+queryFrequency: 15m
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - DefenseEvasion
+  - Persistence
+  - PrivilegeEscalation
+  - Impact
+relevantTechniques:
+  - T1629
+  - T1626
+query: |
+  LookoutEvents
+  | where EventType == "AUDIT"
+  | where AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE", "USER_MANAGEMENT", "CONFIGURATION_CHANGE")
+  | extend 
+      ChangeImpact = case(
+          AuditType == "POLICY_CHANGE", "High",
+          AuditType == "SECURITY_SETTING_CHANGE", "High",
+          AuditType == "USER_MANAGEMENT", "Medium",
+          AuditType == "CONFIGURATION_CHANGE", "Medium",
+          "Low"
+      ),
+      RiskLevel = case(
+          ActorType == "SYSTEM" and AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE"), "Automated Change",
+          ActorType == "ADMIN_USER" and AuditType == "POLICY_CHANGE", "Administrative Change",
+          ActorType == "USER" and AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE"), "Unauthorized Change",
+          ActorType == "UNKNOWN", "Suspicious Change",
+          "Standard Change"
+      )
+  | extend SecurityImplications = case(
+      AuditAttributeChanges has "threat_response_level" and AuditAttributeChanges has "LOW", "Threat Response Weakened",
+      AuditAttributeChanges has "auto_quarantine_enabled" and AuditAttributeChanges has "false", "Auto-Quarantine Disabled",
+      AuditAttributeChanges has "compliance_enforcement" and AuditAttributeChanges has "false", "Compliance Enforcement Disabled",
+      AuditAttributeChanges has "device_wipe_enabled" and AuditAttributeChanges has "false", "Device Wipe Disabled",
+      AuditAttributeChanges has "admin" or AuditAttributeChanges has "privilege", "Privilege Changes",
+      "Configuration Update"
+  )
+  | extend ComplianceRisk = case(
+      SecurityImplications in ("Threat Response Weakened", "Auto-Quarantine Disabled", "Compliance Enforcement Disabled"), "Critical",
+      SecurityImplications == "Device Wipe Disabled", "High",
+      SecurityImplications == "Privilege Changes", "High",
+      RiskLevel == "Unauthorized Change", "High",
+      RiskLevel == "Suspicious Change", "Medium",
+      "Low"
+  )
+  | extend ChangeDetails = case(
+      isnotempty(AuditAttributeChanges), strcat("Attribute changes: ", tostring(AuditAttributeChanges)),
+      isnotempty(TargetGuid), strcat("Target: ", TargetType, " (", TargetGuid, ")"),
+      "General audit event"
+  )
+  | project
+      TimeGenerated,
+      EventId,
+      AuditType,
+      ChangeImpact,
+      RiskLevel,
+      SecurityImplications,
+      ComplianceRisk,
+      ChangeDetails,
+      AuditAttributeChanges,
+      ActorType,
+      ActorGuid,
+      TargetType,
+      TargetGuid,
+      TargetEmailAddress,
+      ChangeType,
+      EnterpriseGuid
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: ActorGuid
+      - identifier: Name
+        columnName: TargetEmailAddress
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: TargetGuid
+customDetails:
+  AuditType: AuditType
+  ChangeImpact: ChangeImpact
+  RiskLevel: RiskLevel
+  SecurityImpact: SecurityImplications
+  ComplianceRisk: ComplianceRisk
+  ActorType: ActorType
+  TargetType: TargetType
+  ChangeType: ChangeType
+alertDetailsOverride:
+  alertDisplayNameFormat: "Critical Audit Event: {{SecurityImplications}} by {{ActorType}}"
+  alertDescriptionFormat: "{{AuditType}} by {{ActorType}} with {{ComplianceRisk}} risk"
+  alertTacticsColumnName: SecurityImplications
+  alertSeverityColumnName: ComplianceRisk
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: P1D
+    matchingMethod: Selected
+    groupByEntities:
+      - Account
+    groupByAlertDetails:
+      - AuditType
+      - ActorGuid
+    groupByCustomDetails:
+      - SecurityImpact
+      - ComplianceRisk
+      - ActorType
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+suppressionEnabled: false
+suppressionDuration: PT30M
+version: 2.0.3
+kind: Scheduled