diff --git a/Solutions/Box/Data/Solution_Box.json b/Solutions/Box/Data/Solution_Box.json
index 1812fa16b26..175120ee61f 100644
--- a/Solutions/Box/Data/Solution_Box.json
+++ b/Solutions/Box/Data/Solution_Box.json
@@ -37,7 +37,7 @@
 "Analytic Rules/BoxUserRoleChangedToOwner.yaml"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Box",
- "Version": "2.0.0",
+ "Version": "2.0.2",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
diff --git a/Solutions/Box/Package/2.0.2.zip b/Solutions/Box/Package/2.0.2.zip
new file mode 100644
index 00000000000..e965bfcfe4b
Binary files /dev/null and b/Solutions/Box/Package/2.0.2.zip differ
diff --git a/Solutions/Box/Package/createUiDefinition.json b/Solutions/Box/Package/createUiDefinition.json
index 949b0951b65..269651e75c9 100644
--- a/Solutions/Box/Package/createUiDefinition.json
+++ b/Solutions/Box/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Box](https://developer.box.com/guides/events/enterprise-events/for-enterprise/) solution connector provides the capability to ingest [Box enterprise's events](https://developer.box.com/guides/events/#admin-events) into Microsoft Sentinel using the Box REST API \r\n \r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \r\n \r\n b. [Azure Functions ](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Box](https://developer.box.com/guides/events/enterprise-events/for-enterprise/) solution connector provides the capability to ingest [Box enterprise's events](https://developer.box.com/guides/events/#admin-events) into Microsoft Sentinel using the Box REST API \r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \r\n \r\n b. [Azure Functions ](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -107,6 +107,20 @@
 "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
 }
 }
+ },
+ {
+ "name": "workbook1",
+ "type": "Microsoft.Common.Section",
+ "label": "Box",
+ "elements": [
+ {
+ "name": "workbook1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Sets the time name for analysis"
+ }
+ }
+ ]
 }
 ]
 },
@@ -309,7 +323,7 @@
 "name": "huntingquery1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows iplist for admin users. You can check for suspicious IPs or new IPs. It depends on the BoxDataConnector data connector and BoxEvents_CL data type and BoxDataConnector parser."
+ "text": "Query shows iplist for admin users. You can check for suspicious IPs or new IPs. This hunting query depends on BoxDataConnector data connector (BoxEvents_CL Parser or Table)"
 }
 }
 ]
@@ -323,7 +337,7 @@
 "name": "huntingquery2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows deleted user accounts. It depends on the BoxDataConnector data connector and BoxEvents_CL data type and BoxDataConnector parser."
+ "text": "Query shows deleted user accounts. This hunting query depends on BoxDataConnector data connector (BoxEvents_CL Parser or Table)"
 }
 }
 ]
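Review bot: The TextBlock text added for the new `workbook1` section, `Sets the time name for analysis`, does not say what the Box workbook shows or what data it needs, so someone reading the installer wizard cannot tell what the section is for. The hunting-query sections in this same file state their data dependency, and the workbook's own serialized content in mainTemplate.json says it depends on the BoxEvents parser function. A text along the lines of `"text": "Workbook visualizing Box enterprise events. This workbook depends on the BoxDataConnector data connector and the BoxEvents parser (BoxEvents_CL table)."` would match the rest of the wizard. If this text is copied from the workbook's metadata by the packaging step, the wording should be fixed at that source rather than only here.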
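Review bot: The reworded dependency sentence in the `huntingquery1-text` hunk, `This hunting query depends on BoxDataConnector data connector (BoxEvents_CL Parser or Table)`, blurs two different names: elsewhere in this commit the parser function is called `BoxEvents` (the workbook note in mainTemplate.json links it as the BoxDataConnector parser) and `BoxEvents_CL` is the raw table, so "BoxEvents_CL Parser" is not a thing the reader can look up. It also drops the terminal period the old text had. Something like `This hunting query depends on the BoxDataConnector data connector (BoxEvents parser or BoxEvents_CL table).` states the same dependency unambiguously. The same sentence is repeated in the `huntingquery2-text` through `huntingquery10-text` hunks that follow, so the wording should be changed in all ten.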
@@ -337,7 +351,7 @@
 "name": "huntingquery3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows inactive admin accounts (admin users which last login time is more than 30 days). It depends on the BoxDataConnector data connector and BoxEvents_CL data type and BoxDataConnector parser."
+ "text": "Query shows inactive admin accounts (admin users which last login time is more than 30 days). This hunting query depends on BoxDataConnector data connector (BoxEvents_CL Parser or Table)"
 }
 }
 ]
@@ -351,7 +365,7 @@
 "name": "huntingquery4-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows inactive user accounts (users which last login time is more than 30 days). It depends on the BoxDataConnector data connector and BoxEvents_CL data type and BoxDataConnector parser."
+ "text": "Query shows inactive user accounts (users which last login time is more than 30 days). This hunting query depends on BoxDataConnector data connector (BoxEvents_CL Parser or Table)"
 }
 }
 ]
@@ -365,7 +379,7 @@
 "name": "huntingquery5-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows new user accounts. It depends on the BoxDataConnector data connector and BoxEvents_CL data type and BoxDataConnector parser."
+ "text": "Query shows new user accounts. This hunting query depends on BoxDataConnector data connector (BoxEvents_CL Parser or Table)"
 }
 }
 ]
@@ -379,7 +393,7 @@
 "name": "huntingquery6-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for potentially suspicious files or files which can contain sensitive information such as passwords, secrets. It depends on the BoxDataConnector data connector and BoxEvents_CL data type and BoxDataConnector parser."
+ "text": "Query searches for potentially suspicious files or files which can contain sensitive information such as passwords, secrets. This hunting query depends on BoxDataConnector data connector (BoxEvents_CL Parser or Table)"
 }
 }
 ]
@@ -393,7 +407,7 @@
 "name": "huntingquery7-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows downloaded data volume per user. It depends on the BoxDataConnector data connector and BoxEvents_CL data type and BoxDataConnector parser."
+ "text": "Query shows downloaded data volume per user. This hunting query depends on BoxDataConnector data connector (BoxEvents_CL Parser or Table)"
 }
 }
 ]
@@ -407,7 +421,7 @@
 "name": "huntingquery8-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows user permissions(groups) changes. It depends on the BoxDataConnector data connector and BoxEvents_CL data type and BoxDataConnector parser."
+ "text": "Query shows user permissions(groups) changes. This hunting query depends on BoxDataConnector data connector (BoxEvents_CL Parser or Table)"
 }
 }
 ]
@@ -421,7 +435,7 @@
 "name": "huntingquery9-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows uploaded data volume per user. It depends on the BoxDataConnector data connector and BoxEvents_CL data type and BoxDataConnector parser."
+ "text": "Query shows uploaded data volume per user. This hunting query depends on BoxDataConnector data connector (BoxEvents_CL Parser or Table)"
 }
 }
 ]
@@ -435,7 +449,7 @@
 "name": "huntingquery10-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows users with newly added owner permissions. It depends on the BoxDataConnector data connector and BoxEvents_CL data type and BoxDataConnector parser."
+ "text": "Query shows users with newly added owner permissions. This hunting query depends on BoxDataConnector data connector (BoxEvents_CL Parser or Table)"
 }
 }
 ]
diff --git a/Solutions/Box/Package/mainTemplate.json b/Solutions/Box/Package/mainTemplate.json
index 502d2f4ddb3..084e9077ab1 100644
--- a/Solutions/Box/Package/mainTemplate.json
+++ b/Solutions/Box/Package/mainTemplate.json
@@ -42,6 +42,7 @@
 "_solutionId": "[variables('solutionId')]",
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
+ "blanks": "[replace('b', 'b', '')]",
 "workbookVersion1": "1.0.0",
 "workbookContentId1": "BoxWorkbook",
 "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
@@ -168,7 +169,7 @@
 "resources": [
 {
 "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[variables('workbookTemplateSpecName1')]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -182,7 +183,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -193,7 +194,7 @@
 "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
 ],
 "properties": {
- "description": "BoxWorkbook Workbook with template version 2.0.1",
+ "description": "BoxWorkbook with template version 2.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
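Review bot: The new `blanks` variable, `"blanks": "[replace('b', 'b', '')]"`, is an expression whose only result is an empty string, and none of the visible hunks of mainTemplate.json reference `variables('blanks')`, so a reader cannot tell whether it is consumed by the workbook template further down or is left over from packaging. If it is referenced outside this diff, the reason for building an empty string through `replace` rather than writing it directly is worth recording in the template's top-level `metadata.comments`, since ARM templates have no comment syntax; if it is not referenced, it should be removed. I can only see the hunks shown here, so whether it is used elsewhere is inferred, not verified.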
@@ -211,7 +212,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This workbook depends on a parser based on Kusto Function to work as expected [**BoxEvents**](https://aka.ms/sentinel-BoxDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"88aa96e3-fc48-4b04-836e-fc2ec8ebf37f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\" Time Range\",\"type\":4,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":3600000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events over time\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"65\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where isnotempty(EventType)\\r\\n| summarize TotalEvents = count() by EventType\",\"size\":3,\"title\":\"Event 
Types\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventSeverity\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"rowLimit\":7,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventSeverity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"35\",\"name\":\"query - 3\"}]},\"customWidth\":\"80\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let user1 = BoxEvents\\r\\n| where isnotempty(SourceName)\\r\\n| summarize Users = dcount(SourceName) by SourceName\\r\\n| project Users, User = SourceName;\\r\\nlet user2 = BoxEvents\\r\\n| where isnotempty(SrcUserName)\\r\\n| summarize Users = count(SrcUserName) by SrcUserName\\r\\n| project Users, User = SrcUserName;\\r\\nlet user3 = BoxEvents\\r\\n| where isnotempty(AccessibleByName)\\r\\n| summarize Users = dcount(AccessibleByName) by AccessibleByName\\r\\n| project Users, User = AccessibleByName;\\r\\nlet users = union user1, user2, user3;\\r\\nusers\\r\\n| summarize Users = dcount(User)\",\"size\":3,\"title\":\"Unique 
Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 5\"}]},\"name\":\"group - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize dcount(SrcIpAddr)\\r\\n\",\"size\":3,\"title\":\"Unique IPs\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalEvents\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blueGreen\"}},{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"turquoise\"}}],\"rowLimit\":10,\"labelSettings\":[{\"columnId\":\"TotalEvents\",\"label\":\"Total Events\"},{\"columnId\":\"Trend\"}]},\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 6\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let file1 = BoxEvents\\r\\n| where isnotempty(SourceFileName)\\r\\n| summarize d_files = dcount(SourceFileName);\\r\\nlet file2 = BoxEvents\\r\\n| where isnotempty(SourceItemName)\\r\\n| summarize d_files = dcount(SourceItemName);\\r\\nlet files = union file1, file2;\\r\\nfiles\\r\\n| summarize sum(d_files)\\r\\n\",\"size\":3,\"title\":\"Unique 
files\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"titleContent\":{\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"}},\"leftContent\":{\"columnMatch\":\"sum_d_files\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"Unique files\",\"columnSettings\":[{\"columnName\":\"sum_d_files\",\"color\":\"blue\"}]}}},\"rightContent\":{\"columnMatch\":\"sum_d_files\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let files_1 = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where isnotempty(SourceFileName)\\r\\n| summarize TotalItems = dcount(SourceFileName) by SourceFileName\\r\\n| project TotalItems, FileName = SourceFileName;\\r\\nlet files_2 = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where isnotempty(SourceItemName)\\r\\n| summarize TotalItems = dcount(SourceItemName) by SourceItemName\\r\\n| project TotalItems, FileName = SourceItemName;\\r\\nlet known_files = (union files_1, files_2)\\r\\n| summarize makeset(FileName);\\r\\nBoxEvents\\r\\n| where TimeGenerated between (ago(24h) .. now())\\r\\n| where isnotempty(SourceFileName) \\r\\n| project FileName = SourceFileName\\r\\n| union (BoxEvents\\r\\n | where TimeGenerated between (ago(24h) .. 
now())\\r\\n | where isnotempty(SourceItemName)\\r\\n | project FileName = SourceItemName)\\r\\n| where FileName !in (known_files)\\r\\n| summarize dcount(FileName)\\r\\n\\r\\n\",\"size\":3,\"title\":\"New files (last 24h)\",\"noDataMessage\":\"No new files during last 24h\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\"},\"name\":\"query - 3\"}]},\"name\":\"group - 4\"}]},\"customWidth\":\"20\",\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where EventType == 'ADMIN_LOGIN'\\r\\n| summarize Username = dcount(SourceName) by SourceName\\r\\n| project SourceName\\r\\n\",\"size\":3,\"title\":\"Admin users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalEvents\",\"formatter\":8,\"formatOptions\":{\"palette\":\"turquoise\"}},{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SrcDvcHostname\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"textSettings\":{\"style\":\"header\"}},\"customWidth\":\"25\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let admins = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where EventType == 'ADMIN_LOGIN'\\r\\n| summarize makeset(SourceName);\\r\\nlet adm_type1 = BoxEvents\\r\\n| where SourceName in (admins)\\r\\n| summarize TotalActions = count() by SourceName;\\r\\nlet adm_type2 = BoxEvents\\r\\n| where SrcUserName in (admins)\\r\\n| 
summarize TotalActions = count() by SrcUserName\\r\\n| project TotalActions, SourceName = SrcUserName; \\r\\nlet adm_activity = (union adm_type1, adm_type2);\\r\\nadm_activity\\r\\n| summarize TotalActions = sum(TotalActions) by SourceName\\r\\n| join kind = inner (BoxEvents\\r\\n | where SourceName in (admins) or SrcUserName in (admins)\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\\r\\n on SourceName\\r\\n| project SourceName, TotalActions, Trend\\r\\n| order by TotalActions\\r\\n\",\"size\":3,\"title\":\"Admin users activity\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalActions\",\"formatter\":8,\"formatOptions\":{\"palette\":\"coldHot\"}},{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SourceName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalActions\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"40\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let admins = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where EventType == 'ADMIN_LOGIN'\\r\\n| summarize makeset(SourceName);\\r\\nlet adm_type1 = BoxEvents\\r\\n| where SourceName in (admins)\\r\\n| summarize by EventType, SourceName\\r\\n| project Action = EventType, SourceName;\\r\\nlet adm_type2 = BoxEvents\\r\\n| where SrcUserName in (admins)\\r\\n| summarize max(TimeGenerated) by EventType, 
SrcUserName\\r\\n| project Action = EventType, SourceName = SrcUserName; \\r\\nlet adm_activity = (union adm_type1, adm_type2);\\r\\nadm_activity\\r\\n\",\"size\":1,\"title\":\"Latest admin activity\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 2\"}]},\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\n| where EventType == 'NEW_USER'\\n| project SourceName\\n\",\"size\":3,\"title\":\"New users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventCategory\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false,\"rowLimit\":10},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"TableName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"nodeIdField\":\"TableName\",\"sourceIdField\":\"TableName\",\"targetIdField\":\"count_\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"staticNodeSize\":100,\"hivesMargin\":5},\"chartSettings\":{\"xSettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}},\"textSettin
gs\":{\"style\":\"header\"}},\"customWidth\":\"15\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'DELETE_USER'\\r\\n| project SourceName\",\"size\":3,\"title\":\"Deleted users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"header\"}},\"customWidth\":\"15\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'LOGIN'\\r\\n| summarize LastLoginTime = max(TimeGenerated) by SourceName\\r\\n| where LastLoginTime > ago(90d)\",\"size\":0,\"title\":\"Inactive users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let user_act1 = BoxEvents\\r\\n| where isnotempty(SourceName)\\r\\n| summarize TotalActions = count() by SourceName;\\r\\nlet user_act2 = BoxEvents\\r\\n| where isnotempty(SrcUserName)\\r\\n| summarize TotalActions = count() by SrcUserName\\r\\n| project TotalActions, SourceName = SrcUserName; \\r\\nlet user_activity = (union user_act1, user_act2);\\r\\nuser_activity\\r\\n| join kind = inner (BoxEvents\\r\\n | where isnotempty(SourceName) or isnotempty(SrcUserName)\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\\r\\n on SourceName\\r\\n| project SourceName, TotalActions, Trend\\r\\n| order by TotalActions\",\"size\":0,\"title\":\"Users activity over 
time\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalActions\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SourceName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalActions\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"35\",\"name\":\"query - 3\"}]},\"name\":\"group - 20\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| summarize Downloads = countif(EventType == \\\"DOWNLOAD\\\"), Uploads = countif(EventType == \\\"UPLOAD\\\") by bin_at(TimeGenerated, 1h, now())\",\"size\":3,\"title\":\"Downloads/Uploads comparison\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'DOWNLOAD'\\r\\n| where isnotempty(SourceItemName)\\r\\n| project FileName = SourceItemName, SrcUserName, TimeGenerated\\r\\n| top 100 by TimeGenerated desc\",\"size\":0,\"title\":\"Latest downloaded 
items\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"35ch\"}},{\"columnMatch\":\"SrcUserName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}}],\"filter\":true},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'UPLOAD'\\r\\n| where isnotempty(SourceItemName)\\r\\n| project FileName = SourceItemName, SrcUserName, TimeGenerated\\r\\n| top 100 by TimeGenerated desc\",\"size\":0,\"title\":\"Latest uploaded items\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"35ch\"}},{\"columnMatch\":\"SrcUserName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 6\"}],\"fromTemplateId\":\"sentinel-Box\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This workbook depends on a parser based on Kusto Function to work as expected [**BoxEvents**](https://aka.ms/sentinel-BoxDataConnector-parser) which is 
deployed with the Microsoft Sentinel Solution.\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"88aa96e3-fc48-4b04-836e-fc2ec8ebf37f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\" Time Range\",\"type\":4,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":3600000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events over time\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"65\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where isnotempty(EventType)\\r\\n| summarize TotalEvents = count() by EventType\",\"size\":3,\"title\":\"Event 
Types\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventSeverity\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"rowLimit\":7,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventSeverity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"35\",\"name\":\"query - 3\"}]},\"customWidth\":\"80\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let user1 = BoxEvents\\r\\n| where isnotempty(SourceName)\\r\\n| summarize Users = dcount(SourceName) by SourceName\\r\\n| project Users, User = SourceName;\\r\\nlet user2 = BoxEvents\\r\\n| where isnotempty(SrcUserName)\\r\\n| summarize Users = count(SrcUserName) by SrcUserName\\r\\n| project Users, User = SrcUserName;\\r\\nlet user3 = BoxEvents\\r\\n| where isnotempty(AccessibleByName)\\r\\n| summarize Users = dcount(AccessibleByName) by AccessibleByName\\r\\n| project Users, User = AccessibleByName;\\r\\nlet users = union user1, user2, user3;\\r\\nusers\\r\\n| summarize Users = dcount(User)\",\"size\":3,\"title\":\"Unique 
Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 5\"}]},\"name\":\"group - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize dcount(SrcIpAddr)\\r\\n\",\"size\":3,\"title\":\"Unique IPs\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalEvents\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blueGreen\"}},{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"turquoise\"}}],\"rowLimit\":10,\"labelSettings\":[{\"columnId\":\"TotalEvents\",\"label\":\"Total Events\"},{\"columnId\":\"Trend\"}]},\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 6\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let file1 = BoxEvents\\r\\n| where isnotempty(SourceFileName)\\r\\n| summarize d_files = dcount(SourceFileName);\\r\\nlet file2 = BoxEvents\\r\\n| where isnotempty(SourceItemName)\\r\\n| summarize d_files = dcount(SourceItemName);\\r\\nlet files = union file1, file2;\\r\\nfiles\\r\\n| summarize sum(d_files)\\r\\n\",\"size\":3,\"title\":\"Unique 
files\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"titleContent\":{\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"}},\"leftContent\":{\"columnMatch\":\"sum_d_files\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"Unique files\",\"columnSettings\":[{\"columnName\":\"sum_d_files\",\"color\":\"blue\"}]}}},\"rightContent\":{\"columnMatch\":\"sum_d_files\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let files_1 = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where isnotempty(SourceFileName)\\r\\n| summarize TotalItems = dcount(SourceFileName) by SourceFileName\\r\\n| project TotalItems, FileName = SourceFileName;\\r\\nlet files_2 = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where isnotempty(SourceItemName)\\r\\n| summarize TotalItems = dcount(SourceItemName) by SourceItemName\\r\\n| project TotalItems, FileName = SourceItemName;\\r\\nlet known_files = (union files_1, files_2)\\r\\n| summarize makeset(FileName);\\r\\nBoxEvents\\r\\n| where TimeGenerated between (ago(24h) .. now())\\r\\n| where isnotempty(SourceFileName) \\r\\n| project FileName = SourceFileName\\r\\n| union (BoxEvents\\r\\n | where TimeGenerated between (ago(24h) .. 
now())\\r\\n | where isnotempty(SourceItemName)\\r\\n | project FileName = SourceItemName)\\r\\n| where FileName !in (known_files)\\r\\n| summarize dcount(FileName)\\r\\n\\r\\n\",\"size\":3,\"title\":\"New files (last 24h)\",\"noDataMessage\":\"No new files during last 24h\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\"},\"name\":\"query - 3\"}]},\"name\":\"group - 4\"}]},\"customWidth\":\"20\",\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where EventType == 'ADMIN_LOGIN'\\r\\n| summarize Username = dcount(SourceName) by SourceName\\r\\n| project SourceName\\r\\n\",\"size\":3,\"title\":\"Admin users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalEvents\",\"formatter\":8,\"formatOptions\":{\"palette\":\"turquoise\"}},{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SrcDvcHostname\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"textSettings\":{\"style\":\"header\"}},\"customWidth\":\"25\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let admins = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where EventType == 'ADMIN_LOGIN'\\r\\n| summarize makeset(SourceName);\\r\\nlet adm_type1 = BoxEvents\\r\\n| where SourceName in (admins)\\r\\n| summarize TotalActions = count() by SourceName;\\r\\nlet adm_type2 = BoxEvents\\r\\n| where SrcUserName in (admins)\\r\\n| 
summarize TotalActions = count() by SrcUserName\\r\\n| project TotalActions, SourceName = SrcUserName; \\r\\nlet adm_activity = (union adm_type1, adm_type2);\\r\\nadm_activity\\r\\n| summarize TotalActions = sum(TotalActions) by SourceName\\r\\n| join kind = inner (BoxEvents\\r\\n | where SourceName in (admins) or SrcUserName in (admins)\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\\r\\n on SourceName\\r\\n| project SourceName, TotalActions, Trend\\r\\n| order by TotalActions\\r\\n\",\"size\":3,\"title\":\"Admin users activity\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalActions\",\"formatter\":8,\"formatOptions\":{\"palette\":\"coldHot\"}},{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SourceName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalActions\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"40\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let admins = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where EventType == 'ADMIN_LOGIN'\\r\\n| summarize makeset(SourceName);\\r\\nlet adm_type1 = BoxEvents\\r\\n| where SourceName in (admins)\\r\\n| summarize by EventType, SourceName\\r\\n| project Action = EventType, SourceName;\\r\\nlet adm_type2 = BoxEvents\\r\\n| where SrcUserName in (admins)\\r\\n| summarize max(TimeGenerated) by EventType, 
SrcUserName\\r\\n| project Action = EventType, SourceName = SrcUserName; \\r\\nlet adm_activity = (union adm_type1, adm_type2);\\r\\nadm_activity\\r\\n\",\"size\":1,\"title\":\"Latest admin activity\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 2\"}]},\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\n| where EventType == 'NEW_USER'\\n| project SourceName\\n\",\"size\":3,\"title\":\"New users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventCategory\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false,\"rowLimit\":10},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"TableName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"nodeIdField\":\"TableName\",\"sourceIdField\":\"TableName\",\"targetIdField\":\"count_\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"nodeSize\":\"[variables('blanks')]\",\"staticNodeSize\":100,\"colorSettings\":\"[variables('blanks')]\",\"hivesMargin\":5},\"chartSettings\":{\"xSettings\":{\"numberFormatSettings\":{
\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}},\"textSettings\":{\"style\":\"header\"}},\"customWidth\":\"15\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'DELETE_USER'\\r\\n| project SourceName\",\"size\":3,\"title\":\"Deleted users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"header\"}},\"customWidth\":\"15\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'LOGIN'\\r\\n| summarize LastLoginTime = max(TimeGenerated) by SourceName\\r\\n| where LastLoginTime > ago(90d)\",\"size\":0,\"title\":\"Inactive users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let user_act1 = BoxEvents\\r\\n| where isnotempty(SourceName)\\r\\n| summarize TotalActions = count() by SourceName;\\r\\nlet user_act2 = BoxEvents\\r\\n| where isnotempty(SrcUserName)\\r\\n| summarize TotalActions = count() by SrcUserName\\r\\n| project TotalActions, SourceName = SrcUserName; \\r\\nlet user_activity = (union user_act1, user_act2);\\r\\nuser_activity\\r\\n| join kind = inner (BoxEvents\\r\\n | where isnotempty(SourceName) or isnotempty(SrcUserName)\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\\r\\n on SourceName\\r\\n| project SourceName, TotalActions, Trend\\r\\n| order by TotalActions\",\"size\":0,\"title\":\"Users activity over 
time\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalActions\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SourceName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalActions\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"35\",\"name\":\"query - 3\"}]},\"name\":\"group - 20\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| summarize Downloads = countif(EventType == \\\"DOWNLOAD\\\"), Uploads = countif(EventType == \\\"UPLOAD\\\") by bin_at(TimeGenerated, 1h, now())\",\"size\":3,\"title\":\"Downloads/Uploads comparison\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'DOWNLOAD'\\r\\n| where isnotempty(SourceItemName)\\r\\n| project FileName = SourceItemName, SrcUserName, TimeGenerated\\r\\n| top 100 by TimeGenerated desc\",\"size\":0,\"title\":\"Latest downloaded 
items\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"35ch\"}},{\"columnMatch\":\"SrcUserName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}}],\"filter\":true},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'UPLOAD'\\r\\n| where isnotempty(SourceItemName)\\r\\n| project FileName = SourceItemName, SrcUserName, TimeGenerated\\r\\n| top 100 by TimeGenerated desc\",\"size\":0,\"title\":\"Latest uploaded items\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"35ch\"}},{\"columnMatch\":\"SrcUserName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 6\"}],\"fromTemplateId\":\"sentinel-Box\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -263,7 +264,7 @@ }, { "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[variables('parserTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "tags": { @@ -277,7 +278,7 @@ }, { "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]", "location": "[parameters('workspace-location')]", "tags": { @@ -288,7 +289,7 @@ "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]" ], "properties": { - "description": "BoxEvents Data Parser with template version 2.0.1", + "description": "BoxEvents Data Parser with template version 2.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion1')]", @@ -350,7 +351,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2021-06-01", + "apiVersion": "2022-10-01", "name": "[variables('_parserName1')]", "location": "[parameters('workspace-location')]", "properties": { @@ -394,7 +395,7 @@ }, { "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[variables('huntingQueryTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "tags": { @@ -408,7 +409,7 @@ }, { "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[concat(variables('huntingQueryTemplateSpecName1'),'/',variables('huntingQueryVersion1'))]", "location": "[parameters('workspace-location')]", "tags": { 
@@ -419,7 +420,7 @@ "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]" ], "properties": { - "description": "BoxAdminIpAddress_HuntingQueries Hunting Query with template version 2.0.1", + "description": "BoxAdminIpAddress_HuntingQueries Hunting Query with template version 2.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion1')]", @@ -435,7 +436,7 @@ "eTag": "*", "displayName": "Box - IP list for admin users", "category": "Hunting Queries", - "query": "BoxEvents\n| where TimeGenerated > ago(30d)\n| where EventType =~ 'ADMIN_LOGIN'\n| summarize makeset(SrcIpAddr) by SourceLogin;\n| extend AccountCustomEntity = SourceLogin\n", + "query": "BoxEvents\n| where TimeGenerated > ago(30d)\n| where EventType =~ 'ADMIN_LOGIN'\n| summarize makeset(SrcIpAddr) by SourceLogin\n| extend AccountCustomEntity = SourceLogin\n", "version": 2, "tags": [ { @@ -486,7 +487,7 @@ }, { "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[variables('huntingQueryTemplateSpecName2')]", "location": "[parameters('workspace-location')]", "tags": { @@ -500,7 +501,7 @@ }, { "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[concat(variables('huntingQueryTemplateSpecName2'),'/',variables('huntingQueryVersion2'))]", "location": "[parameters('workspace-location')]", "tags": { 
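Review bot: The repaired hunting query in hunk `@@ -435,7 +436,7 @@` still calls `makeset()`, which Kusto documents as a deprecated alias of `make_set()`, so the rule is one deprecation cycle away from breaking again; the workbook queries in the earlier serializedData hunk use the same alias. Suggest `| summarize make_set(SrcIpAddr) by SourceLogin` here and in the workbook. Dropping the stray `;` is the right fix — with it the `| extend` line was a separate, invalid statement — but the alias is worth retiring while the query is being touched.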
@@ -511,7 +512,7 @@ "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]" ], "properties": { - "description": "BoxDeletedUsers_HuntingQueries Hunting Query with template version 2.0.1", + "description": "BoxDeletedUsers_HuntingQueries Hunting Query with template version 2.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion2')]", @@ -578,7 +579,7 @@ }, { "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[variables('huntingQueryTemplateSpecName3')]", "location": "[parameters('workspace-location')]", "tags": { @@ -592,7 +593,7 @@ }, { "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[concat(variables('huntingQueryTemplateSpecName3'),'/',variables('huntingQueryVersion3'))]", "location": "[parameters('workspace-location')]", "tags": { @@ -603,7 +604,7 @@ "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]" ], "properties": { - "description": "BoxInactiveAdmins_HuntingQueries Hunting Query with template version 2.0.1", + "description": "BoxInactiveAdmins_HuntingQueries Hunting Query with template version 2.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion3')]", @@ -670,7 +671,7 @@ }, { "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[variables('huntingQueryTemplateSpecName4')]", "location": "[parameters('workspace-location')]", "tags": { 
@@ -684,7 +685,7 @@ }, { "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[concat(variables('huntingQueryTemplateSpecName4'),'/',variables('huntingQueryVersion4'))]", "location": "[parameters('workspace-location')]", "tags": { @@ -695,7 +696,7 @@ "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName4'))]" ], "properties": { - "description": "BoxInactiveUsers_HuntingQueries Hunting Query with template version 2.0.1", + "description": "BoxInactiveUsers_HuntingQueries Hunting Query with template version 2.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion4')]", @@ -762,7 +763,7 @@ }, { "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[variables('huntingQueryTemplateSpecName5')]", "location": "[parameters('workspace-location')]", "tags": { @@ -776,7 +777,7 @@ }, { "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[concat(variables('huntingQueryTemplateSpecName5'),'/',variables('huntingQueryVersion5'))]", "location": "[parameters('workspace-location')]", "tags": { @@ -787,7 +788,7 @@ "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName5'))]" ], "properties": { - "description": "BoxNewUsers_HuntingQueries Hunting Query with template version 2.0.1", + "description": "BoxNewUsers_HuntingQueries Hunting Query with template version 2.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion5')]", 
@@ -854,7 +855,7 @@ }, { "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[variables('huntingQueryTemplateSpecName6')]", "location": "[parameters('workspace-location')]", "tags": { @@ -868,7 +869,7 @@ }, { "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[concat(variables('huntingQueryTemplateSpecName6'),'/',variables('huntingQueryVersion6'))]", "location": "[parameters('workspace-location')]", "tags": { @@ -879,7 +880,7 @@ "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName6'))]" ], "properties": { - "description": "BoxSuspiciousFiles_HuntingQueries Hunting Query with template version 2.0.1", + "description": "BoxSuspiciousFiles_HuntingQueries Hunting Query with template version 2.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion6')]", @@ -946,7 +947,7 @@ }, { "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[variables('huntingQueryTemplateSpecName7')]", "location": "[parameters('workspace-location')]", "tags": { @@ -960,7 +961,7 @@ }, { "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[concat(variables('huntingQueryTemplateSpecName7'),'/',variables('huntingQueryVersion7'))]", "location": "[parameters('workspace-location')]", "tags": { 
@@ -971,7 +972,7 @@ "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName7'))]" ], "properties": { - "description": "BoxUserDownloadsByVolume_HuntingQueries Hunting Query with template version 2.0.1", + "description": "BoxUserDownloadsByVolume_HuntingQueries Hunting Query with template version 2.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion7')]", @@ -1038,7 +1039,7 @@ }, { "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[variables('huntingQueryTemplateSpecName8')]", "location": "[parameters('workspace-location')]", "tags": { @@ -1052,7 +1053,7 @@ }, { "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[concat(variables('huntingQueryTemplateSpecName8'),'/',variables('huntingQueryVersion8'))]", "location": "[parameters('workspace-location')]", "tags": { @@ -1063,7 +1064,7 @@ "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName8'))]" ], "properties": { - "description": "BoxUserGroupChanges_HuntingQueries Hunting Query with template version 2.0.1", + "description": "BoxUserGroupChanges_HuntingQueries Hunting Query with template version 2.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion8')]", @@ -1130,7 +1131,7 @@ }, { "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[variables('huntingQueryTemplateSpecName9')]", "location": "[parameters('workspace-location')]", "tags": { 
@@ -1144,7 +1145,7 @@ }, { "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[concat(variables('huntingQueryTemplateSpecName9'),'/',variables('huntingQueryVersion9'))]", "location": "[parameters('workspace-location')]", "tags": { @@ -1155,7 +1156,7 @@ "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName9'))]" ], "properties": { - "description": "BoxUserUploadsByVolume_HuntingQueries Hunting Query with template version 2.0.1", + "description": "BoxUserUploadsByVolume_HuntingQueries Hunting Query with template version 2.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion9')]", @@ -1222,7 +1223,7 @@ }, { "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[variables('huntingQueryTemplateSpecName10')]", "location": "[parameters('workspace-location')]", "tags": { @@ -1236,7 +1237,7 @@ }, { "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[concat(variables('huntingQueryTemplateSpecName10'),'/',variables('huntingQueryVersion10'))]", "location": "[parameters('workspace-location')]", "tags": { @@ -1247,7 +1248,7 @@ "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName10'))]" ], "properties": { - "description": "BoxUsersWithOwnerPermissions_HuntingQueries Hunting Query with template version 2.0.1", + "description": "BoxUsersWithOwnerPermissions_HuntingQueries Hunting Query with template version 2.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion10')]", 
@@ -1314,7 +1315,7 @@ }, { "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "tags": { @@ -1328,7 +1329,7 @@ }, { "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", "location": "[parameters('workspace-location')]", "tags": { @@ -1339,7 +1340,7 @@ "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" ], "properties": { - "description": "Box data connector with template version 2.0.1", + "description": "Box data connector with template version 2.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -1355,7 +1356,7 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId1')]", - "title": "Box (using Azure Function)", + "title": "Box (using Azure Functions)", "publisher": "Box", "descriptionMarkdown": "The Box data connector provides the capability to ingest [Box enterprise's events](https://developer.box.com/guides/events/#admin-events) into Microsoft Sentinel using the Box REST API. Refer to [Box documentation](https://developer.box.com/guides/events/enterprise-events/for-enterprise/) for more information.", "additionalRequirementBanner": "This connector depends on a parser based on Kusto Function to work as expected [**BoxEvents**](https://aka.ms/sentinel-BoxDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.", 
@@ -1435,7 +1436,7 @@ "description": ">**NOTE:** This connector depends on a parser based on Kusto Function to work as expected [**BoxEvents**](https://aka.ms/sentinel-BoxDataConnector-parser) which is deployed with the Microsoft Sentinel Solution." }, { - "description": "**STEP 1 - Configuration of the Box events collection**\n\nSee documentation to [setup JWT authentication](https://developer.box.com/guides/applications/custom-apps/jwt-setup/) and [obtain JSON file with credentials](https://developer.box.com/guides/authentication/jwt/with-sdk/#prerequisites)." + "description": "**STEP 1 - Configuration of the Box events collection**\n\nSee documentation to [setup JWT authentication](https://developer.box.com/guides/authentication/jwt/jwt-setup/) and [obtain JSON file with credentials](https://developer.box.com/guides/authentication/jwt/with-sdk/#prerequisites)." }, { "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Box data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Box JSON configuration file, readily available.", @@ -1546,7 +1547,7 @@ "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "Box (using Azure Function)", + "title": "Box (using Azure Functions)", "publisher": "Box", "descriptionMarkdown": "The Box data connector provides the capability to ingest [Box enterprise's events](https://developer.box.com/guides/events/#admin-events) into Microsoft Sentinel using the Box REST API. Refer to [Box documentation](https://developer.box.com/guides/events/enterprise-events/for-enterprise/) for more information.", "graphQueries": [ 
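Review bot: The STEP 1 text in hunk `@@ -1435,7 +1436,7 @@` (and its duplicate at `@@ -1625,7 +1626,7 @@`) fixes the link but still does not tell the operator that the JSON file Box produces for JWT authentication carries the application's private key, passphrase and client secret, so it must be handled as a credential rather than a config file. A single sentence after the links would close the gap, e.g. `Treat the downloaded JSON as a secret: it contains the app's private key and client secret, so store it in a secret store and never commit it.` Since the same string appears in both connector definitions, keep the two copies in sync.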
@@ -1625,7 +1626,7 @@ "description": ">**NOTE:** This connector depends on a parser based on Kusto Function to work as expected [**BoxEvents**](https://aka.ms/sentinel-BoxDataConnector-parser) which is deployed with the Microsoft Sentinel Solution." }, { - "description": "**STEP 1 - Configuration of the Box events collection**\n\nSee documentation to [setup JWT authentication](https://developer.box.com/guides/applications/custom-apps/jwt-setup/) and [obtain JSON file with credentials](https://developer.box.com/guides/authentication/jwt/with-sdk/#prerequisites)." + "description": "**STEP 1 - Configuration of the Box events collection**\n\nSee documentation to [setup JWT authentication](https://developer.box.com/guides/authentication/jwt/jwt-setup/) and [obtain JSON file with credentials](https://developer.box.com/guides/authentication/jwt/with-sdk/#prerequisites)." }, { "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Box data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Box JSON configuration file, readily available.", @@ -1672,7 +1673,7 @@ }, { "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[variables('analyticRuleTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "tags": { @@ -1686,7 +1687,7 @@ }, { "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", + "apiVersion": "2022-02-01", "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]", "location": "[parameters('workspace-location')]", "tags": { 
@@ -1697,7 +1698,7 @@
 "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
 ],
 "properties": {
- "description": "BoxAbnormalUserActivity_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "BoxAbnormalUserActivity_AnalyticalRules Analytics Rule with template version 2.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion1')]",
@@ -1725,15 +1726,18 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "BoxDataConnector",
 "dataTypes": [
 "BoxEvents_CL"
- ]
+ ],
+ "connectorId": "BoxDataConnector"
 }
 ],
 "tactics": [
 "Collection"
 ],
+ "techniques": [
+ "T1530"
+ ],
 "entityMappings": [
 {
 "fieldMappings": [
@@ -1780,7 +1784,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[variables('analyticRuleTemplateSpecName2')]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -1794,7 +1798,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -1805,7 +1809,7 @@
 "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
 ],
 "properties": {
- "description": "BoxBinaryFile_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "BoxBinaryFile_AnalyticalRules Analytics Rule with template version 2.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion2')]",
@@ -1833,15 +1837,18 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "BoxDataConnector",
 "dataTypes": [
 "BoxEvents_CL"
- ]
+ ],
+ "connectorId": "BoxDataConnector"
 }
 ],
 "tactics": [
 "InitialAccess"
 ],
+ "techniques": [
+ "T1189"
+ ],
 "entityMappings": [
 {
 "fieldMappings": [
@@ -1888,7 +1895,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[variables('analyticRuleTemplateSpecName3')]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -1902,7 +1909,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -1913,7 +1920,7 @@
 "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]"
 ],
 "properties": {
- "description": "BoxDownloadForbiddenFiles_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "BoxDownloadForbiddenFiles_AnalyticalRules Analytics Rule with template version 2.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion3')]",
@@ -1941,15 +1948,18 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "BoxDataConnector",
 "dataTypes": [
 "BoxEvents_CL"
- ]
+ ],
+ "connectorId": "BoxDataConnector"
 }
 ],
 "tactics": [
 "InitialAccess"
 ],
+ "techniques": [
+ "T1189"
+ ],
 "entityMappings": [
 {
 "fieldMappings": [
@@ -2005,7 +2015,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[variables('analyticRuleTemplateSpecName4')]",
 "location": "[parameters('workspace-location')]",
 "tags": {
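Review bot: The `techniques` value `T1189` added for BoxBinaryFile (hunk `@@ -1833`) and BoxDownloadForbiddenFiles (hunk `@@ -1941`) reads as a loose fit: T1189 is Drive-by Compromise, while the rule names describe a binary landing in, or a forbidden file type being pulled from, a Box tenant, which the ATT&CK coverage view will now attribute to web-based initial access. It does sit under the listed `InitialAccess` tactic, so the template validates; the question is whether that is the intended mapping, and the same check applies to the other `techniques` additions in this diff (T1530, T1078, T1537, T1485, T1048), each of which is consistent with its tactic. This mainTemplate.json appears to be packaging output, so the mapping should be confirmed and, if needed, corrected in the rule YAMLs' `relevantTechniques` (the files Solution_Box.json lists) rather than here, otherwise the next package build would reintroduce it.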
@@ -2019,7 +2029,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -2030,7 +2040,7 @@
 "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]"
 ],
 "properties": {
- "description": "BoxInactiveUserLogin_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "BoxInactiveUserLogin_AnalyticalRules Analytics Rule with template version 2.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion4')]",
@@ -2058,15 +2068,18 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "BoxDataConnector",
 "dataTypes": [
 "BoxEvents_CL"
- ]
+ ],
+ "connectorId": "BoxDataConnector"
 }
 ],
 "tactics": [
 "InitialAccess"
 ],
+ "techniques": [
+ "T1078"
+ ],
 "entityMappings": [
 {
 "fieldMappings": [
@@ -2113,7 +2126,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[variables('analyticRuleTemplateSpecName5')]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -2127,7 +2140,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -2138,7 +2151,7 @@
 "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]"
 ],
 "properties": {
- "description": "BoxItemSharedToExternalUser_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "BoxItemSharedToExternalUser_AnalyticalRules Analytics Rule with template version 2.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion5')]",
@@ -2166,15 +2179,18 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "BoxDataConnector",
 "dataTypes": [
 "BoxEvents_CL"
- ]
+ ],
+ "connectorId": "BoxDataConnector"
 }
 ],
 "tactics": [
 "Exfiltration"
 ],
+ "techniques": [
+ "T1537"
+ ],
 "entityMappings": [
 {
 "fieldMappings": [
@@ -2221,7 +2237,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[variables('analyticRuleTemplateSpecName6')]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -2235,7 +2251,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -2246,7 +2262,7 @@
 "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]"
 ],
 "properties": {
- "description": "BoxMultipleItemsDeletedByUser_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "BoxMultipleItemsDeletedByUser_AnalyticalRules Analytics Rule with template version 2.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion6')]",
@@ -2274,15 +2290,18 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "BoxDataConnector",
 "dataTypes": [
 "BoxEvents_CL"
- ]
+ ],
+ "connectorId": "BoxDataConnector"
 }
 ],
 "tactics": [
 "Impact"
 ],
+ "techniques": [
+ "T1485"
+ ],
 "entityMappings": [
 {
 "fieldMappings": [
@@ -2329,7 +2348,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[variables('analyticRuleTemplateSpecName7')]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -2343,7 +2362,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -2354,7 +2373,7 @@
 "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]"
 ],
 "properties": {
- "description": "BoxNewExternalUser_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "BoxNewExternalUser_AnalyticalRules Analytics Rule with template version 2.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion7')]",
@@ -2382,16 +2401,19 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "BoxDataConnector",
 "dataTypes": [
 "BoxEvents_CL"
- ]
+ ],
+ "connectorId": "BoxDataConnector"
 }
 ],
 "tactics": [
 "InitialAccess",
 "Persistence"
 ],
+ "techniques": [
+ "T1078"
+ ],
 "entityMappings": [
 {
 "fieldMappings": [
@@ -2447,7 +2469,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[variables('analyticRuleTemplateSpecName8')]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -2461,7 +2483,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -2472,7 +2494,7 @@
 "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]"
 ],
 "properties": {
- "description": "BoxSensitiveFile_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "BoxSensitiveFile_AnalyticalRules Analytics Rule with template version 2.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion8')]",
@@ -2500,15 +2522,18 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "BoxDataConnector",
 "dataTypes": [
 "BoxEvents_CL"
- ]
+ ],
+ "connectorId": "BoxDataConnector"
 }
 ],
 "tactics": [
 "Exfiltration"
 ],
+ "techniques": [
+ "T1048"
+ ],
 "entityMappings": [
 {
 "fieldMappings": [
@@ -2564,7 +2589,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[variables('analyticRuleTemplateSpecName9')]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -2578,7 +2603,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -2589,7 +2614,7 @@
 "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]"
 ],
 "properties": {
- "description": "BoxUserLoginAsAdmin_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "BoxUserLoginAsAdmin_AnalyticalRules Analytics Rule with template version 2.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion9')]",
@@ -2617,15 +2642,18 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "BoxDataConnector",
 "dataTypes": [
 "BoxEvents_CL"
- ]
+ ],
+ "connectorId": "BoxDataConnector"
 }
 ],
 "tactics": [
 "PrivilegeEscalation"
 ],
+ "techniques": [
+ "T1078"
+ ],
 "entityMappings": [
 {
 "fieldMappings": [
@@ -2681,7 +2709,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[variables('analyticRuleTemplateSpecName10')]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -2695,7 +2723,7 @@
 },
 {
 "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
+ "apiVersion": "2022-02-01",
 "name": "[concat(variables('analyticRuleTemplateSpecName10'),'/',variables('analyticRuleVersion10'))]",
 "location": "[parameters('workspace-location')]",
 "tags": {
@@ -2706,7 +2734,7 @@
 "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]"
 ],
 "properties": {
- "description": "BoxUserRoleChangedToOwner_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "BoxUserRoleChangedToOwner_AnalyticalRules Analytics Rule with template version 2.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion10')]",
@@ -2734,15 +2762,18 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "BoxDataConnector",
 "dataTypes": [
 "BoxEvents_CL"
- ]
+ ],
+ "connectorId": "BoxDataConnector"
 }
 ],
 "tactics": [
 "PrivilegeEscalation"
 ],
+ "techniques": [
+ "T1078"
+ ],
 "entityMappings": [
 {
 "fieldMappings": [
@@ -2792,7 +2823,7 @@
 "apiVersion": "2022-01-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "2.0.1",
+ "version": "2.0.2",
 "kind": "Solution",
 "contentSchemaVersion": "2.0.0",
 "contentId": "[variables('_solutionId')]",