diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Netclean_Incidents_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Netclean_Incidents_CL.json
index b504aec6fd7..cda78d933c1 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/Netclean_Incidents_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Netclean_Incidents_CL.json
@@ -1,189 +1,265 @@
{
"Name": "Netclean_Incidents_CL",
"Properties": [
- {
- "Name": "TenantId",
- "type": "string"
- },
- {
- "Name": "SourceSystem",
- "type": "string"
- },
- {
- "Name": "MG",
- "type": "Guid"
- },
- {
- "Name": "ManagementGroupName",
- "type": "string"
- },
- {
- "Name": "TimeGenerated",
- "type": "datetime"
- },
- {
- "Name": "Computer",
- "type": "string"
- },
- {
- "Name": "RawData",
- "type": "string"
- },
- {
- "Name": "Hostname_s",
- "type": "string"
- },
- {
- "Name": "agentType_s",
- "type": "string"
- },
- {
- "Name": "Identifier_g",
- "type": "string"
- },
- {
- "Name": "type_s",
- "type": "string"
- },
- {
- "Name": "version_s",
- "type": "string"
- },
- {
- "Name": "foundTime_t",
- "type": "datetime"
- },
- {
- "Name": "detectionMethod_s",
- "type": "string"
- },
- {
- "Name": "agentInformatonIdentifier_s",
- "type": "string"
- },
- {
- "Name": "osVersion_s",
- "type": "string"
- },
- {
- "Name": "machineName_s",
- "type": "string"
- },
- {
- "Name": "microsoftCultureId_s",
- "type": "string"
- },
- {
- "Name": "timeZoneId_s",
- "type": "string"
- },
- {
- "Name": "microsoftGeoId_s",
- "type": "string"
- },
- {
- "Name": "domainname_s",
- "type": "string"
- },
- {
- "Name": "Agentversion_s",
- "type": "string"
- },
- {
- "Name": "Agentidentifier_g",
- "type": "string"
- },
- {
- "Name": "loggedOnUsers_s",
- "type": "string"
- },
- {
- "Name": "size_s",
- "type": "string"
- },
- {
- "Name": "creationTime_t",
- "type": "datetime"
- },
- {
- "Name": "lastAccessTime_t",
- "type": "datetime"
- },
- {
- "Name": "lastWriteTime_t",
- "type": "datetime"
- },
- {
- "Name": "sha1_s",
- "type": "string"
- },
- {
- "Name": "nearbyFiles_sha1_s",
- "type": "string"
- },
- {
- "Name": "externalIP_s",
- "type": "string"
- },
- {
- "Name": "domain_s",
- "type": "string"
- },
- {
- "Name": "hasCollectedNearbyFiles_s",
- "type": "string"
- },
- {
- "Name": "filePath_s",
- "type": "string"
- },
- {
- "Name": "m365WebUrl_s",
- "type": "string"
- },
- {
- "Name": "m365CreatedBymail_s",
- "type": "string"
- },
- {
- "Name": "m365LastModifiedByMail_s",
- "type": "string"
- },
- {
- "Name": "m365LibraryId_s",
- "type": "string"
- },
- {
- "Name": "m365LibraryDisplayName_s",
- "type": "string"
- },
- {
- "Name": "m365Librarytype_s",
- "type": "string"
- },
- {
- "Name": "m365siteid_s",
- "type": "string"
- },
- {
- "Name": "m365sitedisplayName_s",
- "type": "string"
- },
- {
- "Name": "m365sitename_s",
- "type": "string"
- },
- {
- "Name": "countOfAllNearByFiles_s",
- "type": "string"
- },
- {
- "Name": "Type",
- "type": "string"
- },
- {
- "Name": "_ResourceId",
- "type": "string"
- }
-]
-}
+ {
+ "Name": "TenantId",
+ "type": "string"
+ },
+ {
+ "Name": "SourceSystem",
+ "type": "string"
+ },
+ {
+ "Name": "MG",
+ "type": "Guid"
+ },
+ {
+ "Name": "ManagementGroupName",
+ "type": "string"
+ },
+ {
+ "Name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "Name": "Computer",
+ "type": "string"
+ },
+ {
+ "Name": "RawData",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_createdBy_graphIdentity_user_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_createdBy_graphIdentity_application_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_lastModifiedBy_graphIdentity_user_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_lastModifiedBy_graphIdentity_application_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_microsoft365_id_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_microsoft365_name_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_microsoft365_mimeType_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_microsoft365_parent_id_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_microsoft365_parent_name_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_microsoft365_parent_path_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_microsoft365_webUrl_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_microsoft365_library_id_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_microsoft365_library_displayName_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_microsoft365_library_type_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_microsoft365_site_id_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_microsoft365_site_displayName_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_microsoft365_site_name_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_owner_computerUser_username_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_owner_computerUser_domain_s",
+ "type": "string"
+ },
+ {
+ "Name": "schemaVersion_s",
+ "type": "string"
+ },
+ {
+ "Name": "key_type_s",
+ "type": "string"
+ },
+ {
+ "Name": "key_identifier_g",
+ "type": "string"
+ },
+ {
+ "Name": "value_foundTime_t",
+ "type": "string"
+ },
+ {
+ "Name": "value_identifier_g",
+ "type": "string"
+ },
+ {
+ "Name": "value_incidentVersion_d",
+ "type": "number"
+ },
+ {
+ "Name": "value_device_identifier_d",
+ "type": "string"
+ },
+ {
+ "Name": "value_device_operatingSystem_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_device_operatingSystemVersion_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_device_machineName_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_device_microsoftCultureId_d",
+ "type": "string"
+ },
+ {
+ "Name": "value_device_microsoftGeoId_d",
+ "type": "string"
+ },
+ {
+ "Name": "value_device_timeZoneName_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_device_networkInterfaces_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_device_loggedOnUsers_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_device_accessingProcesses_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_agent_type_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_agent_version_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_path_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_size_d",
+ "type": "number"
+ },
+ {
+ "Name": "value_file_creationTime_t",
+ "type": "datetime"
+ },
+ {
+ "Name": "value_file_lastAccessTime_t",
+ "type": "datetime"
+ },
+ {
+ "Name": "value_file_lastModifiedTime_t",
+ "type": "datetime"
+ },
+ {
+ "Name": "value_file_calculatedHashes_sha1_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_calculatedHashes_pdna_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_diskDrive_diskType_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_diskDrive_diskModelNumber_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_diskDrive_diskSerialNumber_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_diskDrive_volumeSerialNumber_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_diskDrive_mountPoint_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_signature_hashes_sha1_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_signature_hashes_md5_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_signature_hashes_pdna_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_file_nearbyFiles_s",
+ "type": "array"
+ },
+ {
+ "Name": "value_detectionHashType_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_incidentType_source_s",
+ "type": "string"
+ },
+ {
+ "Name": "value_incidentType_isDemo_b",
+ "type": "boolean"
+ },
+ {
+ "Name": "Type",
+ "type": "string"
+ },
+ {
+ "Name": "_ResourceId",
+ "type": "string"
+ }
+ ]
+}
\ No newline at end of file
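Review bot: `value_foundTime_t` is declared `"type": "string"` while every other `_t` column in the new schema (`value_file_creationTime_t`, `value_file_lastAccessTime_t`, `value_file_lastModifiedTime_t`, and `TimeGenerated`) is `datetime`, so a parser or detection query that compares this field against `TimeGenerated` or applies datetime arithmetic to it would validate against the wrong type; the entry should read `"type": "datetime"`. The same suffix/type mismatch applies to `value_device_identifier_d`, `value_device_microsoftCultureId_d` and `value_device_microsoftGeoId_d`, which carry the `_d` suffix but are typed `string` whereas `value_incidentVersion_d` and `value_file_size_d` are `number`; if the source really emits these as numeric they should be `number` as well, and if not, the names are misleading and worth a comment in the accompanying parser. `value_file_nearbyFiles_s` is typed `"array"`, a value no other entry in the file uses (the rest are `string`, `number`, `boolean`, `datetime`, `Guid`); whether the KQL validation tooling recognises `array` is not visible here, and given the `_s` suffix a `string` column holding the serialised list seems the more likely shape, so please confirm against a real ingested record before relying on it. The file is also written without a trailing newline, which the repository's other fixtures presumably have.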
diff --git a/Sample Data/Custom/Netclean_Incidents_CL.json b/Sample Data/Custom/Netclean_Incidents_CL.json
index bf39d1c36c9..fa882824a82 100644
--- a/Sample Data/Custom/Netclean_Incidents_CL.json
+++ b/Sample Data/Custom/Netclean_Incidents_CL.json
@@ -1,2162 +1,279 @@
[
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:54:34.306 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": 8,
- "sha1_s": "9dd32ac721317d5b8122f8e729dd1cdcaba25629",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img2.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "9dd32ac721317d5b8122f8e729dd1cdcaba25629,f81bb3cd3cf07934a48cca4e855039f969ec9ef6,1d32c57f7130bdd80be9e4566381627dfd3ef3fe,e173d7ee8648bdfcca20cbcfc0688ea61e76276b,",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": "True",
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "75980766-7430-4cd0-a078-72f977b5cc6d",
- "type_s": "demoIncident",
- "version_s": 12,
- "foundTime_t [UTC]": "3/21/2023, 8:59:54.236 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "75980766-7430-4cd0-a078-72f977b5cc6d",
- "loggedOnUsers_s": "UMFD-0'@'Font Driver Host|DWM-2'@'Window Manager|DWM-2'@'Window Manager|UMFD-1'@'Font Driver Host|DWM-1'@'Window Manager|Administrator'@'HOST1|HOST1$'@'WORKGROUP|LOCAL SERVICE'@'NT AUTHORITY|UMFD-2'@'Font Driver Host|Administrator'@'HOST1|DWM-1'@'Window Manager|",
- "size_s": 210444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 8:57:57.415 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.958 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 7:36:18.056 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img3.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "f81bb3cd3cf07934a48cca4e855039f969ec9ef6,,e173d7ee8648bdfcca20cbcfc0688ea61e76276b,9dd32ac721317d5b8122f8e729dd1cdcaba25629,,,1d32c57f7130bdd80be9e4566381627dfd3ef3fe,,",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": "True",
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "bdef228d-80fa-40c8-a602-f836346274f8",
- "type_s": "demoIncident",
- "version_s": 12,
- "foundTime_t [UTC]": "3/20/2023, 8:08:08.935 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "bdef228d-80fa-40c8-a602-f836346274f8",
- "loggedOnUsers_s": "Administrator'@'HOST1|HOST1$'@'WORKGROUP|DWM-2'@'Window Manager|UMFD-2'@'Font Driver Host|LOCAL SERVICE'@'NT AUTHORITY|DWM-1'@'Window Manager|DWM-1'@'Window Manager|UMFD-0'@'Font Driver Host|DWM-2'@'Window Manager|Administrator'@'HOST1|UMFD-1'@'Font Driver Host|",
- "size_s": 200444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 7:57:38.458 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.970 PM",
- "md5_s": "b2d75d006dd52e19bc0be7571f9c500ddfa64094",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 8:14:22.405 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "f81bb3cd3cf07934a48cca4e855039f969ec9ef6",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img3.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "e173d7ee8648bdfcca20cbcfc0688ea61e76276b,f81bb3cd3cf07934a48cca4e855039f969ec9ef6,9dd32ac721317d5b8122f8e729dd1cdcaba25629,1d32c57f7130bdd80be9e4566381627dfd3ef3fe,,,,,",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": "True",
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "bdef228d-80fa-40c8-a602-f836346274f8",
- "type_s": "demoIncident",
- "version_s": 12,
- "foundTime_t [UTC]": "3/20/2023, 8:08:08.935 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "bdef228d-80fa-40c8-a602-f836346274f8",
- "loggedOnUsers_s": "DWM-1'@'Window Manager|HOST1$'@'WORKGROUP|Administrator'@'HOST1|DWM-2'@'Window Manager|LOCAL SERVICE'@'NT AUTHORITY|UMFD-2'@'Font Driver Host|UMFD-1'@'Font Driver Host|DWM-2'@'Window Manager|UMFD-0'@'Font Driver Host|Administrator'@'HOST1|DWM-1'@'Window Manager|",
- "size_s": 200444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 7:57:38.458 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.970 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 8:15:43.039 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "e173d7ee8648bdfcca20cbcfc0688ea61e76276b",
- "m365filePath_s": "",
- "m365WebUrl_s": "https://DEMO-my.sharepoint.com/personal/DEMO_DEMO_onmicrosoft_com/Documents/bilder/IMG1.jpg",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "b!iX-86uc3QkqYPC_eb22843801f7b20d197911613680a9167a17666b",
- "m365LibraryDisplayName_s": "OneDrive",
- "m365Librarytype_s": "user",
- "m365siteid_s": "DEMO-my.sharepoint.com,e48fabbd84177996c9c1419cdea4b21dc4899925",
- "m365sitedisplayName_s": "DEMO DEMO",
- "m365sitename_s": "",
- "filePath_s": "/drives/b!iX-86uc3QkqYPC_eb22843801f7b20d197911613680a9167a17666b/root:/bilder/IMG1.jpg",
- "agentType_s": "microsoft365",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": "",
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": "",
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "microsoft365",
- "Identifier_g": "ebcd8124-27b4-416c-8ca7-45011691b9dc",
- "type_s": "demoIncident",
- "version_s": 1,
- "foundTime_t [UTC]": "3/21/2023, 7:58:08.922 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "",
- "machineName_s": "microsoft365",
- "microsoftCultureId_s": "",
- "timeZoneId_s": "",
- "microsoftGeoId_s": "",
- "domainname_s": "",
- "Agentversion_s": "22.4.0.0",
- "Agentidentifier_g": "ebcd8124-27b4-416c-8ca7-45011691b9dc",
- "loggedOnUsers_s": "",
- "size_s": 230341,
- "creationTime_t [UTC]": "2/3/2023, 2:29:10.000 PM",
- "lastAccessTime_t [UTC]": "",
- "lastWriteTime_t [UTC]": "3/21/2023, 7:56:07.000 AM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:00:32.610 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "e173d7ee8648bdfcca20cbcfc0688ea61e76276b",
- "m365filePath_s": "",
- "m365WebUrl_s": "https://DEMO-my.sharepoint.com/personal/DEMO_DEMO_onmicrosoft_com/Documents/bilder/IMG1.jpg",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "b!iX-86uc3QkqYPC_eb22843801f7b20d197911613680a9167a17666b",
- "m365LibraryDisplayName_s": "OneDrive",
- "m365Librarytype_s": "user",
- "m365siteid_s": "DEMO-my.sharepoint.com,e48fabbd84177996c9c1419cdea4b21dc4899925",
- "m365sitedisplayName_s": "DEMO DEMO",
- "m365sitename_s": "",
- "filePath_s": "/drives/b!iX-86uc3QkqYPC_eb22843801f7b20d197911613680a9167a17666b/root:/bilder/IMG1.jpg",
- "agentType_s": "microsoft365",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": "",
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "microsoft365",
- "Identifier_g": "ebcd8124-27b4-416c-8ca7-45011691b9dc",
- "type_s": "demoIncident",
- "version_s": 1,
- "foundTime_t [UTC]": "3/21/2023, 7:58:08.922 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "",
- "machineName_s": "microsoft365",
- "microsoftCultureId_s": "",
- "timeZoneId_s": "",
- "microsoftGeoId_s": "",
- "domainname_s": "",
- "Agentversion_s": "22.4.0.0",
- "Agentidentifier_g": "ebcd8124-27b4-416c-8ca7-45011691b9dc",
- "loggedOnUsers_s": "",
- "size_s": 230341,
- "creationTime_t [UTC]": "2/3/2023, 2:29:10.000 PM",
- "lastAccessTime_t [UTC]": "",
- "lastWriteTime_t [UTC]": "3/21/2023, 7:56:07.000 AM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:02:26.672 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "9dd32ac721317d5b8122f8e729dd1cdcaba25629",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img2.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "type_s": "demoIncident",
- "version_s": 2,
- "foundTime_t [UTC]": "3/21/2023, 8:57:47.344 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "loggedOnUsers_s": "UMFD-1'@'Font Driver Host|DWM-2'@'Window Manager|DWM-1'@'Window Manager|UMFD-2'@'Font Driver Host|Administrator'@'HOST1|Administrator'@'HOST1|LOCAL SERVICE'@'NT AUTHORITY|HOST1$'@'WORKGROUP|DWM-1'@'Window Manager|DWM-2'@'Window Manager|UMFD-0'@'Font Driver Host|",
- "size_s": 210444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 8:57:57.415 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.958 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:03:31.402 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "9dd32ac721317d5b8122f8e729dd1cdcaba25629",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img2.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "type_s": "demoIncident",
- "version_s": 2,
- "foundTime_t [UTC]": "3/21/2023, 8:57:47.344 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "loggedOnUsers_s": "DWM-1'@'Window Manager|DWM-2'@'Window Manager|UMFD-1'@'Font Driver Host|DWM-2'@'Window Manager|Administrator'@'HOST1|UMFD-0'@'Font Driver Host|Administrator'@'HOST1|HOST1$'@'WORKGROUP|LOCAL SERVICE'@'NT AUTHORITY|DWM-1'@'Window Manager|UMFD-2'@'Font Driver Host|",
- "size_s": 210444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 8:57:57.415 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.958 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:03:34.589 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "9dd32ac721317d5b8122f8e729dd1cdcaba25629",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img2.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "type_s": "demoIncident",
- "version_s": 2,
- "foundTime_t [UTC]": "3/21/2023, 8:57:47.344 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "loggedOnUsers_s": "Administrator'@'HOST1|HOST1$'@'WORKGROUP|UMFD-0'@'Font Driver Host|DWM-2'@'Window Manager|DWM-2'@'Window Manager|Administrator'@'HOST1|UMFD-2'@'Font Driver Host|LOCAL SERVICE'@'NT AUTHORITY|UMFD-1'@'Font Driver Host|DWM-1'@'Window Manager|DWM-1'@'Window Manager|",
- "size_s": 210444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 8:57:57.415 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.958 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:03:42.038 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "9dd32ac721317d5b8122f8e729dd1cdcaba25629",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img2.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "type_s": "demoIncident",
- "version_s": 2,
- "foundTime_t [UTC]": "3/21/2023, 8:57:47.344 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "loggedOnUsers_s": "LOCAL SERVICE'@'NT AUTHORITY|DWM-1'@'Window Manager|UMFD-2'@'Font Driver Host|Administrator'@'HOST1|DWM-2'@'Window Manager|HOST1$'@'WORKGROUP|UMFD-1'@'Font Driver Host|UMFD-0'@'Font Driver Host|DWM-1'@'Window Manager|Administrator'@'HOST1|DWM-2'@'Window Manager|",
- "size_s": 210444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 8:57:57.415 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.958 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:03:42.288 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "9dd32ac721317d5b8122f8e729dd1cdcaba25629",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img2.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "type_s": "demoIncident",
- "version_s": 2,
- "foundTime_t [UTC]": "3/21/2023, 8:57:47.344 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "loggedOnUsers_s": "DWM-1'@'Window Manager|UMFD-1'@'Font Driver Host|DWM-2'@'Window Manager|DWM-1'@'Window Manager|HOST1$'@'WORKGROUP|DWM-2'@'Window Manager|Administrator'@'HOST1|LOCAL SERVICE'@'NT AUTHORITY|Administrator'@'HOST1|UMFD-2'@'Font Driver Host|UMFD-0'@'Font Driver Host|",
- "size_s": 210444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 8:57:57.415 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.958 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:03:42.964 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "9dd32ac721317d5b8122f8e729dd1cdcaba25629",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img2.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "type_s": "demoIncident",
- "version_s": 2,
- "foundTime_t [UTC]": "3/21/2023, 8:57:47.344 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "loggedOnUsers_s": "LOCAL SERVICE'@'NT AUTHORITY|UMFD-0'@'Font Driver Host|Administrator'@'HOST1|HOST1$'@'WORKGROUP|UMFD-1'@'Font Driver Host|UMFD-2'@'Font Driver Host|DWM-2'@'Window Manager|DWM-1'@'Window Manager|DWM-1'@'Window Manager|DWM-2'@'Window Manager|Administrator'@'HOST1|",
- "size_s": 210444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 8:57:57.415 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.958 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:03:43.182 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "9dd32ac721317d5b8122f8e729dd1cdcaba25629",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img2.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "type_s": "demoIncident",
- "version_s": 1,
- "foundTime_t [UTC]": "3/21/2023, 8:57:47.344 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": "",
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": "",
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "loggedOnUsers_s": "Administrator'@'HOST1|UMFD-1'@'Font Driver Host|DWM-1'@'Window Manager|LOCAL SERVICE'@'NT AUTHORITY|UMFD-0'@'Font Driver Host|DWM-1'@'Window Manager|Administrator'@'HOST1|DWM-2'@'Window Manager|UMFD-2'@'Font Driver Host|HOST1$'@'WORKGROUP|DWM-2'@'Window Manager|",
- "size_s": 210444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 8:57:57.415 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.958 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:03:44.054 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "9dd32ac721317d5b8122f8e729dd1cdcaba25629",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img2.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "type_s": "demoIncident",
- "version_s": 2,
- "foundTime_t [UTC]": "3/21/2023, 8:57:47.344 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "loggedOnUsers_s": "HOST1$'@'WORKGROUP|Administrator'@'HOST1|UMFD-2'@'Font Driver Host|Administrator'@'HOST1|UMFD-0'@'Font Driver Host|LOCAL SERVICE'@'NT AUTHORITY|UMFD-1'@'Font Driver Host|DWM-1'@'Window Manager|DWM-2'@'Window Manager|DWM-1'@'Window Manager|DWM-2'@'Window Manager|",
- "size_s": 210444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 8:57:57.415 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.958 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:03:44.461 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "9dd32ac721317d5b8122f8e729dd1cdcaba25629",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img2.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "type_s": "demoIncident",
- "version_s": 2,
- "foundTime_t [UTC]": "3/21/2023, 8:57:47.344 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "loggedOnUsers_s": "DWM-2'@'Window Manager|DWM-1'@'Window Manager|DWM-2'@'Window Manager|UMFD-1'@'Font Driver Host|LOCAL SERVICE'@'NT AUTHORITY|DWM-1'@'Window Manager|UMFD-0'@'Font Driver Host|UMFD-2'@'Font Driver Host|HOST1$'@'WORKGROUP|Administrator'@'HOST1|Administrator'@'HOST1|",
- "size_s": 210444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 8:57:57.415 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.958 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 8:15:03.665 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "e173d7ee8648bdfcca20cbcfc0688ea61e76276b",
- "m365filePath_s": "",
- "m365WebUrl_s": "https://DEMO-my.sharepoint.com/personal/DEMO_DEMO_onmicrosoft_com/Documents/bilder/IMG1.jpg",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "b!iX-86uc3QkqYPC_eb22843801f7b20d197911613680a9167a17666b",
- "m365LibraryDisplayName_s": "OneDrive",
- "m365Librarytype_s": "user",
- "m365siteid_s": "DEMO-my.sharepoint.com,e48fabbd84177996c9c1419cdea4b21dc4899925",
- "m365sitedisplayName_s": "DEMO DEMO",
- "m365sitename_s": "",
- "filePath_s": "/drives/b!iX-86uc3QkqYPC_eb22843801f7b20d197911613680a9167a17666b/root:/bilder/IMG1.jpg",
- "agentType_s": "microsoft365",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": "",
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": "",
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "demoIncident",
- "Identifier_g": "ebcd8124-27b4-416c-8ca7-45011691b9dc",
- "type_s": "demoIncident",
- "version_s": 1,
- "foundTime_t [UTC]": "3/21/2023, 7:58:08.922 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "",
- "machineName_s": "demoIncident",
- "microsoftCultureId_s": "",
- "timeZoneId_s": "",
- "microsoftGeoId_s": "",
- "domainname_s": "",
- "Agentversion_s": "22.4.0.0",
- "Agentidentifier_g": "ebcd8124-27b4-416c-8ca7-45011691b9dc",
- "loggedOnUsers_s": "",
- "size_s": 230341,
- "creationTime_t [UTC]": "2/3/2023, 2:29:10.000 PM",
- "lastAccessTime_t [UTC]": "",
- "lastWriteTime_t [UTC]": "3/21/2023, 7:56:07.000 AM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:43:00.175 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "9dd32ac721317d5b8122f8e729dd1cdcaba25629",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img2.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": "True",
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "75980766-7430-4cd0-a078-72f977b5cc6d",
- "type_s": "demoIncident",
- "version_s": 12,
- "foundTime_t [UTC]": "3/21/2023, 8:59:54.236 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "75980766-7430-4cd0-a078-72f977b5cc6d",
- "loggedOnUsers_s": "UMFD-0'@'Font Driver Host|DWM-1'@'Window Manager|DWM-1'@'Window Manager|Administrator'@'HOST1|UMFD-2'@'Font Driver Host|Administrator'@'HOST1|DWM-2'@'Window Manager|DWM-2'@'Window Manager|UMFD-1'@'Font Driver Host|HOST1$'@'WORKGROUP|LOCAL SERVICE'@'NT AUTHORITY|",
- "size_s": 210444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 8:57:57.415 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.958 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 10:02:32.116 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": 8,
- "sha1_s": "f81bb3cd3cf07934a48cca4e855039f969ec9ef6",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img3.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "f81bb3cd3cf07934a48cca4e855039f969ec9ef6,e173d7ee8648bdfcca20cbcfc0688ea61e76276b,9dd32ac721317d5b8122f8e729dd1cdcaba25629,1d32c57f7130bdd80be9e4566381627dfd3ef3fe,",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": "True",
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "00fdc39d-c6d6-465a-ad70-58976c927756",
- "type_s": "demoIncident",
- "version_s": 12,
- "foundTime_t [UTC]": "3/21/2023, 10:00:40.236 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "00fdc39d-c6d6-465a-ad70-58976c927756",
- "loggedOnUsers_s": "HOST1$'@'WORKGROUP|UMFD-1'@'Font Driver Host|LOCAL SERVICE'@'NT AUTHORITY|DWM-2'@'Window Manager|DWM-2'@'Window Manager|DWM-1'@'Window Manager|DWM-1'@'Window Manager|UMFD-0'@'Font Driver Host|Administrator'@'HOST1|Administrator'@'HOST1|UMFD-2'@'Font Driver Host|",
- "size_s": 200444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 7:57:38.458 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.970 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:03:46.613 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "9dd32ac721317d5b8122f8e729dd1cdcaba25629",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img2.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "type_s": "demoIncident",
- "version_s": 2,
- "foundTime_t [UTC]": "3/21/2023, 8:57:47.344 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "loggedOnUsers_s": "UMFD-1'@'Font Driver Host|UMFD-0'@'Font Driver Host|DWM-1'@'Window Manager|Administrator'@'HOST1|Administrator'@'HOST1|DWM-1'@'Window Manager|HOST1$'@'WORKGROUP|DWM-2'@'Window Manager|UMFD-2'@'Font Driver Host|LOCAL SERVICE'@'NT AUTHORITY|DWM-2'@'Window Manager|",
- "size_s": 210444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 8:57:57.415 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.958 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:45:11.955 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "9dd32ac721317d5b8122f8e729dd1cdcaba25629",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img2.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "f81bb3cd3cf07934a48cca4e855039f969ec9ef6,e173d7ee8648bdfcca20cbcfc0688ea61e76276b,9dd32ac721317d5b8122f8e729dd1cdcaba25629,1d32c57f7130bdd80be9e4566381627dfd3ef3fe,",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": "True",
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "75980766-7430-4cd0-a078-72f977b5cc6d",
- "type_s": "demoIncident",
- "version_s": 12,
- "foundTime_t [UTC]": "3/21/2023, 8:59:54.236 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "75980766-7430-4cd0-a078-72f977b5cc6d",
- "loggedOnUsers_s": "Administrator'@'HOST1|DWM-2'@'Window Manager|LOCAL SERVICE'@'NT AUTHORITY|DWM-2'@'Window Manager|DWM-1'@'Window Manager|UMFD-0'@'Font Driver Host|UMFD-1'@'Font Driver Host|HOST1$'@'WORKGROUP|DWM-1'@'Window Manager|UMFD-2'@'Font Driver Host|Administrator'@'HOST1|",
- "size_s": 210444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 8:57:57.415 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.958 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:03:48.583 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "9dd32ac721317d5b8122f8e729dd1cdcaba25629",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img2.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "75980766-7430-4cd0-a078-72f977b5cc6d",
- "type_s": "demoIncident",
- "version_s": 1,
- "foundTime_t [UTC]": "3/21/2023, 8:59:54.236 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "75980766-7430-4cd0-a078-72f977b5cc6d",
- "loggedOnUsers_s": "DWM-2'@'Window Manager|UMFD-1'@'Font Driver Host|UMFD-2'@'Font Driver Host|HOST1$'@'WORKGROUP|Administrator'@'HOST1|DWM-1'@'Window Manager|DWM-2'@'Window Manager|LOCAL SERVICE'@'NT AUTHORITY|DWM-1'@'Window Manager|UMFD-0'@'Font Driver Host|Administrator'@'HOST1|",
- "size_s": 210444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 8:57:57.415 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.958 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:03:48.269 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "f81bb3cd3cf07934a48cca4e855039f969ec9ef6",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img3.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "ce37f581-c410-49bd-a8c6-a88fe085cb71",
- "type_s": "demoIncident",
- "version_s": 1,
- "foundTime_t [UTC]": "3/21/2023, 8:59:53.945 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "ce37f581-c410-49bd-a8c6-a88fe085cb71",
- "loggedOnUsers_s": "DWM-2'@'Window Manager|UMFD-1'@'Font Driver Host|Administrator'@'HOST1|DWM-2'@'Window Manager|Administrator'@'HOST1|HOST1$'@'WORKGROUP|UMFD-2'@'Font Driver Host|DWM-1'@'Window Manager|DWM-1'@'Window Manager|UMFD-0'@'Font Driver Host|LOCAL SERVICE'@'NT AUTHORITY|",
- "size_s": 200444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 7:57:38.458 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.970 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 1:59:15.435 PM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": 0,
- "sha1_s": "e173d7ee8648bdfcca20cbcfc0688ea61e76276b",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img4.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "f301c00d-b8f3-4659-bdb3-581b5b747eca",
- "type_s": "demoIncident",
- "version_s": 1,
- "foundTime_t [UTC]": "3/21/2023, 1:58:58.282 PM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "f301c00d-b8f3-4659-bdb3-581b5b747eca",
- "loggedOnUsers_s": "DWM-2'@'Window Manager|UMFD-2'@'Font Driver Host|Administrator'@'HOST1|HOST1$'@'WORKGROUP|Administrator'@'HOST1|DWM-2'@'Window Manager|LOCAL SERVICE'@'NT AUTHORITY|UMFD-0'@'Font Driver Host|DWM-1'@'Window Manager|DWM-1'@'Window Manager|UMFD-1'@'Font Driver Host|",
- "size_s": 230341,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/21/2022, 10:16:37.106 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.970 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:03:50.536 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "9dd32ac721317d5b8122f8e729dd1cdcaba25629",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img2.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "75980766-7430-4cd0-a078-72f977b5cc6d",
- "type_s": "demoIncident",
- "version_s": 2,
- "foundTime_t [UTC]": "3/21/2023, 8:59:54.236 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "75980766-7430-4cd0-a078-72f977b5cc6d",
- "loggedOnUsers_s": "UMFD-2'@'Font Driver Host|DWM-1'@'Window Manager|Administrator'@'HOST1|DWM-1'@'Window Manager|DWM-2'@'Window Manager|DWM-2'@'Window Manager|Administrator'@'HOST1|HOST1$'@'WORKGROUP|UMFD-1'@'Font Driver Host|UMFD-0'@'Font Driver Host|LOCAL SERVICE'@'NT AUTHORITY|",
- "size_s": 210444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 8:57:57.415 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.958 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 1:59:16.387 PM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": 0,
- "sha1_s": "e173d7ee8648bdfcca20cbcfc0688ea61e76276b",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img4.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "f301c00d-b8f3-4659-bdb3-581b5b747eca",
- "type_s": "demoIncident",
- "version_s": 2,
- "foundTime_t [UTC]": "3/21/2023, 1:58:58.282 PM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "f301c00d-b8f3-4659-bdb3-581b5b747eca",
- "loggedOnUsers_s": "UMFD-0'@'Font Driver Host|UMFD-2'@'Font Driver Host|UMFD-1'@'Font Driver Host|Administrator'@'HOST1|DWM-2'@'Window Manager|HOST1$'@'WORKGROUP|DWM-1'@'Window Manager|Administrator'@'HOST1|DWM-2'@'Window Manager|DWM-1'@'Window Manager|LOCAL SERVICE'@'NT AUTHORITY|",
- "size_s": 230341,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/21/2022, 10:16:37.106 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.970 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:03:53.688 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "9dd32ac721317d5b8122f8e729dd1cdcaba25629",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img2.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "e173d7ee8648bdfcca20cbcfc0688ea61e76276b,1d32c57f7130bdd80be9e4566381627dfd3ef3fe,9dd32ac721317d5b8122f8e729dd1cdcaba25629,,,,f81bb3cd3cf07934a48cca4e855039f969ec9ef6,,",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": "True",
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "type_s": "demoIncident",
- "version_s": 12,
- "foundTime_t [UTC]": "3/21/2023, 8:57:47.344 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "8ed00029-910b-4f3c-8301-1c8cf048e2c3",
- "loggedOnUsers_s": "DWM-2'@'Window Manager|DWM-2'@'Window Manager|DWM-1'@'Window Manager|DWM-1'@'Window Manager|UMFD-0'@'Font Driver Host|UMFD-1'@'Font Driver Host|Administrator'@'HOST1|Administrator'@'HOST1|HOST1$'@'WORKGROUP|UMFD-2'@'Font Driver Host|LOCAL SERVICE'@'NT AUTHORITY|",
- "size_s": 210444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 8:57:57.415 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.958 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:03:54.780 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "f81bb3cd3cf07934a48cca4e855039f969ec9ef6",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img3.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": ",f81bb3cd3cf07934a48cca4e855039f969ec9ef6,1d32c57f7130bdd80be9e4566381627dfd3ef3fe,e173d7ee8648bdfcca20cbcfc0688ea61e76276b,,9dd32ac721317d5b8122f8e729dd1cdcaba25629,,,",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": "True",
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "ce37f581-c410-49bd-a8c6-a88fe085cb71",
- "type_s": "demoIncident",
- "version_s": 12,
- "foundTime_t [UTC]": "3/21/2023, 8:59:53.945 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "ce37f581-c410-49bd-a8c6-a88fe085cb71",
- "loggedOnUsers_s": "DWM-1'@'Window Manager|HOST1$'@'WORKGROUP|Administrator'@'HOST1|DWM-2'@'Window Manager|UMFD-1'@'Font Driver Host|UMFD-0'@'Font Driver Host|DWM-1'@'Window Manager|UMFD-2'@'Font Driver Host|LOCAL SERVICE'@'NT AUTHORITY|DWM-2'@'Window Manager|Administrator'@'HOST1|",
- "size_s": 200444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 7:57:38.458 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.970 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 1:59:32.903 PM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": 8,
- "sha1_s": "e173d7ee8648bdfcca20cbcfc0688ea61e76276b",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img4.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "e173d7ee8648bdfcca20cbcfc0688ea61e76276b,1d32c57f7130bdd80be9e4566381627dfd3ef3fe,9dd32ac721317d5b8122f8e729dd1cdcaba25629,f81bb3cd3cf07934a48cca4e855039f969ec9ef6,",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": "True",
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "f301c00d-b8f3-4659-bdb3-581b5b747eca",
- "type_s": "demoIncident",
- "version_s": 12,
- "foundTime_t [UTC]": "3/21/2023, 1:58:58.282 PM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "f301c00d-b8f3-4659-bdb3-581b5b747eca",
- "loggedOnUsers_s": "DWM-1'@'Window Manager|LOCAL SERVICE'@'NT AUTHORITY|UMFD-2'@'Font Driver Host|UMFD-1'@'Font Driver Host|DWM-2'@'Window Manager|UMFD-0'@'Font Driver Host|HOST1$'@'WORKGROUP|DWM-2'@'Window Manager|DWM-1'@'Window Manager|Administrator'@'HOST1|Administrator'@'HOST1|",
- "size_s": 230341,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/21/2022, 10:16:37.106 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.970 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:03:55.086 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "f81bb3cd3cf07934a48cca4e855039f969ec9ef6",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img3.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "ce37f581-c410-49bd-a8c6-a88fe085cb71",
- "type_s": "demoIncident",
- "version_s": 2,
- "foundTime_t [UTC]": "3/21/2023, 8:59:53.945 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "ce37f581-c410-49bd-a8c6-a88fe085cb71",
- "loggedOnUsers_s": "DWM-2'@'Window Manager|UMFD-0'@'Font Driver Host|LOCAL SERVICE'@'NT AUTHORITY|HOST1$'@'WORKGROUP|Administrator'@'HOST1|UMFD-1'@'Font Driver Host|UMFD-2'@'Font Driver Host|Administrator'@'HOST1|DWM-1'@'Window Manager|DWM-1'@'Window Manager|DWM-2'@'Window Manager|",
- "size_s": 200444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 7:57:38.458 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.970 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 9:03:57.989 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": "",
- "sha1_s": "9dd32ac721317d5b8122f8e729dd1cdcaba25629",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img2.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": ",,1d32c57f7130bdd80be9e4566381627dfd3ef3fe,9dd32ac721317d5b8122f8e729dd1cdcaba25629,,e173d7ee8648bdfcca20cbcfc0688ea61e76276b,,f81bb3cd3cf07934a48cca4e855039f969ec9ef6,",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": "True",
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "75980766-7430-4cd0-a078-72f977b5cc6d",
- "type_s": "demoIncident",
- "version_s": 12,
- "foundTime_t [UTC]": "3/21/2023, 8:59:54.236 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "75980766-7430-4cd0-a078-72f977b5cc6d",
- "loggedOnUsers_s": "UMFD-1'@'Font Driver Host|DWM-1'@'Window Manager|Administrator'@'HOST1|DWM-2'@'Window Manager|DWM-2'@'Window Manager|UMFD-0'@'Font Driver Host|HOST1$'@'WORKGROUP|DWM-1'@'Window Manager|LOCAL SERVICE'@'NT AUTHORITY|Administrator'@'HOST1|UMFD-2'@'Font Driver Host|",
- "size_s": 210444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 8:57:57.415 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.958 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 10:02:18.544 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": 0,
- "sha1_s": "f81bb3cd3cf07934a48cca4e855039f969ec9ef6",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img3.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "00fdc39d-c6d6-465a-ad70-58976c927756",
- "type_s": "demoIncident",
- "version_s": 1,
- "foundTime_t [UTC]": "3/21/2023, 10:00:40.236 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "00fdc39d-c6d6-465a-ad70-58976c927756",
- "loggedOnUsers_s": "DWM-1'@'Window Manager|DWM-1'@'Window Manager|UMFD-0'@'Font Driver Host|DWM-2'@'Window Manager|UMFD-2'@'Font Driver Host|Administrator'@'HOST1|Administrator'@'HOST1|UMFD-1'@'Font Driver Host|HOST1$'@'WORKGROUP|LOCAL SERVICE'@'NT AUTHORITY|DWM-2'@'Window Manager|",
- "size_s": 200444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 7:57:38.458 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.970 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 10:02:19.918 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": 0,
- "sha1_s": "f81bb3cd3cf07934a48cca4e855039f969ec9ef6",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img3.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "00fdc39d-c6d6-465a-ad70-58976c927756",
- "type_s": "demoIncident",
- "version_s": 1,
- "foundTime_t [UTC]": "3/21/2023, 10:00:40.236 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "00fdc39d-c6d6-465a-ad70-58976c927756",
- "loggedOnUsers_s": "DWM-1'@'Window Manager|LOCAL SERVICE'@'NT AUTHORITY|DWM-2'@'Window Manager|DWM-2'@'Window Manager|DWM-1'@'Window Manager|UMFD-0'@'Font Driver Host|HOST1$'@'WORKGROUP|Administrator'@'HOST1|Administrator'@'HOST1|UMFD-2'@'Font Driver Host|UMFD-1'@'Font Driver Host|",
- "size_s": 200444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 7:57:38.458 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.970 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 10:02:23.043 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": 0,
- "sha1_s": "f81bb3cd3cf07934a48cca4e855039f969ec9ef6",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img3.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "00fdc39d-c6d6-465a-ad70-58976c927756",
- "type_s": "demoIncident",
- "version_s": 1,
- "foundTime_t [UTC]": "3/21/2023, 10:00:40.236 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "00fdc39d-c6d6-465a-ad70-58976c927756",
- "loggedOnUsers_s": "Administrator'@'HOST1|UMFD-1'@'Font Driver Host|DWM-1'@'Window Manager|UMFD-0'@'Font Driver Host|DWM-1'@'Window Manager|UMFD-2'@'Font Driver Host|DWM-2'@'Window Manager|HOST1$'@'WORKGROUP|Administrator'@'HOST1|DWM-2'@'Window Manager|LOCAL SERVICE'@'NT AUTHORITY|",
- "size_s": 200444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 7:57:38.458 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.970 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 10:02:23.997 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": 0,
- "sha1_s": "f81bb3cd3cf07934a48cca4e855039f969ec9ef6",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img3.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "00fdc39d-c6d6-465a-ad70-58976c927756",
- "type_s": "demoIncident",
- "version_s": 2,
- "foundTime_t [UTC]": "3/21/2023, 10:00:40.236 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "00fdc39d-c6d6-465a-ad70-58976c927756",
- "loggedOnUsers_s": "Administrator'@'HOST1|Administrator'@'HOST1|UMFD-1'@'Font Driver Host|DWM-1'@'Window Manager|DWM-2'@'Window Manager|LOCAL SERVICE'@'NT AUTHORITY|UMFD-2'@'Font Driver Host|UMFD-0'@'Font Driver Host|DWM-1'@'Window Manager|DWM-2'@'Window Manager|HOST1$'@'WORKGROUP|",
- "size_s": 200444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 7:57:38.458 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.970 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/21/2023, 10:02:21.963 AM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": 0,
- "sha1_s": "f81bb3cd3cf07934a48cca4e855039f969ec9ef6",
- "m365filePath_s": "",
- "m365WebUrl_s": "",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "",
- "m365LibraryDisplayName_s": "",
- "m365Librarytype_s": "",
- "m365siteid_s": "",
- "m365sitedisplayName_s": "",
- "m365sitename_s": "",
- "filePath_s": "C:\\Users\\Administrator\\Downloads\\test-images\\img3.jpg",
- "agentType_s": "computer",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": 1,
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "BUILTIN",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "HOST1",
- "Identifier_g": "00fdc39d-c6d6-465a-ad70-58976c927756",
- "type_s": "demoIncident",
- "version_s": 1,
- "foundTime_t [UTC]": "3/21/2023, 10:00:40.236 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "Windows Server 2022 Standard 2009",
- "machineName_s": "HOST1",
- "microsoftCultureId_s": 1033,
- "timeZoneId_s": "Pacific Standard Time",
- "microsoftGeoId_s": 244,
- "domainname_s": "BUILTIN",
- "Agentversion_s": "22.1.1.0",
- "Agentidentifier_g": "00fdc39d-c6d6-465a-ad70-58976c927756",
- "loggedOnUsers_s": "DWM-2'@'Window Manager|UMFD-2'@'Font Driver Host|UMFD-0'@'Font Driver Host|Administrator'@'HOST1|UMFD-1'@'Font Driver Host|Administrator'@'HOST1|DWM-1'@'Window Manager|DWM-1'@'Window Manager|DWM-2'@'Window Manager|LOCAL SERVICE'@'NT AUTHORITY|HOST1$'@'WORKGROUP|",
- "size_s": 200444,
- "creationTime_t [UTC]": "4/5/2019, 9:36:38.000 PM",
- "lastAccessTime_t [UTC]": "11/1/2022, 7:57:38.458 AM",
- "lastWriteTime_t [UTC]": "10/31/2022, 2:14:25.970 PM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/22/2023, 12:50:32.877 PM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": 0,
- "sha1_s": "e173d7ee8648bdfcca20cbcfc0688ea61e76276b",
- "m365filePath_s": "",
- "m365WebUrl_s": "https://DEMO-my.sharepoint.com/personal/DEMO_DEMO_onmicrosoft_com/Documents/bilder/IMG1.jpg",
- "m365CreatedBymail_s": "sanitized@sanitized.com",
- "m365LastModifiedByMail_s": "sanitized@sanitized.com",
- "m365LibraryId_s": "b!iX-86uc3QkqYPC_eb22843801f7b20d197911613680a9167a17666b",
- "m365LibraryDisplayName_s": "OneDrive",
- "m365Librarytype_s": "user",
- "m365siteid_s": "DEMO-my.sharepoint.com,e48fabbd84177996c9c1419cdea4b21dc4899925",
- "m365sitedisplayName_s": "DEMO DEMO",
- "m365sitename_s": "",
- "filePath_s": "/drives/b!iX-86uc3QkqYPC_eb22843801f7b20d197911613680a9167a17666b/root:/bilder/IMG1.jpg",
- "agentType_s": "microsoft365",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": "",
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "OneDrive",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "microsoft365",
- "Identifier_g": "ebcd8124-27b4-416c-8ca7-45011691b9dc",
- "type_s": "demoIncident",
- "version_s": 1,
- "foundTime_t [UTC]": "3/21/2023, 7:58:08.922 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "",
- "machineName_s": "microsoft365",
- "microsoftCultureId_s": "",
- "timeZoneId_s": "",
- "microsoftGeoId_s": "",
- "domainname_s": "OneDrive",
- "Agentversion_s": "22.4.0.0",
- "Agentidentifier_g": "ebcd8124-27b4-416c-8ca7-45011691b9dc",
- "loggedOnUsers_s": "",
- "size_s": 230341,
- "creationTime_t [UTC]": "2/3/2023, 2:29:10.000 PM",
- "lastAccessTime_t [UTC]": "",
- "lastWriteTime_t [UTC]": "3/21/2023, 7:56:07.000 AM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- },
- {
- "TenantId": "1111a111-b11b-111c-1111-e111e1e1e111",
- "SourceSystem": "RestAPI",
- "MG": "",
- "ManagementGroupName": "",
- "TimeGenerated [UTC]": "3/22/2023, 12:31:01.861 PM",
- "Computer": "",
- "RawData": "",
- "countOfAllNearByFiles_s": 0,
- "sha1_s": "e173d7ee8648bdfcca20cbcfc0688ea61e76276b",
- "m365filePath_s": "",
- "m365WebUrl_s": "https://DEMO-my.sharepoint.com/personal/DEMO_DEMO_onmicrosoft_com/Documents/bilder/IMG1.jpg",
- "m365CreatedBymail_s": "",
- "m365LastModifiedByMail_s": "",
- "m365LibraryId_s": "b!iX-86uc3QkqYPC_eb22843801f7b20d197911613680a9167a17666b",
- "m365LibraryDisplayName_s": "OneDrive",
- "m365Librarytype_s": "user",
- "m365siteid_s": "DEMO-my.sharepoint.com,e48fabbd84177996c9c1419cdea4b21dc4899925",
- "m365sitedisplayName_s": "DEMO DEMO",
- "m365sitename_s": "",
- "filePath_s": "/drives/b!iX-86uc3QkqYPC_eb22843801f7b20d197911613680a9167a17666b/root:/bilder/IMG1.jpg",
- "agentType_s": "microsoft365",
- "nearbyFiles_sha1_s": "",
- "Identifier_s": "",
- "foundTime_s": "",
- "creationTime_s": "",
- "lastAccessTime_s": "",
- "lastWriteTime_s": "",
- "agentInformatonIdentifier_s": "",
- "Agentidentifier_s": "",
- "triggerSource_s": "",
- "domain_s": "OneDrive",
- "domainName_s": "",
- "hasCollectedNearbyFiles_s": false,
- "externalIP_s": "",
- "nearbyFiles_md5s_s": "",
- "Hostname_s": "microsoft365",
- "Identifier_g": "ebcd8124-27b4-416c-8ca7-45011691b9dc",
- "type_s": "demoIncident",
- "version_s": 1,
- "foundTime_t [UTC]": "3/21/2023, 7:58:08.922 AM",
- "detectionMethod_s": "sha1",
- "agentInformatonIdentifier_g": "",
- "osVersion_s": "",
- "machineName_s": "microsoft365",
- "microsoftCultureId_s": "",
- "timeZoneId_s": "",
- "microsoftGeoId_s": "",
- "domainname_s": "OneDrive",
- "Agentversion_s": "22.4.0.0",
- "Agentidentifier_g": "ebcd8124-27b4-416c-8ca7-45011691b9dc",
- "loggedOnUsers_s": "",
- "size_s": 230341,
- "creationTime_t [UTC]": "2/3/2023, 2:29:10.000 PM",
- "lastAccessTime_t [UTC]": "",
- "lastWriteTime_t [UTC]": "3/21/2023, 7:56:07.000 AM",
- "md5_s": "",
- "Type": "Netclean_Incidents_CL",
- "_ResourceId": ""
- }
- ]
\ No newline at end of file
+ {
+ "value_identifier_g": "617463dfb3bf328e1396e75e5c81dc19",
+ "max_version": 1,
+ "TenantId": "4430d249e0adb1060186b4611274f5f5",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "12/19/2024, 2:56:30.656 PM",
+ "Computer": "",
+ "RawData": "",
+ "value_file_createdBy_graphIdentity_user_s": {
+ "mail": "sanitized@sanitized.com",
+ "id": "e8cd9e083d766411f257df3fc3d9ce6b",
+ "displayName": "John test"
+ },
+ "value_file_createdBy_graphIdentity_application_s": {
+ "id": "73e5abb26b5b944ab880dfd44a025bc9",
+ "displayName": "SharePoint Online Client Extensibility"
+ },
+ "value_file_lastModifiedBy_graphIdentity_user_s": {
+ "mail": "sanitized@sanitized.com",
+ "id": "e8cd9e083d766411f257df3fc3d9ce6b",
+ "displayName": "John test"
+ },
+ "value_file_lastModifiedBy_graphIdentity_application_s": {
+ "id": "73e5abb26b5b944ab880dfd44a025bc9",
+ "displayName": "SharePoint Online Client Extensibility"
+ },
+ "value_file_microsoft365_id_s": "beaf8470d38fa4ded493a3efd8a3d0d6",
+ "value_file_microsoft365_name_s": "image2.jpg",
+ "value_file_microsoft365_mimeType_s": "image/jpeg",
+ "value_file_microsoft365_parent_id_s": "fbeb1d40f58dede7b0910d1df2b269f8",
+ "value_file_microsoft365_parent_name_s": "Documents",
+ "value_file_microsoft365_parent_path_s": "/drives/b!38cb9016ce34a363a4bbcc2d5e002b92/root:",
+ "value_file_microsoft365_webUrl_s": "https://onmicrosoft_com/Documents/image2.jpg",
+ "value_file_microsoft365_library_id_s": "b!38cb9016ce34a363a4bbcc2d5e002b92",
+ "value_file_microsoft365_library_displayName_s": "OneDrive",
+ "value_file_microsoft365_library_type_s": "user",
+ "value_file_microsoft365_site_id_s": "test-my.sharepoint.com5fe770255b1109472b2ba858de11eada,5dce3069835f10522bb0a1d070f8fa10",
+ "value_file_microsoft365_site_displayName_s": "John test",
+ "value_file_microsoft365_site_name_s": "John test",
+ "value_file_owner_computerUser_username_s": "",
+ "value_file_owner_computerUser_domain_s": "",
+ "schemaVersion_s": "2.0.0",
+ "key_type_s": "demoIncident",
+ "key_identifier_g": "617463dfb3bf328e1396e75e5c81dc19",
+ "value_foundTime_t [UTC]": "12/19/2024, 2:56:14.598 PM",
+ "value_identifier_g1": "617463dfb3bf328e1396e75e5c81dc19",
+ "value_incidentVersion_d": 1,
+ "value_device_identifier_d": "",
+ "value_device_operatingSystem_s": "",
+ "value_device_operatingSystemVersion_s": "",
+ "value_device_machineName_s": "",
+ "value_device_microsoftCultureId_d": "",
+ "value_device_microsoftGeoId_d": "",
+ "value_device_timeZoneName_s": "",
+ "value_device_networkInterfaces_s": "",
+ "value_device_loggedOnUsers_s": "",
+ "value_device_accessingProcesses_s": "",
+ "value_agent_type_s": "microsoft365",
+ "value_agent_version_s": "24.4.2.0",
+ "value_file_path_s": "/drives/b!38cb9016ce34a363a4bbcc2d5e002b92/root:/image2.jpg",
+ "value_file_size_d": 152766,
+ "value_file_creationTime_t [UTC]": "12/19/2024, 2:56:12.000 PM",
+ "value_file_lastAccessTime_t [UTC]": "",
+ "value_file_lastModifiedTime_t [UTC]": "12/19/2024, 2:56:12.000 PM",
+ "value_file_calculatedHashes_sha1_s": "60bd0668b526870a6e61d8053d23d961=",
+ "value_file_calculatedHashes_pdna_s": "",
+ "value_file_diskDrive_diskType_s": "",
+ "value_file_diskDrive_diskModelNumber_s": "",
+ "value_file_diskDrive_diskSerialNumber_s": "",
+ "value_file_diskDrive_volumeSerialNumber_s": "",
+ "value_file_diskDrive_mountPoint_s": "",
+ "value_file_signature_hashes_sha1_s": "60bd0668b526870a6e61d8053d23d961=",
+ "value_file_signature_hashes_md5_s": "bae4e2fae7443c5c57b2582b21004f64==",
+ "value_file_signature_hashes_pdna_s": "4636e1ea32dd9c31835ba93e8bdd4889",
+ "value_file_nearbyFiles_s": [],
+ "value_detectionHashType_s": "nchash",
+ "value_incidentType_source_s": "onaccess",
+ "value_incidentType_isDemo_b": true,
+ "Type": "Netclean_Incidents_CL",
+ "_ResourceId": ""
+ },
+ {
+ "value_identifier_g": "1b3e0545a2f5d20baf87688574c922a8",
+ "max_version": 12,
+ "TenantId": "4430d249e0adb1060186b4611274f5f5",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "12/19/2024, 2:52:37.470 PM",
+ "Computer": "",
+ "RawData": "",
+ "value_file_createdBy_graphIdentity_user_s": "",
+ "value_file_createdBy_graphIdentity_application_s": "",
+ "value_file_lastModifiedBy_graphIdentity_user_s": "",
+ "value_file_lastModifiedBy_graphIdentity_application_s": "",
+ "value_file_microsoft365_id_s": "",
+ "value_file_microsoft365_name_s": "",
+ "value_file_microsoft365_mimeType_s": "",
+ "value_file_microsoft365_parent_id_s": "",
+ "value_file_microsoft365_parent_name_s": "",
+ "value_file_microsoft365_parent_path_s": "",
+ "value_file_microsoft365_webUrl_s": "",
+ "value_file_microsoft365_library_id_s": "",
+ "value_file_microsoft365_library_displayName_s": "",
+ "value_file_microsoft365_library_type_s": "",
+ "value_file_microsoft365_site_id_s": "",
+ "value_file_microsoft365_site_displayName_s": "",
+ "value_file_microsoft365_site_name_s": "",
+ "value_file_owner_computerUser_username_s": "Administrators",
+ "value_file_owner_computerUser_domain_s": "BUILTIN",
+ "schemaVersion_s": "2.0.0",
+ "key_type_s": "demoIncident",
+ "key_identifier_g": "1b3e0545a2f5d20baf87688574c922a8",
+ "value_foundTime_t [UTC]": "12/6/2024, 5:01:40.605 PM",
+ "value_identifier_g1": "1b3e0545a2f5d20baf87688574c922a8",
+ "value_incidentVersion_d": 12,
+ "value_device_identifier_d": 10,
+ "value_device_operatingSystem_s": "windows",
+ "value_device_operatingSystemVersion_s": "Windows Server 2022 Standard Evaluation 2009",
+ "value_device_machineName_s": "WIN-Test",
+ "value_device_microsoftCultureId_d": 1053,
+ "value_device_microsoftGeoId_d": 221,
+ "value_device_timeZoneName_s": "Pacific Standard Time",
+ "value_device_networkInterfaces_s": [
+ {
+ "description": "Intel(R) 82574L Gigabit Network Connection",
+ "physicalAddress": "FED27CD5E10C",
+ "ipAddresses": [
+ "3e5d:825e:a037:48f9:3b66:ba40:3504:85cb",
+ "77.72.189.210"
+ ]
+ },
+ {
+ "description": "Software Loopback Interface 1",
+ "ipAddresses": [
+ "::1",
+ "127.0.0.1"
+ ]
+ }
+ ],
+ "value_device_loggedOnUsers_s": [
+ {
+ "computerUser": {
+ "username": "DWM-2",
+ "logonTime": "2024-12-06T16:51:22+00:00",
+ "logonType": "interactive",
+ "domain": "Window Manager"
+ }
+ },
+ {
+ "computerUser": {
+ "username": "WIN-Test$",
+ "logonTime": "2024-12-06T16:51:04+00:00",
+ "logonType": "service",
+ "domain": "WORKGROUP"
+ }
+ },
+ {
+ "computerUser": {
+ "username": "UMFD-1",
+ "logonTime": "2024-12-06T16:51:04+00:00",
+ "logonType": "interactive",
+ "domain": "Font Driver Host"
+ }
+ },
+ {
+ "computerUser": {
+ "username": "Administrator",
+ "logonTime": "2024-12-06T16:51:22+00:00",
+ "logonType": "remoteInteractive",
+ "domain": "WIN-Test"
+ }
+ },
+ {
+ "computerUser": {
+ "username": "DWM-2",
+ "logonTime": "2024-12-06T16:51:22+00:00",
+ "logonType": "interactive",
+ "domain": "Window Manager"
+ }
+ },
+ {
+ "computerUser": {
+ "username": "UMFD-2",
+ "logonTime": "2024-12-06T16:51:21+00:00",
+ "logonType": "interactive",
+ "domain": "Font Driver Host"
+ }
+ },
+ {
+ "computerUser": {
+ "username": "LOCAL SERVICE",
+ "logonTime": "2024-12-06T16:51:04+00:00",
+ "logonType": "service",
+ "domain": "NT AUTHORITY"
+ }
+ },
+ {
+ "computerUser": {
+ "username": "DWM-1",
+ "logonTime": "2024-12-06T16:51:04+00:00",
+ "logonType": "interactive",
+ "domain": "Window Manager"
+ }
+ },
+ {
+ "computerUser": {
+ "username": "DWM-1",
+ "logonTime": "2024-12-06T16:51:04+00:00",
+ "logonType": "interactive",
+ "domain": "Window Manager"
+ }
+ },
+ {
+ "computerUser": {
+ "username": "UMFD-0",
+ "logonTime": "2024-12-06T16:51:04+00:00",
+ "logonType": "interactive",
+ "domain": "Font Driver Host"
+ }
+ }
+ ],
+ "value_device_accessingProcesses_s": [
+ {
+ "path": "",
+ "owner": {
+ "computerUser": {
+ "username": "SYSTEM",
+ "domain": "NT AUTHORITY"
+ }
+ }
+ }
+ ],
+ "value_agent_type_s": "computer",
+ "value_agent_version_s": "22.1.1.0",
+ "value_file_path_s": "C:\\Users\\Administrator\\Desktop\\image3.jpg",
+ "value_file_size_d": 397131,
+ "value_file_creationTime_t [UTC]": "5/22/2023, 4:29:48.000 PM",
+ "value_file_lastAccessTime_t [UTC]": "11/21/2024, 7:15:23.170 AM",
+ "value_file_lastModifiedTime_t [UTC]": "11/21/2024, 7:15:21.123 AM",
+ "value_file_calculatedHashes_sha1_s": "8ad6f6ce03897cf0767248c4fe7dbdbb=",
+ "value_file_calculatedHashes_pdna_s": "ec21d9e200624e8f9ce987736d4f52ac",
+ "value_file_diskDrive_diskType_s": "fixed",
+ "value_file_diskDrive_diskModelNumber_s": "QEMU HARDDISK",
+ "value_file_diskDrive_diskSerialNumber_s": "QM00001",
+ "value_file_diskDrive_volumeSerialNumber_s": "16C035EF",
+ "value_file_diskDrive_mountPoint_s": "C:\\",
+ "value_file_signature_hashes_sha1_s": "8ad6f6ce03897cf0767248c4fe7dbdbb=",
+ "value_file_signature_hashes_md5_s": "57912031db55762cd7ec52d387bc9a78g==",
+ "value_file_signature_hashes_pdna_s": "ec21d9e200624e8f9ce987736d4f52ac",
+ "value_file_nearbyFiles_s": [
+ {
+ "fileName": "C:\\Users\\Administrator\\Desktop\\desktop.ini",
+ "isMatch": false
+ },
+ {
+ "fileName": "C:\\Users\\Administrator\\Desktop\\image3.jpg",
+ "isMatch": true,
+ "calculatedHashes": {
+ "sha1": "8ad6f6ce03897cf0767248c4fe7dbdbb=",
+ "md5": "57912031db55762cd7ec52d387bc9a78g==",
+ "pdna": "ec21d9e200624e8f9ce987736d4f52ac"
+ }
+ },
+ {
+ "fileName": "C:\\Users\\Administrator\\Desktop\\Microsoft Edge.lnk",
+ "isMatch": false
+ }
+ ],
+ "value_detectionHashType_s": "nchash",
+ "value_incidentType_source_s": "onaccess",
+ "value_incidentType_isDemo_b": true,
+ "Type": "Netclean_Incidents_CL",
+ "_ResourceId": ""
+ }
+]
\ No newline at end of file
diff --git a/Solutions/NetClean ProActive/Analytic Rules/NetClean_Sentinel_analytic_rule.yaml b/Solutions/NetClean ProActive/Analytic Rules/NetClean_Sentinel_analytic_rule.yaml
index 7ff6347ace1..d6f9649524f 100644
--- a/Solutions/NetClean ProActive/Analytic Rules/NetClean_Sentinel_analytic_rule.yaml
+++ b/Solutions/NetClean ProActive/Analytic Rules/NetClean_Sentinel_analytic_rule.yaml
@@ -18,30 +18,30 @@ tactics:
relevantTechniques:
- T1083
query: |
- Netclean_Incidents_CL | where version_s == 1
+ Netclean_Incidents_CL | where value_incidentVersion_d == 1
entityMappings:
- entityType: FileHash
fieldMappings:
- identifier: Value
- columnName: sha1_s
+ columnName: value_file_calculatedHashes_sha1_s
- identifier: Algorithm
- columnName: detectionMethod_s
+ columnName: value_detectionHashType_s
- entityType: DNS
fieldMappings:
- identifier: DomainName
- columnName: domain_s
+ columnName: value_file_owner_computerUser_domain_s
- entityType: Host
fieldMappings:
- identifier: HostName
- columnName: Hostname_s
+ columnName: value_device_machineName_s
- entityType: IP
fieldMappings:
- identifier: Address
- columnName: externalIP_s
+ columnName: value_device_networkInterfaces_s
alertDetailsOverride:
- alertDisplayNameFormat: NetClean {{agentType_s}} {{type_s}}
- alertDescriptionFormat: A new NetClean {{agentType_s}} {{type_s}} has been Created {{TimeGenerated}}
-version: 1.0.1
+ alertDisplayNameFormat: NetClean {{value_agent_type_s}} {{type_s}}
+ alertDescriptionFormat: A new NetClean {{value_agent_type_s}} {{key_type_s}} has been Created {{TimeGenerated}}
+version: 1.0.2
kind: Scheduled
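Review bot: The two alertDetailsOverride lines disagree on the column that carries the incident type: alertDisplayNameFormat still uses `{{type_s}}` while alertDescriptionFormat was migrated to `{{key_type_s}}`, and every other reference in this hunk (the query and the five entity mappings) was moved to the new prefixed column names, so `type_s` looks like a leftover of the old schema; the same pair is repeated in the mainTemplate.json alertDetailsOverride hunk. Suggested line: `alertDisplayNameFormat: NetClean {{value_agent_type_s}} {{key_type_s}}`. The IP entity is now mapped to `value_device_networkInterfaces_s`, whose name and `_s` suffix suggest a serialised list of interfaces rather than a single address; if that is the case the Address identifier will not resolve to a usable IP entity and a dedicated address column (or a parse step in the query) is needed — worth confirming against the ingested data. It is also worth confirming that the Algorithm identifier receives a value Sentinel recognises, since the sample payload carries `nchash` in value_detectionHashType_s.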
diff --git a/Solutions/NetClean ProActive/Data Connectors/Connector_NetClean.json b/Solutions/NetClean ProActive/Data Connectors/Connector_NetClean.json
index 9f173bf8fca..c3b96d454b0 100644
--- a/Solutions/NetClean ProActive/Data Connectors/Connector_NetClean.json
+++ b/Solutions/NetClean ProActive/Data Connectors/Connector_NetClean.json
@@ -62,7 +62,7 @@
"instructionSteps": [
{
"title": "",
- "description": ">**NOTE:** The data connector relies on Azure Logic Apps to receive and push data to Log Analytics This might result in additional data ingestion costs.\n It's possible to test this without Logic Apps or NetClean Proactive see option 2",
+ "description": ">**NOTE:** NetClean ProActive uses a Webhook to expose incident data, Azure Logic Apps is used to receive and push data to Log Analytics This might result in additional data ingestion costs.\n It's possible to test this without Logic Apps or NetClean Proactive see option 2",
"instructions": [
{
"parameters": {
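Review bot: The rewritten NOTE text in this hunk runs two sentences together without punctuation ("push data to Log Analytics This might result") and mixes "ProActive" and "Proactive" in the same sentence; the identical string is repeated in the two mainTemplate.json instructionSteps hunks, so all three copies should be fixed together. Suggested text: `>**NOTE:** NetClean ProActive exposes incident data through a webhook; Azure Logic Apps receives it and pushes it to Log Analytics, which might result in additional data ingestion costs.\n It's possible to test this without Logic Apps or NetClean ProActive, see option 2`.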
@@ -86,11 +86,11 @@
},
{
- "description" : "1. Download and install the Logic app here:\n https://portal.azure.com/#create/netcleantechnologiesab1651557549734.netcleanlogicappnetcleanproactivelogicapp)\n2. Go to your newly created logic app \n In your Logic app designer, click +New Step and search for “Azure Log Analytics Data Collector” click it and select “Send Data” \n Enter the Custom Log Name: Netclean_Incidents and a dummy value in the Json request body and click save \n Go to code view on the top ribbon and scroll down to line ~100 it should start with \"Body\" \n replace the line entirly with: \n \n \"body\": \"{\\n\\\"Hostname\\\":\\\"@{variables('machineName')}\\\",\\n\\\"agentType\\\":\\\"@{triggerBody()['value']['agent']['type']}\\\",\\n\\\"Identifier\\\":\\\"@{triggerBody()?['key']?['identifier']}\\\",\\n\\\"type\\\":\\\"@{triggerBody()?['key']?['type']}\\\",\\n\\\"version\\\":\\\"@{triggerBody()?['value']?['incidentVersion']}\\\",\\n\\\"foundTime\\\":\\\"@{triggerBody()?['value']?['foundTime']}\\\",\\n\\\"detectionMethod\\\":\\\"@{triggerBody()?['value']?['detectionHashType']}\\\",\\n\\\"agentInformatonIdentifier\\\":\\\"@{triggerBody()?['value']?['device']?['identifier']}\\\",\\n\\\"osVersion\\\":\\\"@{triggerBody()?['value']?['device']?['operatingSystemVersion']}\\\",\\n\\\"machineName\\\":\\\"@{variables('machineName')}\\\",\\n\\\"microsoftCultureId\\\":\\\"@{triggerBody()?['value']?['device']?['microsoftCultureId']}\\\",\\n\\\"timeZoneId\\\":\\\"@{triggerBody()?['value']?['device']?['timeZoneName']}\\\",\\n\\\"microsoftGeoId\\\":\\\"@{triggerBody()?['value']?['device']?['microsoftGeoId']}\\\",\\n\\\"domainname\\\":\\\"@{variables('domain')}\\\",\\n\\\"Agentversion\\\":\\\"@{triggerBody()['value']['agent']['version']}\\\",\\n\\\"Agentidentifier\\\":\\\"@{triggerBody()['value']['identifier']}\\\",\\n\\\"loggedOnUsers\\\":\\\"@{variables('Usernames')}\\\",\\n\\\"size\\\":\\\"@{triggerBody()?['value']?['file']?['size']}\\\",\\n\\\"creationTime\\\":\\\"@{triggerBody()?['value']
?['file']?['creationTime']}\\\",\\n\\\"lastAccessTime\\\":\\\"@{triggerBody()?['value']?['file']?['lastAccessTime']}\\\",\\n\\\"lastWriteTime\\\":\\\"@{triggerBody()?['value']?['file']?['lastModifiedTime']}\\\",\\n\\\"sha1\\\":\\\"@{triggerBody()?['value']?['file']?['calculatedHashes']?['sha1']}\\\",\\n\\\"nearbyFiles_sha1\\\":\\\"@{variables('nearbyFiles_sha1s')}\\\",\\n\\\"externalIP\\\":\\\"@{triggerBody()?['value']?['device']?['resolvedExternalIp']}\\\",\\n\\\"domain\\\":\\\"@{variables('domain')}\\\",\\n\\\"hasCollectedNearbyFiles\\\":\\\"@{variables('hasCollectedNearbyFiles')}\\\",\\n\\\"filePath\\\":\\\"@{replace(triggerBody()['value']['file']['path'], '\\\\', '\\\\\\\\')}\\\",\\n\\\"m365WebUrl\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['webUrl']}\\\",\\n\\\"m365CreatedBymail\\\":\\\"@{triggerBody()?['value']?['file']?['createdBy']?['graphIdentity']?['user']?['mail']}\\\",\\n\\\"m365LastModifiedByMail\\\":\\\"@{triggerBody()?['value']?['file']?['lastModifiedBy']?['graphIdentity']?['user']?['mail']}\\\",\\n\\\"m365LibraryId\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['id']}\\\",\\n\\\"m365LibraryDisplayName\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['displayName']}\\\",\\n\\\"m365Librarytype\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['type']}\\\",\\n\\\"m365siteid\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['site']?['id']}\\\",\\n\\\"m365sitedisplayName\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['site']?['displayName']}\\\",\\n\\\"m365sitename\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['parent']?['name']}\\\",\\n\\\"countOfAllNearByFiles\\\":\\\"@{variables('countOfAllNearByFiles')}\\\",\\n\\n}\", \n click save \n3. Copy the HTTP POST URL\n4. Go to your NetClean ProActive web console, and go to settings, Under Webhook configure a new webhook using the URL copied from step 3 \n 5. 
Verify functionality by triggering a Demo Incident.",
- "title":" Option 1: deploy Logic app (requires NetClean Proactive)"
+ "description" : "1. Create a new logic app\n Use When a HTTP request is recived as the Trigger and save it. It will now have generated a URL that can be used in the ProActive webconsole configuration.\n Add an action:\n Select the Azure Log Analytics Data Collector and choose Send Data\n Enter Connection Name, Workspace ID and Workspace Key, you will find the information needed in your Log Analytics workspace under Settings-->Agents-->Log Analytics agent instructions.\n In JSON Request body add @triggerBody(). in Custom Log Name add Netclean_Incidents.",
+ "title":" Option 1: Logic app"
},
{
- "description":"Ingest data using a api function. please use the script found on\n https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell \nReplace the CustomerId and SharedKey values with your values\nReplace the content in $json variable to the sample data.\nSet the LogType varible to **Netclean_Incidents_CL**\nRun the script",
+ "description":"Ingest data using a api function. please use the script found on\n https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell \nReplace the CustomerId and SharedKey values with your values\nReplace the content in $json variable to the sample data found here: https://github.com/Azure/Azure-Sentinel/blob/master/Sample%20Data/Custom/Netclean_Incidents_CL.json .\nSet the LogType varible to **Netclean_Incidents_CL**\nRun the script",
"title":" Option 2 (Testing only)"
}
],
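Review bot: The new Option 1 step says to put `@triggerBody()` straight into the Send Data request body, which means the whole webhook payload is ingested unmapped and the column names the analytic rule now depends on (`value_incidentVersion_d`, `value_file_calculatedHashes_sha1_s`, `value_device_machineName_s`, ...) are whatever the Data Collector API produces by flattening the vendor payload; the step should say this explicitly and point readers to the sample data file already linked from Option 2 as the reference for the expected column names. The trigger URL that this step tells users to paste into the ProActive web console carries its own access signature, so a sentence such as `The generated URL embeds an access signature; treat it as a credential and do not share it outside the ProActive webhook configuration.` belongs in the instructions. Spelling in the rewritten strings: "recived" should be "received", "webconsole" should be "web console", and in Option 2 "a api function" and "varible" should be "an API function" and "variable". The same two descriptions are duplicated in the corresponding mainTemplate.json hunks.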
diff --git a/Solutions/NetClean ProActive/Data/Solution_NetCleanProActive.json b/Solutions/NetClean ProActive/Data/Solution_NetCleanProActive.json
index 4b1655b73f6..43d698e2777 100644
--- a/Solutions/NetClean ProActive/Data/Solution_NetCleanProActive.json
+++ b/Solutions/NetClean ProActive/Data/Solution_NetCleanProActive.json
@@ -13,7 +13,7 @@
"Workbooks/NetCleanProActiveWorkbook.json"
],
"BasePath": "C:\\git\\Azure-Sentinel\\Solutions\\NetClean ProActive",
- "Version": "3.0.1",
+ "Version": "3.0.2",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
diff --git a/Solutions/NetClean ProActive/Package/3.0.2.zip b/Solutions/NetClean ProActive/Package/3.0.2.zip
new file mode 100644
index 00000000000..4073a27013b
Binary files /dev/null and b/Solutions/NetClean ProActive/Package/3.0.2.zip differ
diff --git a/Solutions/NetClean ProActive/Package/createUiDefinition.json b/Solutions/NetClean ProActive/Package/createUiDefinition.json
index b3ed51fdc08..b92d6882c85 100644
--- a/Solutions/NetClean ProActive/Package/createUiDefinition.json
+++ b/Solutions/NetClean ProActive/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NetClean%20ProActive/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution.\n\nThe [NetClean](https://www.netclean.com/) ProActive for Microsoft Sentinel solution gives you the ability to connect the [NetClean ProActive](https://www.netclean.com/proactive/) Incident logs with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution might take a dependency on the other technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n1. [Azure Logic Apps](https://azure.microsoft.com/services/logic-apps/#overview)\r\n\n OR \r\n\n2. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NetClean%20ProActive/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [NetClean](https://www.netclean.com/) ProActive for Microsoft Sentinel solution gives you the ability to connect the [NetClean ProActive](https://www.netclean.com/proactive/) Incident logs with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution might take a dependency on the other technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n1. [Azure Logic Apps](https://azure.microsoft.com/services/logic-apps/#overview)\r\n\n OR \r\n\n2. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/NetClean ProActive/Package/mainTemplate.json b/Solutions/NetClean ProActive/Package/mainTemplate.json
index 89366cd35bb..d36379da910 100644
--- a/Solutions/NetClean ProActive/Package/mainTemplate.json
+++ b/Solutions/NetClean ProActive/Package/mainTemplate.json
@@ -39,28 +39,29 @@
},
"variables": {
"_solutionName": "NetClean ProActive",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
"solutionId": "netcleantechnologiesab1651557549734.azure-sentinel-solution-netclean-proactive",
"_solutionId": "[variables('solutionId')]",
- "analyticRuleVersion1": "1.0.1",
- "analyticRulecontentId1": "77548170-5c60-42e5-bdac-b0360d0779bb",
- "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
- "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
- "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))),variables('analyticRuleVersion1')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]",
+ "analyticRuleObject1": {
+ "analyticRuleVersion1": "1.0.2",
+ "_analyticRulecontentId1": "77548170-5c60-42e5-bdac-b0360d0779bb",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '77548170-5c60-42e5-bdac-b0360d0779bb')]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('77548170-5c60-42e5-bdac-b0360d0779bb')))]",
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','77548170-5c60-42e5-bdac-b0360d0779bb','-', '1.0.2')))]"
+ },
"uiConfigId1": "Netclean_ProActive_Incidents",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "Netclean_ProActive_Incidents",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))),variables('dataConnectorVersion1')))]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"workbookVersion1": "1.0.0",
"workbookContentId1": "NetCleanProActiveWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
- "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))),variables('workbookVersion1')))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
"_workbookContentId1": "[variables('workbookContentId1')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
@@ -70,30 +71,30 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName1')]",
+ "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NetClean_Sentinel_analytic_rule_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "NetClean_Sentinel_analytic_rule_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion1')]",
+ "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId1')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "NetClean Incident",
"displayName": "NetClean ProActive Incidents",
"enabled": false,
- "query": "Netclean_Incidents_CL | where version_s == 1\n",
+ "query": "Netclean_Incidents_CL | where value_incidentVersion_d == 1\n",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"severity": "High",
@@ -120,11 +121,11 @@
{
"fieldMappings": [
{
- "columnName": "sha1_s",
+ "columnName": "value_file_calculatedHashes_sha1_s",
"identifier": "Value"
},
{
- "columnName": "detectionMethod_s",
+ "columnName": "value_detectionHashType_s",
"identifier": "Algorithm"
}
],
@@ -133,7 +134,7 @@
{
"fieldMappings": [
{
- "columnName": "domain_s",
+ "columnName": "value_file_owner_computerUser_domain_s",
"identifier": "DomainName"
}
],
@@ -142,7 +143,7 @@
{
"fieldMappings": [
{
- "columnName": "Hostname_s",
+ "columnName": "value_device_machineName_s",
"identifier": "HostName"
}
],
@@ -151,7 +152,7 @@
{
"fieldMappings": [
{
- "columnName": "externalIP_s",
+ "columnName": "value_device_networkInterfaces_s",
"identifier": "Address"
}
],
@@ -159,21 +160,21 @@
}
],
"alertDetailsOverride": {
- "alertDisplayNameFormat": "NetClean {{agentType_s}} {{type_s}}",
- "alertDescriptionFormat": "A new NetClean {{agentType_s}} {{type_s}} has been Created {{TimeGenerated}}"
+ "alertDisplayNameFormat": "NetClean {{value_agent_type_s}} {{type_s}}",
+ "alertDescriptionFormat": "A new NetClean {{value_agent_type_s}} {{key_type_s}} has been Created {{TimeGenerated}}"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
"properties": {
"description": "NetClean ProActive Analytics Rule 1",
- "parentId": "[variables('analyticRuleId1')]",
- "contentId": "[variables('_analyticRulecontentId1')]",
+ "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion1')]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"source": {
"kind": "Solution",
"name": "NetClean ProActive",
@@ -196,12 +197,12 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId1')]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"contentKind": "AnalyticsRule",
"displayName": "NetClean ProActive Incidents",
- "contentProductId": "[variables('_analyticRulecontentProductId1')]",
- "id": "[variables('_analyticRulecontentProductId1')]",
- "version": "[variables('analyticRuleVersion1')]"
+ "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
}
},
{
@@ -213,7 +214,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NetClean ProActive data connector with template version 3.0.1",
+ "description": "NetClean ProActive data connector with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -289,7 +290,7 @@
},
"instructionSteps": [
{
- "description": ">**NOTE:** The data connector relies on Azure Logic Apps to receive and push data to Log Analytics This might result in additional data ingestion costs.\n It's possible to test this without Logic Apps or NetClean Proactive see option 2",
+ "description": ">**NOTE:** NetClean ProActive uses a Webhook to expose incident data, Azure Logic Apps is used to receive and push data to Log Analytics This might result in additional data ingestion costs.\n It's possible to test this without Logic Apps or NetClean Proactive see option 2",
"instructions": [
{
"parameters": {
@@ -312,11 +313,11 @@
]
},
{
- "description": "1. Download and install the Logic app here:\n https://portal.azure.com/#create/netcleantechnologiesab1651557549734.netcleanlogicappnetcleanproactivelogicapp)\n2. Go to your newly created logic app \n In your Logic app designer, click +New Step and search for “Azure Log Analytics Data Collector” click it and select “Send Data” \n Enter the Custom Log Name: Netclean_Incidents and a dummy value in the Json request body and click save \n Go to code view on the top ribbon and scroll down to line ~100 it should start with \"Body\" \n replace the line entirly with: \n \n \"body\": \"{\\n\\\"Hostname\\\":\\\"@{variables('machineName')}\\\",\\n\\\"agentType\\\":\\\"@{triggerBody()['value']['agent']['type']}\\\",\\n\\\"Identifier\\\":\\\"@{triggerBody()?['key']?['identifier']}\\\",\\n\\\"type\\\":\\\"@{triggerBody()?['key']?['type']}\\\",\\n\\\"version\\\":\\\"@{triggerBody()?['value']?['incidentVersion']}\\\",\\n\\\"foundTime\\\":\\\"@{triggerBody()?['value']?['foundTime']}\\\",\\n\\\"detectionMethod\\\":\\\"@{triggerBody()?['value']?['detectionHashType']}\\\",\\n\\\"agentInformatonIdentifier\\\":\\\"@{triggerBody()?['value']?['device']?['identifier']}\\\",\\n\\\"osVersion\\\":\\\"@{triggerBody()?['value']?['device']?['operatingSystemVersion']}\\\",\\n\\\"machineName\\\":\\\"@{variables('machineName')}\\\",\\n\\\"microsoftCultureId\\\":\\\"@{triggerBody()?['value']?['device']?['microsoftCultureId']}\\\",\\n\\\"timeZoneId\\\":\\\"@{triggerBody()?['value']?['device']?['timeZoneName']}\\\",\\n\\\"microsoftGeoId\\\":\\\"@{triggerBody()?['value']?['device']?['microsoftGeoId']}\\\",\\n\\\"domainname\\\":\\\"@{variables('domain')}\\\",\\n\\\"Agentversion\\\":\\\"@{triggerBody()['value']['agent']['version']}\\\",\\n\\\"Agentidentifier\\\":\\\"@{triggerBody()['value']['identifier']}\\\",\\n\\\"loggedOnUsers\\\":\\\"@{variables('Usernames')}\\\",\\n\\\"size\\\":\\\"@{triggerBody()?['value']?['file']?['size']}\\\",\\n\\\"creationTime\\\":\\\"@{triggerBody()?['value']?
['file']?['creationTime']}\\\",\\n\\\"lastAccessTime\\\":\\\"@{triggerBody()?['value']?['file']?['lastAccessTime']}\\\",\\n\\\"lastWriteTime\\\":\\\"@{triggerBody()?['value']?['file']?['lastModifiedTime']}\\\",\\n\\\"sha1\\\":\\\"@{triggerBody()?['value']?['file']?['calculatedHashes']?['sha1']}\\\",\\n\\\"nearbyFiles_sha1\\\":\\\"@{variables('nearbyFiles_sha1s')}\\\",\\n\\\"externalIP\\\":\\\"@{triggerBody()?['value']?['device']?['resolvedExternalIp']}\\\",\\n\\\"domain\\\":\\\"@{variables('domain')}\\\",\\n\\\"hasCollectedNearbyFiles\\\":\\\"@{variables('hasCollectedNearbyFiles')}\\\",\\n\\\"filePath\\\":\\\"@{replace(triggerBody()['value']['file']['path'], '\\\\', '\\\\\\\\')}\\\",\\n\\\"m365WebUrl\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['webUrl']}\\\",\\n\\\"m365CreatedBymail\\\":\\\"@{triggerBody()?['value']?['file']?['createdBy']?['graphIdentity']?['user']?['mail']}\\\",\\n\\\"m365LastModifiedByMail\\\":\\\"@{triggerBody()?['value']?['file']?['lastModifiedBy']?['graphIdentity']?['user']?['mail']}\\\",\\n\\\"m365LibraryId\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['id']}\\\",\\n\\\"m365LibraryDisplayName\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['displayName']}\\\",\\n\\\"m365Librarytype\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['type']}\\\",\\n\\\"m365siteid\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['site']?['id']}\\\",\\n\\\"m365sitedisplayName\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['site']?['displayName']}\\\",\\n\\\"m365sitename\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['parent']?['name']}\\\",\\n\\\"countOfAllNearByFiles\\\":\\\"@{variables('countOfAllNearByFiles')}\\\",\\n\\n}\", \n click save \n3. Copy the HTTP POST URL\n4. Go to your NetClean ProActive web console, and go to settings, Under Webhook configure a new webhook using the URL copied from step 3 \n 5. 
Verify functionality by triggering a Demo Incident.",
- "title": " Option 1: deploy Logic app (requires NetClean Proactive)"
+ "description": "1. Create a new logic app\n Use When a HTTP request is recived as the Trigger and save it. It will now have generated a URL that can be used in the ProActive webconsole configuration.\n Add an action:\n Select the Azure Log Analytics Data Collector and choose Send Data\n Enter Connection Name, Workspace ID and Workspace Key, you will find the information needed in your Log Analytics workspace under Settings-->Agents-->Log Analytics agent instructions.\n In JSON Request body add @triggerBody(). in Custom Log Name add Netclean_Incidents.",
+ "title": " Option 1: Logic app"
},
{
- "description": "Ingest data using a api function. please use the script found on\n https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell \nReplace the CustomerId and SharedKey values with your values\nReplace the content in $json variable to the sample data.\nSet the LogType varible to **Netclean_Incidents_CL**\nRun the script",
+ "description": "Ingest data using a api function. please use the script found on\n https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell \nReplace the CustomerId and SharedKey values with your values\nReplace the content in $json variable to the sample data found here: https://github.com/Azure/Azure-Sentinel/blob/master/Sample%20Data/Custom/Netclean_Incidents_CL.json .\nSet the LogType varible to **Netclean_Incidents_CL**\nRun the script",
"title": " Option 2 (Testing only)"
}
],
@@ -476,7 +477,7 @@
},
"instructionSteps": [
{
- "description": ">**NOTE:** The data connector relies on Azure Logic Apps to receive and push data to Log Analytics This might result in additional data ingestion costs.\n It's possible to test this without Logic Apps or NetClean Proactive see option 2",
+ "description": ">**NOTE:** NetClean ProActive uses a Webhook to expose incident data, Azure Logic Apps is used to receive and push data to Log Analytics This might result in additional data ingestion costs.\n It's possible to test this without Logic Apps or NetClean Proactive see option 2",
"instructions": [
{
"parameters": {
@@ -499,11 +500,11 @@
]
},
{
- "description": "1. Download and install the Logic app here:\n https://portal.azure.com/#create/netcleantechnologiesab1651557549734.netcleanlogicappnetcleanproactivelogicapp)\n2. Go to your newly created logic app \n In your Logic app designer, click +New Step and search for “Azure Log Analytics Data Collector” click it and select “Send Data” \n Enter the Custom Log Name: Netclean_Incidents and a dummy value in the Json request body and click save \n Go to code view on the top ribbon and scroll down to line ~100 it should start with \"Body\" \n replace the line entirly with: \n \n \"body\": \"{\\n\\\"Hostname\\\":\\\"@{variables('machineName')}\\\",\\n\\\"agentType\\\":\\\"@{triggerBody()['value']['agent']['type']}\\\",\\n\\\"Identifier\\\":\\\"@{triggerBody()?['key']?['identifier']}\\\",\\n\\\"type\\\":\\\"@{triggerBody()?['key']?['type']}\\\",\\n\\\"version\\\":\\\"@{triggerBody()?['value']?['incidentVersion']}\\\",\\n\\\"foundTime\\\":\\\"@{triggerBody()?['value']?['foundTime']}\\\",\\n\\\"detectionMethod\\\":\\\"@{triggerBody()?['value']?['detectionHashType']}\\\",\\n\\\"agentInformatonIdentifier\\\":\\\"@{triggerBody()?['value']?['device']?['identifier']}\\\",\\n\\\"osVersion\\\":\\\"@{triggerBody()?['value']?['device']?['operatingSystemVersion']}\\\",\\n\\\"machineName\\\":\\\"@{variables('machineName')}\\\",\\n\\\"microsoftCultureId\\\":\\\"@{triggerBody()?['value']?['device']?['microsoftCultureId']}\\\",\\n\\\"timeZoneId\\\":\\\"@{triggerBody()?['value']?['device']?['timeZoneName']}\\\",\\n\\\"microsoftGeoId\\\":\\\"@{triggerBody()?['value']?['device']?['microsoftGeoId']}\\\",\\n\\\"domainname\\\":\\\"@{variables('domain')}\\\",\\n\\\"Agentversion\\\":\\\"@{triggerBody()['value']['agent']['version']}\\\",\\n\\\"Agentidentifier\\\":\\\"@{triggerBody()['value']['identifier']}\\\",\\n\\\"loggedOnUsers\\\":\\\"@{variables('Usernames')}\\\",\\n\\\"size\\\":\\\"@{triggerBody()?['value']?['file']?['size']}\\\",\\n\\\"creationTime\\\":\\\"@{triggerBody()?['value']?
['file']?['creationTime']}\\\",\\n\\\"lastAccessTime\\\":\\\"@{triggerBody()?['value']?['file']?['lastAccessTime']}\\\",\\n\\\"lastWriteTime\\\":\\\"@{triggerBody()?['value']?['file']?['lastModifiedTime']}\\\",\\n\\\"sha1\\\":\\\"@{triggerBody()?['value']?['file']?['calculatedHashes']?['sha1']}\\\",\\n\\\"nearbyFiles_sha1\\\":\\\"@{variables('nearbyFiles_sha1s')}\\\",\\n\\\"externalIP\\\":\\\"@{triggerBody()?['value']?['device']?['resolvedExternalIp']}\\\",\\n\\\"domain\\\":\\\"@{variables('domain')}\\\",\\n\\\"hasCollectedNearbyFiles\\\":\\\"@{variables('hasCollectedNearbyFiles')}\\\",\\n\\\"filePath\\\":\\\"@{replace(triggerBody()['value']['file']['path'], '\\\\', '\\\\\\\\')}\\\",\\n\\\"m365WebUrl\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['webUrl']}\\\",\\n\\\"m365CreatedBymail\\\":\\\"@{triggerBody()?['value']?['file']?['createdBy']?['graphIdentity']?['user']?['mail']}\\\",\\n\\\"m365LastModifiedByMail\\\":\\\"@{triggerBody()?['value']?['file']?['lastModifiedBy']?['graphIdentity']?['user']?['mail']}\\\",\\n\\\"m365LibraryId\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['id']}\\\",\\n\\\"m365LibraryDisplayName\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['displayName']}\\\",\\n\\\"m365Librarytype\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['type']}\\\",\\n\\\"m365siteid\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['site']?['id']}\\\",\\n\\\"m365sitedisplayName\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['site']?['displayName']}\\\",\\n\\\"m365sitename\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['parent']?['name']}\\\",\\n\\\"countOfAllNearByFiles\\\":\\\"@{variables('countOfAllNearByFiles')}\\\",\\n\\n}\", \n click save \n3. Copy the HTTP POST URL\n4. Go to your NetClean ProActive web console, and go to settings, Under Webhook configure a new webhook using the URL copied from step 3 \n 5. 
Verify functionality by triggering a Demo Incident.",
- "title": " Option 1: deploy Logic app (requires NetClean Proactive)"
+ "description": "1. Create a new logic app\n Use When a HTTP request is recived as the Trigger and save it. It will now have generated a URL that can be used in the ProActive webconsole configuration.\n Add an action:\n Select the Azure Log Analytics Data Collector and choose Send Data\n Enter Connection Name, Workspace ID and Workspace Key, you will find the information needed in your Log Analytics workspace under Settings-->Agents-->Log Analytics agent instructions.\n In JSON Request body add @triggerBody(). in Custom Log Name add Netclean_Incidents.",
+ "title": " Option 1: Logic app"
},
{
- "description": "Ingest data using a api function. please use the script found on\n https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell \nReplace the CustomerId and SharedKey values with your values\nReplace the content in $json variable to the sample data.\nSet the LogType varible to **Netclean_Incidents_CL**\nRun the script",
+ "description": "Ingest data using a api function. please use the script found on\n https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell \nReplace the CustomerId and SharedKey values with your values\nReplace the content in $json variable to the sample data found here: https://github.com/Azure/Azure-Sentinel/blob/master/Sample%20Data/Custom/Netclean_Incidents_CL.json .\nSet the LogType varible to **Netclean_Incidents_CL**\nRun the script",
"title": " Option 2 (Testing only)"
}
],
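Review bot: The new Option 1 description asks the operator to paste the Workspace Key into the connector and to reuse the generated HTTP-trigger URL in the ProActive web console, but never says that both are credentials: the trigger URL is, as far as I know, self-authenticating via its embedded signature and is the only thing gating writes into the custom table, and the Workspace Key grants write access to the whole workspace. Suggest appending to that description: `Treat the generated trigger URL and the Workspace Key as secrets: anyone holding the URL can write records into Netclean_Incidents_CL. Keep the key only in the connection, and restrict the trigger's inbound IP addresses to the ProActive server where possible.` The same new text also drops the explicit field mapping the old Option 1 carried, so ingested column names now follow the raw webhook body (e.g. `value_incidentVersion_d`); that is consistent with the updated workbook queries, but worth a sentence in the description so operators of existing deployments know the schema changed. Minor typos on the new lines: `recived` → `received`, `a api function` → `an API function`, `varible` → `variable`.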
@@ -520,7 +521,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NetCleanProActiveWorkbookWorkbook Workbook with template version 3.0.1",
+ "description": "NetCleanProActiveWorkbook Workbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -538,7 +539,7 @@
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## NetClean Overview last 30 Days\\nShows only original incident, please specify the incident you would like to view to include near by files\\n\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where version_s == 1 |summarize Count=count() by Type, type_s\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"xAxis\":\"type_s\",\"yAxis\":[\"Count\"]}},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where version_s == 1 |summarize Count=count() by sha1_s\",\"size\":4,\"title\":\"SHA1\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"name\":\"SHA1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where version_s == 1 |summarize Count=count() by agentType_s\",\"size\":4,\"title\":\"Agent Type\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"name\":\"Agent Type\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where version_s == 1 |summarize Count=count() by Hostname_s\",\"size\":4,\"title\":\"Hostname\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"name\":\"Hostname\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where version_s == 1 | distinct Identifier_g, 
TimeGenerated, agentType_s | sort by TimeGenerated desc | project-rename Incident_Identifier=Identifier_g, TimeGenerated, Agent_Type=agentType_s \",\"size\":0,\"title\":\"List of incidents \",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"List of incidents \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where version_s == 1 | sort by TimeGenerated asc\\n| summarize Count=count() by format_datetime (TimeGenerated,'yy-MM-dd '), Identifier_g\\n\",\"size\":0,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Week\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0},\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"yAxis\":[\"Count\"],\"xSettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":false},\"missingSparkDataOption\":\"Zero\"}},\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"count_\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 4\"}]},\"name\":\"NetClean Oerview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## NetClean Incident\"},\"name\":\"text - 
4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"1e3b2c62-399e-43e6-a643-8a7484ac5c91\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"incident\",\"type\":2,\"query\":\"Netclean_Incidents_CL |where version_s == 1 | sort by TimeGenerated desc | project Identifier_g \",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"ebcd8124-27b4-416c-8ca7-45011691b9dc\"},{\"id\":\"a3554367-06f8-4027-8134-07af2b82675b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"agentType\",\"type\":2,\"isRequired\":true,\"query\":\"Netclean_Incidents_CL | where Identifier_g == \\\"{incident}\\\" | distinct agentType_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::1\"],\"showDefault\":false},\"defaultValue\":\"value::1\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where Identifier_g == \\\"{incident}\\\" | top 1 by TimeGenerated | project sha1_s\",\"size\":4,\"title\":\"SHA1\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"SHA1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where Identifier_g == \\\"{incident}\\\" | top 1 by TimeGenerated | project filePath_s\",\"size\":4,\"title\":\"File Path\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"File 
Path\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where Identifier_g == \\\"{incident}\\\" |summarize Count=count()\",\"size\":4,\"title\":\"Number of log entrys for specified incident\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"min\":1,\"palette\":\"purpleDark\"},\"tooltipFormat\":{\"tooltip\":\"Number of log entrys for specified incident\"}},\"showBorder\":false}},\"customWidth\":\"20\",\"name\":\"Number of log entrys for specified incident\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where Identifier_g == \\\"{incident}\\\" | top 1 by TimeGenerated | project hasCollectedNearbyFiles_s\",\"size\":4,\"title\":\"Has Collected Nearby Files\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"hasCollectedNearbyFiles_s\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"20\",\"name\":\"hasCollectedNearbyFiles\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where Identifier_g == \\\"{incident}\\\" | top 1 by TimeGenerated | project 
domain_s\",\"size\":4,\"title\":\"Domain\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"domain_s\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"20\",\"name\":\"domain\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where Identifier_g == \\\"{incident}\\\" | top 1 by TimeGenerated | project countOfAllNearByFiles_s\\n\\n\\n\\n\\n\",\"size\":4,\"title\":\"Number of nearby files\",\"noDataMessage\":\"0\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"countOfAllNearByFiles_s\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"0\"}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"20\",\"name\":\"Number of nearby files\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where Identifier_g == \\\"{incident}\\\" | where hasCollectedNearbyFiles_s == true | top 1 by countof(nearbyFiles_sha1_s, \\\",\\\") | project countof(nearbyFiles_sha1_s, \\\",\\\")\\n\\n\\n\\n\\n\",\"size\":4,\"title\":\"Number of nearby files with match\",\"noDataMessage\":\"0\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":12,\"formatOptions\":{\"palette\":\"orange\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"0\"}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"20\",\"name\":\"Number of nearby files with 
match\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where Identifier_g == \\\"{incident}\\\" | top 1 by TimeGenerated | project Hostname_s, osVersion_s, hasCollectedNearbyFiles_s, externalIP_s\\n\\n\\n\\n\",\"size\":4,\"title\":\"Hostname\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"hasCollectedNearbyFiles_s\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"hasCollectedNearbyFiles_s\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Hostname_s\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":false,\"sortCriteriaField\":\"hasCollectedNearbyFiles_s\",\"sortOrderField\":1,\"size\":\"auto\"},\"textSettings\":{\"style\":\"header\"}},\"conditionalVisibility\":{\"parameterName\":\"agentType\",\"comparison\":\"isEqualTo\",\"value\":\"computer\"},\"name\":\"Hostname\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where Identifier_g == \\\"{incident}\\\" | top 1 by TimeGenerated | mvexpand LoggedOnUsers=split(loggedOnUsers_s, '|') to typeof(string) | project LoggedOnUsers\\n \",\"size\":0,\"title\":\"All Logged On Users\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"loggedOnUsers_s\",\"formatter\":1},\"showBorder\":true,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"agentType\",\"comparison\":\"isEqualTo\",\"value\":\"computer\"},\"name\":\"LoggedOnUsers\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where Identifier_g == \\\"{incident}\\\" | top 1 by TimeGenerated | mvexpand LoggedOnUser=split(loggedOnUsers_s, '|') to typeof(string) | where 
LoggedOnUser hassuffix Hostname_s or LoggedOnUser endswith domain_s | where LoggedOnUser !contains \\\"WORKGROUP\\\" |distinct LoggedOnUser\",\"size\":4,\"title\":\"Users where domain matches hostname or domainname\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"agentType\",\"comparison\":\"isEqualTo\",\"value\":\"computer\"},\"name\":\"user\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where Identifier_g == \\\"{incident}\\\" | top 1 by TimeGenerated\\n| project format_datetime (creationTime_t,'yyyy-MM-dd HH:mm:ss'), format_datetime (lastAccessTime_t,'yyyy-MM-dd HH:mm:ss'), format_datetime (lastWriteTime_t,'yyyy-MM-dd HH:mm:ss'), format_datetime (TimeGenerated,'yyyy-MM-dd HH:mm:ss'), format_datetime (foundTime_t,'yyyy-MM-dd HH:mm:ss') \",\"size\":4,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"creationTime_t\",\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"nodeIdField\":\"foundTime_t\",\"sourceIdField\":\"foundTime_t\",\"targetIdField\":\"foundTime_t\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"nodeSize\":\"\",\"staticNodeSize\":100,\"colorSettings\":\"\",\"hivesMargin\":5},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where Identifier_g == \\\"{incident}\\\" | top 1 by TimeGenerated | project m365LibraryDisplayName_s,m365Librarytype_s, m365WebUrl_s, m365LibraryId_s, m365siteid_s, m365CreatedBymail_s, m365LastModifiedByMail_s, m365sitedisplayName_s, m365sitename_s\\n\\n\",\"size\":4,\"title\":\"Cloud Agent 
\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"conditionalVisibility\":{\"parameterName\":\"agentType\",\"comparison\":\"isEqualTo\",\"value\":\"microsoft365\"},\"name\":\"Cloud Agent \"}]},\"name\":\"group - 5\"}],\"fromTemplateId\":\"sentinel-NetCleanProActiveWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## NetClean Overview last 30 Days\\nShows only original incident, please specify the incident you would like to view to include near by files\\n\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where value_incidentVersion_d == 1 |summarize Count=count() by key_type_s, value_agent_type_s\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"xAxis\":\"value_agent_type_s\",\"yAxis\":[\"Count\"]}},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where value_incidentVersion_d == 1 |summarize Count=count() by value_file_calculatedHashes_sha1_s\",\"size\":4,\"title\":\"SHA1\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"name\":\"SHA1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where value_incidentVersion_d == 1 |summarize Count=count() by value_agent_type_s\",\"size\":4,\"title\":\"Agent Type\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"name\":\"Agent Type\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL\\n| where value_incidentVersion_d == 1\\n| extend machineName = coalesce(value_device_machineName_s, value_agent_type_s)\\n| summarize Count = count() by 
machineName\\n\",\"size\":4,\"title\":\"Hostname\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"name\":\"Hostname\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where value_incidentVersion_d == 1 | distinct key_identifier_g, TimeGenerated, value_agent_type_s | sort by TimeGenerated desc | project-rename Incident_Identifier=key_identifier_g, TimeGenerated, Agent_Type=value_agent_type_s\",\"size\":0,\"title\":\"List of incidents \",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":\"[]\"},\"sortBy\":\"[]\"},\"name\":\"List of incidents \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where value_incidentVersion_d == 1 | sort by TimeGenerated asc\\n| summarize Count=count() by format_datetime (TimeGenerated,'yy-MM-dd '), 
key_identifier_g\\n\",\"size\":0,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Week\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0},\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"yAxis\":[\"Count\"],\"xSettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":false},\"missingSparkDataOption\":\"Zero\"}},\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"count_\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 4\"}]},\"name\":\"NetClean Oerview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## NetClean Incident\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"1e3b2c62-399e-43e6-a643-8a7484ac5c91\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"incident\",\"type\":2,\"query\":\"Netclean_Incidents_CL |where value_incidentVersion_d == 1 | sort by TimeGenerated desc | project key_identifier_g 
\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"7186627a-4a09-4276-a6ae-9687aa5d2e89\"},{\"id\":\"a3554367-06f8-4027-8134-07af2b82675b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"agentType\",\"type\":2,\"isRequired\":true,\"query\":\"Netclean_Incidents_CL | where key_identifier_g == \\\"{incident}\\\" | distinct value_agent_type_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::1\"],\"showDefault\":false},\"defaultValue\":\"value::1\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where key_identifier_g == \\\"{incident}\\\" | top 1 by TimeGenerated | project value_file_signature_hashes_sha1_s\\n\",\"size\":4,\"title\":\"SHA1\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"SHA1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where key_identifier_g == \\\"{incident}\\\" | top 1 by TimeGenerated | project value_file_path_s\\n\",\"size\":4,\"title\":\"File Path\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"File Path\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where key_identifier_g == \\\"{incident}\\\" |summarize Count=count()\",\"size\":4,\"title\":\"Number of log entrys for specified 
incident\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"min\":1,\"palette\":\"purpleDark\"},\"tooltipFormat\":{\"tooltip\":\"Number of log entrys for specified incident\"}},\"showBorder\":false}},\"customWidth\":\"20\",\"name\":\"Number of log entrys for specified incident\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL\\n| where key_identifier_g == \\\"{incident}\\\"\\n| top 1 by TimeGenerated\\n| extend NearbyFiles = parse_json(value_file_nearbyFiles_s)\\n| project IsNotEmpty = iff(not(isempty(NearbyFiles)), \\\"true\\\", \\\"false\\\")\\n\",\"size\":4,\"title\":\"Has Collected Nearby Files\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IsNotEmpty\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"20\",\"name\":\"hasCollectedNearbyFiles\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where key_identifier_g == \\\"{incident}\\\" | top 1 by TimeGenerated | project value_file_owner_computerUser_domain_s\\n 
\",\"size\":4,\"title\":\"Domain\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"value_file_owner_computerUser_domain_s\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"20\",\"name\":\"domain\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL\\n| where key_identifier_g == \\\"{incident}\\\"\\n| top 1 by TimeGenerated\\n| extend NearbyFiles = parse_json(value_file_nearbyFiles_s)\\n| mv-expand NearbyFiles\\n| extend Sha1 = tostring(NearbyFiles.calculatedHashes.sha1)\\n| summarize NumberOfSha1s = count(Sha1)\\n\\n\\n\\n\\n\\n\",\"size\":4,\"title\":\"Number of nearby files\",\"noDataMessage\":\"0\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"sortBy\":\"[]\"},\"sortBy\":\"[]\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"NumberOfSha1s\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"0\"}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"20\",\"name\":\"Number of nearby files\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL\\n| where key_identifier_g == \\\"{incident}\\\"\\n| top 1 by TimeGenerated\\n| extend NearbyFiles = parse_json(value_file_nearbyFiles_s)\\n| mv-expand NearbyFiles\\n| where NearbyFiles.isMatch == true\\n| extend Sha1 = tostring(NearbyFiles.calculatedHashes.sha1)\\n| summarize NumberOfSha1s = count(Sha1)\\n\",\"size\":4,\"title\":\"Number of nearby files with 
match\",\"noDataMessage\":\"0\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"sortBy\":\"[]\"},\"sortBy\":\"[]\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"NumberOfSha1s\",\"formatter\":12,\"formatOptions\":{\"palette\":\"orange\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"0\"}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"20\",\"name\":\"Number of nearby files with match\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL\\n| where key_identifier_g == \\\"{incident}\\\"\\n| top 1 by TimeGenerated\\n| project value_device_machineName_s, value_device_operatingSystemVersion_s, Interfaces = parse_json(value_device_networkInterfaces_s), value_file_diskDrive_diskType_s, value_file_diskDrive_volumeSerialNumber_s,value_file_diskDrive_mountPoint_s\\n \\n| mv-expand Interfaces\\n| extend Description = tostring(Interfaces.description), IPs = Interfaces.ipAddresses\\n| mv-expand IPs\\n| where IPs !in (\\\"::1\\\", \\\"127.0.0.1\\\")\\n| where tostring(IPs) !startswith(\\\"fe80::\\\") // Exclude link-local IPv6 addresses\\n| project IPv4 = IPs, value_device_machineName_s, value_device_operatingSystemVersion_s, value_file_diskDrive_diskType_s, value_file_diskDrive_volumeSerialNumber_s, value_file_diskDrive_mountPoint_s\\n \\n\\n \\n 
\\n\\n\\n\\n\\n\\n\\n\",\"size\":4,\"title\":\"Hostname\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Hostname_s\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":false,\"sortCriteriaField\":\"hasCollectedNearbyFiles_s\",\"sortOrderField\":1,\"size\":\"auto\"},\"textSettings\":{\"style\":\"header\"}},\"conditionalVisibility\":{\"parameterName\":\"agentType\",\"comparison\":\"isEqualTo\",\"value\":\"computer\"},\"name\":\"Hostname\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL\\n| where key_identifier_g == \\\"{incident}\\\"\\n| top 1 by TimeGenerated\\n| extend LoggedOnUsers = parse_json(value_device_loggedOnUsers_s)\\n| mv-expand LoggedOnUsers\\n| extend Username = tostring(LoggedOnUsers.computerUser.username),\\n LogonTime = tostring(LoggedOnUsers.computerUser.logonTime),\\n LogonType = tostring(LoggedOnUsers.computerUser.logonType),\\n Domain = tostring(LoggedOnUsers.computerUser.domain)\\n| project Username, LogonTime, LogonType, Domain\\n\",\"size\":0,\"title\":\"All Logged On Users\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"loggedOnUsers_s\",\"formatter\":1},\"showBorder\":true,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"agentType\",\"comparison\":\"isEqualTo\",\"value\":\"computer\"},\"name\":\"LoggedOnUsers\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL\\n| where key_identifier_g == \\\"{incident}\\\"\\n| top 1 by TimeGenerated\\n| extend NearbyFiles = parse_json(value_file_nearbyFiles_s)\\n| mv-expand NearbyFiles\\n| project FileName = tostring(NearbyFiles.fileName), Sha1 = 
tostring(NearbyFiles.calculatedHashes.sha1)\",\"size\":4,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"nearbyFiles\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where key_identifier_g == \\\"{incident}\\\" | top 1 by TimeGenerated\\n| project format_datetime (value_file_creationTime_t,'yyyy-MM-dd HH:mm:ss'), format_datetime (value_file_lastAccessTime_t,'yyyy-MM-dd HH:mm:ss'), format_datetime (value_file_lastModifiedTime_t ,'yyyy-MM-dd HH:mm:ss'), format_datetime (TimeGenerated,'yyyy-MM-dd HH:mm:ss'), format_datetime (value_foundTime_t,'yyyy-MM-dd HH:mm:ss') \",\"size\":4,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"creationTime_t\",\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"nodeIdField\":\"foundTime_t\",\"sourceIdField\":\"foundTime_t\",\"targetIdField\":\"foundTime_t\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"nodeSize\":\"\",\"staticNodeSize\":100,\"colorSettings\":\"\",\"hivesMargin\":5},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Netclean_Incidents_CL | where key_identifier_g == \\\"{incident}\\\" | top 1 by TimeGenerated | project key_type_s, value_file_microsoft365_site_displayName_s, value_file_microsoft365_site_name_s, value_file_microsoft365_id_s, value_file_microsoft365_mimeType_s, value_file_microsoft365_webUrl_s, value_file_microsoft365_library_displayName_s, value_file_microsoft365_library_type_s\\n\\n\\n\\n\\n\\n\\n\",\"size\":4,\"title\":\"Cloud Agent 
\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"conditionalVisibility\":{\"parameterName\":\"agentType\",\"comparison\":\"isEqualTo\",\"value\":\"microsoft365\"},\"name\":\"Cloud Agent \"}]},\"name\":\"group - 5\"}],\"fromTemplateId\":\"sentinel-NetCleanProActiveWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
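Review bot: Several items in the new serializedData keep display settings that name columns their rewritten queries no longer produce: the "Hostname" item's tileSettings still reference `Hostname_s` and `hasCollectedNearbyFiles_s` although its query now projects `IPv4`, `value_device_machineName_s` and the diskDrive fields; the "All Logged On Users" item matches `loggedOnUsers_s` while projecting `Username, LogonTime, LogonType, Domain`; and "query - 3" matches `creationTime_t`/`foundTime_t` against columns that are now `value_file_creationTime_t` and `value_foundTime_t`. These settings are presumably inert for a table visualization, but they will mislead the next editor and should be updated to the projected names or removed. Separately, the incident SHA1 card projects `value_file_signature_hashes_sha1_s` while the overview pie chart and the nearby-files queries use `calculatedHashes.sha1` (`value_file_calculatedHashes_sha1_s`); if the card is meant to show the same hash as the overview, change it to `| project value_file_calculatedHashes_sha1_s`, otherwise retitle the card so the two hashes are not confused.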
@@ -602,12 +603,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "NetClean ProActive",
"publisherDisplayName": "NetClean",
- "descriptionHtml": "
Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe NetClean ProActive for Microsoft Sentinel solution gives you the ability to connect the NetClean ProActive Incident logs with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation.
\nUnderlying Microsoft Technologies used:
\nThis solution might take a dependency on the other technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\nOR
\n\nData Connectors: 1, Workbooks: 1, Analytic Rules: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe NetClean ProActive for Microsoft Sentinel solution gives you the ability to connect the NetClean ProActive Incident logs with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation.
\nUnderlying Microsoft Technologies used:
\nThis solution might take a dependency on the other technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\nOR
\n\nData Connectors: 1, Workbooks: 1, Analytic Rules: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -632,8 +633,8 @@
"criteria": [
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId1')]",
- "version": "[variables('analyticRuleVersion1')]"
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
},
{
"kind": "DataConnector",
diff --git a/Solutions/NetClean ProActive/Package/testParameters.json b/Solutions/NetClean ProActive/Package/testParameters.json
new file mode 100644
index 00000000000..1f4815618d4
--- /dev/null
+++ b/Solutions/NetClean ProActive/Package/testParameters.json
@@ -0,0 +1,32 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "NetClean ProActive",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
diff --git a/Solutions/NetClean ProActive/ReleaseNotes.md b/Solutions/NetClean ProActive/ReleaseNotes.md
index ed718a45283..7b6e29e22b3 100644
--- a/Solutions/NetClean ProActive/ReleaseNotes.md
+++ b/Solutions/NetClean ProActive/ReleaseNotes.md
@@ -1,3 +1,4 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
+| 3.0.2 | 30-01-2025 | Updated **Analytic Rules**, **Workbook** columns due to change in **Data Connector** |
| 3.0.1 | 27-07-2023 | Updated solution to remove unwanted spaces from variables. |
diff --git a/Solutions/NetClean ProActive/Workbooks/NetCleanProActiveWorkbook.json b/Solutions/NetClean ProActive/Workbooks/NetCleanProActiveWorkbook.json
index ab469e4134d..a92f7f3c5b2 100644
--- a/Solutions/NetClean ProActive/Workbooks/NetCleanProActiveWorkbook.json
+++ b/Solutions/NetClean ProActive/Workbooks/NetCleanProActiveWorkbook.json
@@ -18,13 +18,13 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "Netclean_Incidents_CL | where version_s == 1 |summarize Count=count() by Type, type_s\n",
+ "query": "Netclean_Incidents_CL | where value_incidentVersion_d == 1 |summarize Count=count() by key_type_s, value_agent_type_s",
"size": 1,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar",
"chartSettings": {
- "xAxis": "type_s",
+ "xAxis": "value_agent_type_s",
"yAxis": [
"Count"
]
@@ -36,7 +36,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "Netclean_Incidents_CL | where version_s == 1 |summarize Count=count() by sha1_s",
+ "query": "Netclean_Incidents_CL | where value_incidentVersion_d == 1 |summarize Count=count() by value_file_calculatedHashes_sha1_s",
"size": 4,
"title": "SHA1",
"timeContext": {
@@ -55,7 +55,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "Netclean_Incidents_CL | where version_s == 1 |summarize Count=count() by agentType_s",
+ "query": "Netclean_Incidents_CL | where value_incidentVersion_d == 1 |summarize Count=count() by value_agent_type_s",
"size": 4,
"title": "Agent Type",
"timeContext": {
@@ -71,7 +71,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "Netclean_Incidents_CL | where version_s == 1 |summarize Count=count() by Hostname_s",
+ "query": "Netclean_Incidents_CL\n| where value_incidentVersion_d == 1\n| extend machineName = coalesce(value_device_machineName_s, value_agent_type_s)\n| summarize Count = count() by machineName\n",
"size": 4,
"title": "Hostname",
"timeContext": {
@@ -87,7 +87,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "Netclean_Incidents_CL | where version_s == 1 | distinct Identifier_g, TimeGenerated, agentType_s | sort by TimeGenerated desc | project-rename Incident_Identifier=Identifier_g, TimeGenerated, Agent_Type=agentType_s ",
+ "query": "Netclean_Incidents_CL | where value_incidentVersion_d == 1 | distinct key_identifier_g, TimeGenerated, value_agent_type_s | sort by TimeGenerated desc | project-rename Incident_Identifier=key_identifier_g, TimeGenerated, Agent_Type=value_agent_type_s",
"size": 0,
"title": "List of incidents ",
"timeContext": {
@@ -95,7 +95,10 @@
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
- "sortBy": []
+ "gridSettings": {
+ "sortBy": "[]"
+ },
+ "sortBy": "[]"
},
"name": "List of incidents "
},
@@ -103,7 +106,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "Netclean_Incidents_CL | where version_s == 1 | sort by TimeGenerated asc\n| summarize Count=count() by format_datetime (TimeGenerated,'yy-MM-dd '), Identifier_g\n",
+ "query": "Netclean_Incidents_CL | where value_incidentVersion_d == 1 | sort by TimeGenerated asc\n| summarize Count=count() by format_datetime (TimeGenerated,'yy-MM-dd '), key_identifier_g\n",
"size": 0,
"timeContext": {
"durationMs": 2592000000
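Review bot: `coalesce(value_device_machineName_s, value_agent_type_s)` in the `@@ -71` query puts an agent-type string into the `machineName` dimension whenever the device name is missing, so the chart titled "Hostname" mixes real host names with values that are agent types, and a reader cannot tell the two kinds of bar apart. If cloud-agent incidents need a bucket here, a labelled fallback such as `coalesce(value_device_machineName_s, strcat("(agent: ", value_agent_type_s, ")"))` keeps the distinction visible; otherwise filtering on `isnotempty(value_device_machineName_s)` keeps the chart to hosts. The enclosing content object starts before the hunk.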
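Review bot: `"sortBy": "[]"` in the `@@ -95` hunk changes the property from an empty array to a two-character string, and the new `gridSettings.sortBy` is given the same string; the `@@ -384` and `@@ -418` hunks repeat this, while the `@@ -454` hunk in the same file writes `"sortBy": []` as an array. One key carrying an array in some items and a string in others is shape drift the workbook loader has to tolerate rather than a documented form, as far as I can tell from this file. Unless the string form is required, `"sortBy": []` here and inside `gridSettings` keeps the type consistent with the rest of the document. The enclosing content object starts before the hunk.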
@@ -203,7 +206,7 @@
"version": "KqlParameterItem/1.0",
"name": "incident",
"type": 2,
- "query": "Netclean_Incidents_CL |where version_s == 1 | sort by TimeGenerated desc | project Identifier_g ",
+ "query": "Netclean_Incidents_CL |where value_incidentVersion_d == 1 | sort by TimeGenerated desc | project key_identifier_g ",
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
@@ -213,7 +216,7 @@
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
- "value": "ebcd8124-27b4-416c-8ca7-45011691b9dc"
+ "value": "7186627a-4a09-4276-a6ae-9687aa5d2e89"
},
{
"id": "a3554367-06f8-4027-8134-07af2b82675b",
@@ -221,7 +224,7 @@
"name": "agentType",
"type": 2,
"isRequired": true,
- "query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | distinct agentType_s",
+ "query": "Netclean_Incidents_CL | where key_identifier_g == \"{incident}\" | distinct value_agent_type_s",
"typeSettings": {
"additionalResourceOptions": [
"value::1"
@@ -243,7 +246,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project sha1_s",
+ "query": "Netclean_Incidents_CL | where key_identifier_g == \"{incident}\" | top 1 by TimeGenerated | project value_file_signature_hashes_sha1_s\n",
"size": 4,
"title": "SHA1",
"timeContext": {
@@ -262,7 +265,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project filePath_s",
+ "query": "Netclean_Incidents_CL | where key_identifier_g == \"{incident}\" | top 1 by TimeGenerated | project value_file_path_s\n",
"size": 4,
"title": "File Path",
"timeContext": {
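Review bot: The `"value"` of the `incident` parameter in the `@@ -213` hunk is swapped for another hard-coded GUID instead of being removed; in a packaged template that identifier presumably comes from the authoring workspace and will not exist where the workbook is deployed, so the parameter starts out pointing at an incident nobody has. Since the parameter is already populated by the query in the `@@ -203` hunk and `showDefault` is false, dropping the `"value"` line (or shipping it empty) avoids baking an environment-specific id into the template. The enclosing parameter object starts before the hunk.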
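Review bot: The incident-detail tile titled "SHA1" in the `@@ -243` hunk now projects `value_file_signature_hashes_sha1_s`, whereas the overview query in the `@@ -36` hunk summarizes by `value_file_calculatedHashes_sha1_s` and the nearby-files items read `calculatedHashes.sha1`, so two different hash sources are presented under the same label. An analyst pivoting on this value needs to know which file hash it is; if the signature hash is intended here, name it in the title, e.g. `"title": "SHA1 (signature)"`, and if not, project `value_file_calculatedHashes_sha1_s` to match the rest of the workbook. The enclosing content object starts before the hunk.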
@@ -281,7 +284,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" |summarize Count=count()",
+ "query": "Netclean_Incidents_CL | where key_identifier_g == \"{incident}\" |summarize Count=count()",
"size": 4,
"title": "Number of log entrys for specified incident",
"timeContext": {
@@ -312,7 +315,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project hasCollectedNearbyFiles_s",
+ "query": "Netclean_Incidents_CL\n| where key_identifier_g == \"{incident}\"\n| top 1 by TimeGenerated\n| extend NearbyFiles = parse_json(value_file_nearbyFiles_s)\n| project IsNotEmpty = iff(not(isempty(NearbyFiles)), \"true\", \"false\")\n",
"size": 4,
"title": "Has Collected Nearby Files",
"timeContext": {
@@ -323,7 +326,7 @@
"visualization": "tiles",
"tileSettings": {
"titleContent": {
- "columnMatch": "hasCollectedNearbyFiles_s",
+ "columnMatch": "IsNotEmpty",
"formatter": 1,
"numberFormat": {
"unit": 0,
@@ -343,7 +346,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project domain_s",
+ "query": "Netclean_Incidents_CL | where key_identifier_g == \"{incident}\" | top 1 by TimeGenerated | project value_file_owner_computerUser_domain_s\n ",
"size": 4,
"title": "Domain",
"timeContext": {
@@ -354,7 +357,7 @@
"visualization": "tiles",
"tileSettings": {
"titleContent": {
- "columnMatch": "domain_s",
+ "columnMatch": "value_file_owner_computerUser_domain_s",
"formatter": 1,
"numberFormat": {
"unit": 0,
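Review bot: `isempty(NearbyFiles)` in the `@@ -312` query is applied to the dynamic value returned by `parse_json`, and an empty JSON array is neither null nor an empty string, so a record whose `value_file_nearbyFiles_s` is `[]` will most likely render the "Has Collected Nearby Files" tile as `true`. `array_length()` states the intent directly and also covers the null/unparseable case, since a null comparison is not true: `| project IsNotEmpty = iff(array_length(NearbyFiles) > 0, "true", "false")`. The enclosing content object starts before the hunk.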
@@ -374,7 +377,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project countOfAllNearByFiles_s\n\n\n\n\n",
+ "query": "Netclean_Incidents_CL\n| where key_identifier_g == \"{incident}\"\n| top 1 by TimeGenerated\n| extend NearbyFiles = parse_json(value_file_nearbyFiles_s)\n| mv-expand NearbyFiles\n| extend Sha1 = tostring(NearbyFiles.calculatedHashes.sha1)\n| summarize NumberOfSha1s = count(Sha1)\n\n\n\n\n\n",
"size": 4,
"title": "Number of nearby files",
"noDataMessage": "0",
@@ -384,10 +387,13 @@
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
- "sortBy": [],
+ "gridSettings": {
+ "sortBy": "[]"
+ },
+ "sortBy": "[]",
"tileSettings": {
"titleContent": {
- "columnMatch": "countOfAllNearByFiles_s",
+ "columnMatch": "NumberOfSha1s",
"formatter": 1,
"numberFormat": {
"unit": 17,
@@ -408,7 +414,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | where hasCollectedNearbyFiles_s == true | top 1 by countof(nearbyFiles_sha1_s, \",\") | project countof(nearbyFiles_sha1_s, \",\")\n\n\n\n\n",
+ "query": "Netclean_Incidents_CL\n| where key_identifier_g == \"{incident}\"\n| top 1 by TimeGenerated\n| extend NearbyFiles = parse_json(value_file_nearbyFiles_s)\n| mv-expand NearbyFiles\n| where NearbyFiles.isMatch == true\n| extend Sha1 = tostring(NearbyFiles.calculatedHashes.sha1)\n| summarize NumberOfSha1s = count(Sha1)\n",
"size": 4,
"title": "Number of nearby files with match",
"noDataMessage": "0",
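Review bot: `summarize NumberOfSha1s = count(Sha1)` in the `@@ -374` query appears to count every expanded nearby-file row regardless of the argument, and `tostring()` of a missing `calculatedHashes.sha1` yields an empty string rather than null, so entries without a hash are included under a column named as a count of SHA1s; the `@@ -408` hunk has the same form. If the tile should count hashed files, `| summarize NumberOfSha1s = countif(isnotempty(Sha1))` says so explicitly, and if it should count all nearby files, `| summarize NumberOfNearbyFiles = count()` is the honest name (the `columnMatch` in the `@@ -384` hunk would follow). The six trailing `\n` at the end of the query string are noise worth trimming. The enclosing content object starts before the hunk.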
@@ -418,10 +424,13 @@
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
- "sortBy": [],
+ "gridSettings": {
+ "sortBy": "[]"
+ },
+ "sortBy": "[]",
"tileSettings": {
"titleContent": {
- "columnMatch": "Column1",
+ "columnMatch": "NumberOfSha1s",
"formatter": 12,
"formatOptions": {
"palette": "orange"
@@ -445,7 +454,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project Hostname_s, osVersion_s, hasCollectedNearbyFiles_s, externalIP_s\n\n\n\n",
+ "query": "Netclean_Incidents_CL\n| where key_identifier_g == \"{incident}\"\n| top 1 by TimeGenerated\n| project value_device_machineName_s, value_device_operatingSystemVersion_s, Interfaces = parse_json(value_device_networkInterfaces_s), value_file_diskDrive_diskType_s, value_file_diskDrive_volumeSerialNumber_s,value_file_diskDrive_mountPoint_s\n \n| mv-expand Interfaces\n| extend Description = tostring(Interfaces.description), IPs = Interfaces.ipAddresses\n| mv-expand IPs\n| where IPs !in (\"::1\", \"127.0.0.1\")\n| where tostring(IPs) !startswith(\"fe80::\") // Exclude link-local IPv6 addresses\n| project IPv4 = IPs, value_device_machineName_s, value_device_operatingSystemVersion_s, value_file_diskDrive_diskType_s, value_file_diskDrive_volumeSerialNumber_s, value_file_diskDrive_mountPoint_s\n \n\n \n \n\n\n\n\n\n\n",
"size": 4,
"title": "Hostname",
"timeContext": {
@@ -454,20 +463,7 @@
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
- "gridSettings": {
- "sortBy": [
- {
- "itemKey": "hasCollectedNearbyFiles_s",
- "sortOrder": 1
- }
- ]
- },
- "sortBy": [
- {
- "itemKey": "hasCollectedNearbyFiles_s",
- "sortOrder": 1
- }
- ],
+ "sortBy": [],
"tileSettings": {
"titleContent": {
"columnMatch": "Hostname_s",
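Review bot: The final `project IPv4 = IPs` in the `@@ -445` query labels the column IPv4, but the preceding filters only drop `::1`, `127.0.0.1` and `fe80::` link-local addresses, so any other IPv6 address on an interface still lands in a column called IPv4 and an analyst reading the incident will mislabel it. `project IPAddress = tostring(IPs), …` keeps the label honest, or a further `| where tostring(IPs) !contains ":"` if the table is meant to be IPv4-only. The `Description` column built by the `extend` is dropped again by that last `project`, so either remove the extend or keep the column. The enclosing content object starts before the hunk.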
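Review bot: `"columnMatch": "Hostname_s"` on the last context line of the `@@ -454` hunk still names the old column, while the query rewritten in the `@@ -445` hunk now projects `value_device_machineName_s`; the sort settings were cleaned up here but this reference was left dangling. `"columnMatch": "value_device_machineName_s"` matches the new projection — the item is a table, so this may have no visible effect, but it stops the next editor from chasing a column that no longer exists. The enclosing content object starts before the hunk and ends after it.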
@@ -499,7 +495,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | mvexpand LoggedOnUsers=split(loggedOnUsers_s, '|') to typeof(string) | project LoggedOnUsers\n ",
+ "query": "Netclean_Incidents_CL\n| where key_identifier_g == \"{incident}\"\n| top 1 by TimeGenerated\n| extend LoggedOnUsers = parse_json(value_device_loggedOnUsers_s)\n| mv-expand LoggedOnUsers\n| extend Username = tostring(LoggedOnUsers.computerUser.username),\n LogonTime = tostring(LoggedOnUsers.computerUser.logonTime),\n LogonType = tostring(LoggedOnUsers.computerUser.logonType),\n Domain = tostring(LoggedOnUsers.computerUser.domain)\n| project Username, LogonTime, LogonType, Domain\n",
"size": 0,
"title": "All Logged On Users",
"timeContext": {
@@ -528,27 +524,21 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | mvexpand LoggedOnUser=split(loggedOnUsers_s, '|') to typeof(string) | where LoggedOnUser hassuffix Hostname_s or LoggedOnUser endswith domain_s | where LoggedOnUser !contains \"WORKGROUP\" |distinct LoggedOnUser",
+ "query": "Netclean_Incidents_CL\n| where key_identifier_g == \"{incident}\"\n| top 1 by TimeGenerated\n| extend NearbyFiles = parse_json(value_file_nearbyFiles_s)\n| mv-expand NearbyFiles\n| project FileName = tostring(NearbyFiles.fileName), Sha1 = tostring(NearbyFiles.calculatedHashes.sha1)",
"size": 4,
- "title": "Users where domain matches hostname or domainname",
"timeContext": {
- "durationMs": 2592000000
+ "durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
- "conditionalVisibility": {
- "parameterName": "agentType",
- "comparison": "isEqualTo",
- "value": "computer"
- },
- "name": "user"
+ "name": "nearbyFiles"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated\n| project format_datetime (creationTime_t,'yyyy-MM-dd HH:mm:ss'), format_datetime (lastAccessTime_t,'yyyy-MM-dd HH:mm:ss'), format_datetime (lastWriteTime_t,'yyyy-MM-dd HH:mm:ss'), format_datetime (TimeGenerated,'yyyy-MM-dd HH:mm:ss'), format_datetime (foundTime_t,'yyyy-MM-dd HH:mm:ss') ",
+ "query": "Netclean_Incidents_CL | where key_identifier_g == \"{incident}\" | top 1 by TimeGenerated\n| project format_datetime (value_file_creationTime_t,'yyyy-MM-dd HH:mm:ss'), format_datetime (value_file_lastAccessTime_t,'yyyy-MM-dd HH:mm:ss'), format_datetime (value_file_lastModifiedTime_t ,'yyyy-MM-dd HH:mm:ss'), format_datetime (TimeGenerated,'yyyy-MM-dd HH:mm:ss'), format_datetime (value_foundTime_t,'yyyy-MM-dd HH:mm:ss') ",
"size": 4,
"timeContext": {
"durationMs":
2592000000
@@ -571,15 +561,14 @@
},
"graphSettings": {
"type": 0,
- "topContent": {},
"nodeIdField": "foundTime_t",
"sourceIdField": "foundTime_t",
"targetIdField": "foundTime_t",
"graphOrientation": 3,
"showOrientationToggles": false,
- "nodeSize": null,
+ "nodeSize": "",
"staticNodeSize": 100,
- "colorSettings": null,
+ "colorSettings": "",
"hivesMargin": 5
},
"mapSettings": {
@@ -592,7 +581,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project m365LibraryDisplayName_s,m365Librarytype_s, m365WebUrl_s, m365LibraryId_s, m365siteid_s, m365CreatedBymail_s, m365LastModifiedByMail_s, m365sitedisplayName_s, m365sitename_s\n\n",
+ "query": "Netclean_Incidents_CL | where key_identifier_g == \"{incident}\" | top 1 by TimeGenerated | project key_type_s, value_file_microsoft365_site_displayName_s, value_file_microsoft365_site_name_s, value_file_microsoft365_id_s, value_file_microsoft365_mimeType_s, value_file_microsoft365_webUrl_s, value_file_microsoft365_library_displayName_s, value_file_microsoft365_library_type_s\n\n\n\n\n\n\n",
"size": 4,
"title": "Cloud Agent ",
"timeContext": {
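Review bot: The `nearbyFiles` item introduced in the `@@ -528` hunk narrows `timeContext.durationMs` to 86400000 (one day), while the `incident` parameter query and the neighbouring detail items in this file use 2592000000 (30 days), so an incident chosen from the 30-day list that is older than a day will show an empty nearby-files table even though the other tiles for it render. `"durationMs": 2592000000` makes the detail items agree. The `"title"` line was removed with the old `user` item and none was added for the new one, so this table renders without a heading unlike its siblings; `"title": "Nearby files"` would fix that. The enclosing items array starts before the hunk.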