diff --git a/Solutions/Threat Intelligence Solution for Azure Government/Data/Solution_ThreatIntelligenceFairfax.json b/Solutions/Threat Intelligence Solution for Azure Government/Data/Solution_ThreatIntelligenceFairfax.json
index daef53714fe..bf143dd57ba 100644
--- a/Solutions/Threat Intelligence Solution for Azure Government/Data/Solution_ThreatIntelligenceFairfax.json
+++ b/Solutions/Threat Intelligence Solution for Azure Government/Data/Solution_ThreatIntelligenceFairfax.json
@@ -56,7 +56,7 @@
 "Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/IPEntity_DuoSecurity.yaml"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel",
- "Version": "3.0.3",
+ "Version": "3.0.4",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "StaticDataConnectorIds": [
diff --git a/Solutions/Threat Intelligence Solution for Azure Government/Package/3.0.4.zip b/Solutions/Threat Intelligence Solution for Azure Government/Package/3.0.4.zip
new file mode 100644
index 00000000000..11d653c72ae
Binary files /dev/null and b/Solutions/Threat Intelligence Solution for Azure Government/Package/3.0.4.zip differ
diff --git a/Solutions/Threat Intelligence Solution for Azure Government/Package/mainTemplate.json b/Solutions/Threat Intelligence Solution for Azure Government/Package/mainTemplate.json
index 19c04d7e94d..cbbbdf973f2 100644
--- a/Solutions/Threat Intelligence Solution for Azure Government/Package/mainTemplate.json
+++ b/Solutions/Threat Intelligence Solution for Azure Government/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Threat Intelligence Solution for Azure Government",
- "_solutionVersion": "3.0.3",
+ "_solutionVersion": "3.0.4",
 "solutionId": "azuresentinel.azure-sentinel-solution-threatintelligenceazuregov",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "ThreatIntelligenceTaxii",
@@ -362,7 +362,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Threat Intelligence Solution for Azure Government data connector with template version 3.0.3",
+ "description": "Threat Intelligence Solution for Azure Government data connector with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -521,7 +521,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Threat Intelligence Solution for Azure Government data connector with template version 3.0.3",
+ "description": "Threat Intelligence Solution for Azure Government data connector with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion2')]",
@@ -568,7 +568,7 @@
 }
 ],
 "availability": {
- "status": 1,
+ "status": 2,
 "isPreview": false
 },
 "permissions": {
@@ -716,7 +716,7 @@
 }
 ],
 "availability": {
- "status": 1,
+ "status": 2,
 "isPreview": false
 },
 "permissions": {
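Review bot: The `availability.status` change from `1` to `2` in the two data-connector UI definitions (hunks at 568 and 716) is the only semantic change in this regeneration, yet nothing in the commit records what status `2` means or why both connectors move to it; the only other edits are the `3.0.3` → `3.0.4` version strings. The value is a bare magic integer in strict JSON with no comment syntax, so the explanation has to live in the hand-maintained connector definitions and the solution's release notes rather than in this generated mainTemplate.json — state whether `2` hides the connector from the gallery, marks it deprecated, or something else, and which connector Azure Government customers should use instead if it is a deprecation. Presumably `isPreview` is not the intended mechanism since it stays `false`, but that should be confirmed. If this does retire the legacy TI connectors, note that the analytic rules later in this same template still list `ThreatIntelligence` and `ThreatIntelligenceTaxii` under `requiredDataConnectors`, so verify those rules remain satisfiable after the status change.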
@@ -764,7 +764,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence Solution for Azure Government data connector with template version 3.0.3", + "description": "Threat Intelligence Solution for Azure Government data connector with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion3')]", @@ -923,7 +923,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence Solution for Azure Government data connector with template version 3.0.3", + "description": "Threat Intelligence Solution for Azure Government data connector with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion4')]", @@ -1082,7 +1082,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ThreatIntelligence Workbook with template version 3.0.3", + "description": "ThreatIntelligence Workbook with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -1186,7 +1186,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.0.3", + "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -1267,7 +1267,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.0.3", + "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -1348,7 +1348,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.0.3", + "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", 
@@ -1429,7 +1429,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.0.3", + "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -1510,7 +1510,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 3.0.3", + "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -1591,7 +1591,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -1619,22 +1619,22 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -1725,7 +1725,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -1753,28 +1753,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "DNS", "dataTypes": [ "DnsEvents" - ] + ], + "connectorId": "DNS" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
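Review bot: The `requiredDataConnectors` hunks here (1619, 1753) and the same pattern through the rest of the file only move `connectorId` below `dataTypes`; key order carries no meaning in JSON, so this is serializer churn rather than a content change, and it buries the one material edit in the template (`availability.status`) under a large volume of reordered lines. Consider having the packaging tool emit connector objects with a stable key order (or sorted keys) so that a version bump regenerates output that differs only in the fields that actually changed; anyone diffing a deployed template against the repo then sees only real changes. If the order is inherited from the source YAML rather than the tool, aligning the YAML field order with the previous output would achieve the same result.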
@@ -1873,7 +1873,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -1901,34 +1901,34 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SquidProxy", "dataTypes": [ "SquidProxy_CL" - ] + ], + "connectorId": "SquidProxy" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
@@ -1958,17 +1958,17 @@ } ], "customDetails": { + "EventTime": "Event_TimeGenerated", "IoCExpirationTime": "ExpirationDateTime", "ActivityGroupNames": "ActivityGroupNames", - "IndicatorId": "IndicatorId", "IoCConfidenceScore": "ConfidenceScore", - "IoCDescription": "Description", "ThreatType": "ThreatType", - "EventTime": "Event_TimeGenerated" + "IndicatorId": "IndicatorId", + "IoCDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.", - "alertDisplayNameFormat": "A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC" + "alertDisplayNameFormat": "A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC", + "alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator." } } }, @@ -2023,7 +2023,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", 
@@ -2051,28 +2051,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -2163,7 +2163,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -2191,34 +2191,34 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftCloudAppSecurity", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftCloudAppSecurity" }, { - "connectorId": "AzureSecurityCenter", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "AzureSecurityCenter" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -2309,7 +2309,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", 
@@ -2337,28 +2337,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "Syslog" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -2457,7 +2457,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -2485,28 +2485,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActivity", "dataTypes": [ "AzureActivity" - ] + ], + "connectorId": "AzureActivity" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
@@ -2605,7 +2605,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -2633,28 +2633,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity" - ] + ], + "connectorId": "Office365" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -2753,7 +2753,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", 
@@ -2781,28 +2781,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -2893,7 +2893,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -2921,28 +2921,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSecurityCenter", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "AzureSecurityCenter" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
@@ -3032,7 +3032,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -3060,40 +3060,40 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvents" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
@@ -3197,7 +3197,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", @@ -3225,34 +3225,34 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
@@ -3351,7 +3351,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", @@ -3379,28 +3379,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -3529,7 +3529,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", 
@@ -3557,40 +3557,40 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvents" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -3710,7 +3710,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", 
@@ -3738,22 +3738,22 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -3869,7 +3869,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", @@ -3897,28 +3897,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "AWS", "dataTypes": [ "AWSCloudTrail" - ] + ], + "connectorId": "AWS" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
@@ -4009,7 +4009,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", @@ -4037,28 +4037,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "AzureActivity", "dataTypes": [ "AzureActivity" - ] + ], + "connectorId": "AzureActivity" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -4175,7 +4175,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", 
@@ -4203,28 +4203,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -4306,7 +4306,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", @@ -4334,28 +4334,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "AzureKeyVault", "dataTypes": [ "KeyVaultData" - ] + ], + "connectorId": "AzureKeyVault" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
@@ -4437,7 +4437,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", @@ -4465,22 +4465,22 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -4579,7 +4579,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", 
@@ -4607,28 +4607,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -4701,7 +4701,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", @@ -4729,28 +4729,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "CEF", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CEF" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
@@ -4823,7 +4823,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", @@ -4851,28 +4851,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "DNS", "dataTypes": [ "DnsEvents" - ] + ], + "connectorId": "DNS" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -4971,7 +4971,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", 
@@ -4999,34 +4999,34 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SquidProxy", "dataTypes": [ "SquidProxy_CL" - ] + ], + "connectorId": "SquidProxy" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -5047,17 +5047,17 @@ } ], "customDetails": { + "EventTime": "imNWS_TimeGenerated", "IoCExpirationTime": "ExpirationDateTime", "ActivityGroupNames": "ActivityGroupNames", - "IndicatorId": "IndicatorId", "IoCConfidenceScore": "ConfidenceScore", - "IoCDescription": "Description", "ThreatType": "ThreatType", - "EventTime": "imNWS_TimeGenerated" + "IndicatorId": "IndicatorId", + "IoCDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator.", - "alertDisplayNameFormat": "The IP {{SrcIpAddr}} of the web request matches an IP IoC" + "alertDisplayNameFormat": "The IP {{SrcIpAddr}} of the web request matches an IP IoC", + "alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator." } } }, 
@@ -5112,7 +5112,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", @@ -5140,28 +5140,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity" - ] + ], + "connectorId": "Office365" } ], "tactics": [ @@ -5260,7 +5260,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPentity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPentity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", 
@@ -5288,34 +5288,34 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -5414,7 +5414,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", 
@@ -5442,28 +5442,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" } ], "tactics": [ @@ -5558,7 +5558,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", @@ -5586,28 +5586,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": "AzureMonitor(IIS)", "dataTypes": [ "W3CIISLog" - ] + ], + "connectorId": "AzureMonitor(IIS)" } ], "tactics": [ 
@@ -5707,7 +5707,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", @@ -5735,28 +5735,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -5863,7 +5863,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "URLEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", 
@@ -5891,28 +5891,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity" - ] + ], + "connectorId": "Office365" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" } ], "tactics": [ @@ -6002,7 +6002,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]", @@ -6030,28 +6030,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
@@ -6142,7 +6142,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", @@ -6170,34 +6170,34 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftCloudAppSecurity", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftCloudAppSecurity" }, { - "connectorId": "AzureSecurityCenter", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "AzureSecurityCenter" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
@@ -6279,7 +6279,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]", @@ -6307,28 +6307,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "Syslog" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -6419,7 +6419,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]", 
@@ -6447,28 +6447,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "CiscoDuoSecurity", "dataTypes": [ "CiscoDuo" - ] + ], + "connectorId": "CiscoDuoSecurity" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -6554,7 +6554,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.4", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Threat Intelligence Solution for Azure Government", diff --git a/Solutions/Threat Intelligence Solution for Azure Government/ReleaseNotes.md b/Solutions/Threat Intelligence Solution for Azure Government/ReleaseNotes.md index 647e49e94c5..5d0a02a5cbe 100644 --- a/Solutions/Threat Intelligence Solution for Azure Government/ReleaseNotes.md +++ b/Solutions/Threat Intelligence Solution for Azure Government/ReleaseNotes.md 
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.0.4 | 01-15-2025 | Updated feature flags for PMDTI and MDTI for GA, and Upload API for PP. |
 | 3.0.3 | 28-11-2024 | Removed (Preview) from name for **Data Connectors** Microsoft Defender Threat Intelligence and Premium Microsoft Defender Threat Intelligence, make the MDTI and PMDTI data connctors available in gov solution, and update descriptions of data connectors. |
 | 3.0.2 | 19-08-2024 | Updated isConnectedQuery for **Data Connector** of "Threat Intelligence Upload Indicators API". |
 | 3.0.1 | 06-08-2024 | Updated the URL in **data connector** |
diff --git a/Solutions/Threat Intelligence/Data Connectors/template_MicrosoftDefenderThreatIntelligence.json b/Solutions/Threat Intelligence/Data Connectors/template_MicrosoftDefenderThreatIntelligence.json
index 86f57c35201..1c1c242a5e1 100644
--- a/Solutions/Threat Intelligence/Data Connectors/template_MicrosoftDefenderThreatIntelligence.json
+++ b/Solutions/Threat Intelligence/Data Connectors/template_MicrosoftDefenderThreatIntelligence.json
@@ -39,15 +39,18 @@
 }
 ],
 "availability": {
- "status": 2,
- "isPreview": true,
+ "status": 3,
+ "isPreview": false,
 "featureFlag": {
 "feature": "msticonnector",
 "featureStates": {
- "1": 1,
- "2": 1,
- "3": 1,
- "4": 1
+ "1": 3,
+ "2": 3,
+ "3": 3,
+ "4": 3,
+ "5": 3,
+ "6": 2,
+ "7": 2
 }
 }
 },
diff --git a/Solutions/Threat Intelligence/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json b/Solutions/Threat Intelligence/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json
index fe656115f67..c4bef5b2ee6 100644
--- a/Solutions/Threat Intelligence/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json
+++ b/Solutions/Threat Intelligence/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json
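Review bot: The `status` and `featureStates` values in the msticonnector hunk are bare integers whose meaning is recorded nowhere in the file — `"status": 3` next to `"isPreview": false`, and per-key states `3`, `2`, `2` for the newly added keys `"5"`, `"6"` and `"7"` — so a reader cannot tell from the template which code means "generally available" or which cloud or region each key stands for. JSON gives no room for a comment, so the code-to-meaning mapping belongs in ReleaseNotes.md or the connector README beside the row announcing the GA change; the same gap applies to the `"status": 1` → `"status": 2` edits in the two Upload Indicators templates on the next line and in the packaged mainTemplate.json further down. Separately, the release-note row added at the top of this line records the date as `01-15-2025` under a `DD-MM-YYYY` header whose other rows read `28-11-2024` and `19-08-2024`; it should read `15-01-2025`.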
@@ -39,15 +39,18 @@
 }
 ],
 "availability": {
- "status": 2,
- "isPreview": true,
+ "status": 3,
+ "isPreview": false,
 "featureFlag": {
 "feature": "premiummdticonnector",
- "featureStates": {
- "1": 1,
- "2": 1,
- "3": 1,
- "4": 1
+ "featureStates": {
+ "1": 3,
+ "2": 3,
+ "3": 3,
+ "4": 3,
+ "5": 3,
+ "6": 1,
+ "7": 1
 }
 }
 },
diff --git a/Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceUploadIndicators.json b/Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceUploadIndicators.json
index 0eff786764b..e0a71b6288a 100644
--- a/Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceUploadIndicators.json
+++ b/Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceUploadIndicators.json
@@ -31,7 +31,7 @@
 }
 ],
 "availability": {
- "status": 1,
+ "status": 2,
 "isPreview": true
 },
 "permissions": {
diff --git a/Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceUploadIndicators_ForGov.json b/Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceUploadIndicators_ForGov.json
index 23cef753aa6..b6004188359 100644
--- a/Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceUploadIndicators_ForGov.json
+++ b/Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceUploadIndicators_ForGov.json
@@ -31,7 +31,7 @@
 }
 ],
 "availability": {
- "status": 1,
+ "status": 2,
 "isPreview": true
 },
 "permissions": {
diff --git a/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json b/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json
index 3487118e055..709e189ba79 100644
--- a/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json
+++ b/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json
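Review bot: The new per-key feature states in the premiummdticonnector hunk diverge from the msticonnector hunk above with no visible reason: keys `"6"` and `"7"` are `1` here but `2` there, while keys `"1"` through `"5"` are `3` in both. If both flags use the same state vocabulary, one of the two looks like a copy-and-edit slip; if the difference is intended, the release note should say so rather than describing both as "for GA". The `- "featureStates": {` / `+ "featureStates": {` pair changes nothing but whitespace on that line, so normalizing its indentation to match the msticonnector template would leave a diff that shows only the state changes. Note also that the packaged mainTemplate.json hunks further down drop the `availability`/`featureFlag` block for this connector entirely as it becomes `StaticUI`, so it is not clear from this commit whether the states set here still reach deployed workspaces; confirm which definition the service honours.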
@@ -77,11 +77,12 @@
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Threat Intelligence\\",
- "Version": "3.0.8",
+ "Version": "3.1.0",
 "TemplateSpec": true,
 "StaticDataConnectorIds": [
 "ThreatIntelligenceTaxii",
 "ThreatIntelligence",
- "MicrosoftDefenderThreatIntelligence"
+ "MicrosoftDefenderThreatIntelligence",
+ "PremiumMicrosoftDefenderForThreatIntelligence"
 ]
 }
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Package/3.1.0.zip b/Solutions/Threat Intelligence/Package/3.1.0.zip
new file mode 100644
index 00000000000..f18e971c10e
Binary files /dev/null and b/Solutions/Threat Intelligence/Package/3.1.0.zip differ
diff --git a/Solutions/Threat Intelligence/Package/mainTemplate.json b/Solutions/Threat Intelligence/Package/mainTemplate.json
index 98eaa5b1478..4dd41060621 100644
--- a/Solutions/Threat Intelligence/Package/mainTemplate.json
+++ b/Solutions/Threat Intelligence/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Threat Intelligence",
- "_solutionVersion": "3.0.9",
+ "_solutionVersion": "3.1.0",
 "solutionId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "ThreatIntelligenceTaxii",
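Review bot: The data file still ends without a trailing newline (`\ No newline at end of file` survives on the unchanged closing brace), so the next edit to the last `StaticDataConnectorIds` entry will again show up as a two-line change; add the newline while the file is being touched. The new id `PremiumMicrosoftDefenderForThreatIntelligence` carries a "For" that its sibling `MicrosoftDefenderThreatIntelligence` does not; it matches the `connectorKind` value in the instruction block removed from mainTemplate.json further down, so it is presumably the service-side kind, but a line in ReleaseNotes.md saying why the two ids differ would stop someone "correcting" it later. The version here jumps from 3.0.8 to 3.1.0 while the packaged template moves from 3.0.9, so this file had drifted one release behind the package before this commit; the release notes do not mention the skipped 3.0.9.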
@@ -444,11 +444,11 @@
 "_analyticRulecontentProductId46": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e2399891-383c-4caf-ae67-68a008b9f89e','-', '1.2.6')))]"
 },
 "analyticRuleObject47": {
- "analyticRuleVersion47": "1.0.4",
+ "analyticRuleVersion47": "1.0.5",
 "_analyticRulecontentId47": "aac495a9-feb1-446d-b08e-a1164a539452",
 "analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'aac495a9-feb1-446d-b08e-a1164a539452')]",
 "analyticRuleTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('aac495a9-feb1-446d-b08e-a1164a539452')))]",
- "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','aac495a9-feb1-446d-b08e-a1164a539452','-', '1.0.4')))]"
+ "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','aac495a9-feb1-446d-b08e-a1164a539452','-', '1.0.5')))]"
 },
 "analyticRuleObject48": {
 "analyticRuleVersion48": "1.0.3",
@@ -505,7 +505,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Threat Intelligence data connector with template version 3.0.9",
+ "description": "Threat Intelligence data connector with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -664,7 +664,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Threat Intelligence data connector with template version 3.0.9",
+ "description": "Threat Intelligence data connector with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion2')]",
@@ -823,7 +823,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Threat Intelligence data connector with template version 3.0.9",
+ "description": "Threat Intelligence data connector with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion3')]",
@@ -870,7 +870,7 @@
 }
 ],
 "availability": {
- "status": 1,
+ "status": 2,
 "isPreview": false
 },
 "permissions": {
@@ -1018,7 +1018,7 @@
 }
 ],
 "availability": {
- "status": 1,
+ "status": 2,
 "isPreview": false
 },
 "permissions": {
@@ -1066,7 +1066,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Threat Intelligence data connector with template version 3.0.9",
+ "description": "Threat Intelligence data connector with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion4')]",
@@ -1078,15 +1078,12 @@
 "apiVersion": "2021-03-01-preview",
 "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
 "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
+ "kind": "StaticUI",
 "properties": {
 "connectorUiConfig": {
 "id": "[variables('_uiConfigId4')]",
 "title": "Premium Microsoft Defender Threat Intelligence",
 "publisher": "Microsoft",
- "logo": {
- "type": 258
- },
 "descriptionMarkdown": "Microsoft Sentinel provides you the capability to import threat intelligence generated by Microsoft to enable monitoring, alerting and hunting. Use this data connector to import Indicators of Compromise (IOCs) from Microsoft Defender Threat Intelligence (MDTI) into Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes, etc. Note: This is a paid connector. To use and ingest data from it, please purchase the \"MDTI API Access\" SKU from the Partner Center.",
 "graphQueries": [
 {
@@ -1095,16 +1092,6 @@
 "baseQuery": "ThreatIntelligenceIndicator\n | where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\""
 }
 ],
- "sampleQueries": [
- {
- "description": "Summarize by threat type",
- "query": "ThreatIntelligenceIndicator\n| where ExpirationDateTime > now()\n| where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"\n| where ExpirationDateTime > now()\n| join ( SigninLogs ) on $left.NetworkIP == $right.IPAddress | summarize count() by ThreatType"
- },
- {
- "description": "Summarize by 1 hour bins",
- "query": "ThreatIntelligenceIndicator\n| where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"\n| where TimeGenerated >= ago(1d) | summarize count()"
- }
- ],
 "connectivityCriterias": [
 {
 "type": "SentinelKinds",
@@ -1118,49 +1105,6 @@
 "name": "ThreatIntelligenceIndicator",
 "lastDataReceivedQuery": "ThreatIntelligenceIndicator \n | where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
- ],
- "availability": {
- "status": 2,
- "isPreview": false,
- "featureFlag": {
- "feature": "premiummdticonnector",
- "featureStates": {
- "1": 1,
- "2": 1,
- "3": 1,
- "4": 1
- }
- }
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "title": "Use this data connector to import Indicators of Compromise (IOCs) from Premium Microsoft Defender Threat Intelligence (MDTI) into Microsoft Sentinel."
- },
- {
- "instructions": [
- {
- "type": "PremiumMicrosoftDefenderForThreatIntelligence",
- "parameters": {
- "connectorKind": "PremiumMicrosoftDefenderForThreatIntelligence"
- }
- }
- ]
- }
 ]
 }
 }
@@ -1241,7 +1185,7 @@
 "apiVersion": "2021-03-01-preview",
 "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
 "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
+ "kind": "StaticUI",
 "properties": {
 "connectorUiConfig": {
 "title": "Premium Microsoft Defender Threat Intelligence",
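Review bot: The switch to `"kind": "StaticUI"` on the second Premium MDTI resource goes together with the removal, in the hunk just above, of the `permissions` block that declared `read`, `write` and `delete` on the workspace and of the `instructionSteps` naming the `PremiumMicrosoftDefenderForThreatIntelligence` connector kind, so the RBAC an operator needs to enable this paid connector is no longer stated anywhere in this template. If the portal now renders that page itself for StaticUI connectors this is expected, but the required workspace permissions should still be documented in the connector's source definition or the solution README. It is also worth confirming that whatever the dropped `featureFlag` (`premiummdticonnector`, all four states set to 1) was gating is genuinely handled elsewhere, since this hunk removes the gate without a replacement. The enclosing resource starts before these hunks and ends after them.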
@@ -1268,59 +1212,6 @@
 ]
 }
 ],
- "sampleQueries": [
- {
- "description": "Summarize by threat type",
- "query": "ThreatIntelligenceIndicator\n| where ExpirationDateTime > now()\n| where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"\n| where ExpirationDateTime > now()\n| join ( SigninLogs ) on $left.NetworkIP == $right.IPAddress | summarize count() by ThreatType"
- },
- {
- "description": "Summarize by 1 hour bins",
- "query": "ThreatIntelligenceIndicator\n| where SourceSystem == \"Premium Microsoft Defender Threat Intelligence\"\n| where TimeGenerated >= ago(1d) | summarize count()​​"
- }
- ],
- "availability": {
- "status": 2,
- "isPreview": false,
- "featureFlag": {
- "feature": "premiummdticonnector",
- "featureStates": {
- "1": 1,
- "2": 1,
- "3": 1,
- "4": 1
- }
- }
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "title": "Use this data connector to import Indicators of Compromise (IOCs) from Premium Microsoft Defender Threat Intelligence (MDTI) into Microsoft Sentinel."
- },
- {
- "instructions": [
- {
- "type": "PremiumMicrosoftDefenderForThreatIntelligence",
- "parameters": {
- "connectorKind": "PremiumMicrosoftDefenderForThreatIntelligence"
- }
- }
- ]
- }
- ],
 "id": "[variables('_uiConfigId4')]"
 }
 }
@@ -1334,7 +1225,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence data connector with template version 3.0.9", + "description": "Threat Intelligence data connector with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion5')]", @@ -1493,7 +1384,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ThreatIntelligence Workbook with template version 3.0.9", + "description": "ThreatIntelligence Workbook with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -1597,7 +1488,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.0.9", + "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", 
@@ -1678,7 +1569,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.0.9", + "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -1759,7 +1650,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.0.9", + "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -1840,7 +1731,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.0.9", + "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", 
@@ -1921,7 +1812,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 3.0.9", + "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -2002,7 +1893,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -2058,8 +1949,8 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "HostName" } ], "entityType": "Host" @@ -2067,8 +1958,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } ], "entityType": "IP" @@ -2076,8 +1967,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "PA_Url" + "columnName": "PA_Url", + "identifier": "Url" } ], "entityType": "URL" 
@@ -2136,7 +2027,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DomainEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -2198,12 +2089,12 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -2211,8 +2102,8 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "FullName" } ], "entityType": "Host" @@ -2220,8 +2111,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -2229,8 +2120,8 @@ { "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "InitiatingProcessCommandLine" + "columnName": "InitiatingProcessCommandLine", + "identifier": "CommandLine" } ], "entityType": "Process" 
@@ -2289,7 +2180,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -2351,16 +2242,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -2368,8 +2259,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } ], "entityType": "IP" @@ -2377,8 +2268,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -2437,7 +2328,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DomainEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", 
@@ -2499,16 +2390,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "RecipientEmailAddress" + "columnName": "RecipientEmailAddress", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -2567,7 +2458,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DomainEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -2629,16 +2520,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "RecipientEmailAddress" + "columnName": "RecipientEmailAddress", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -2646,8 +2537,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" 
@@ -2706,7 +2597,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -2774,8 +2665,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } ], "entityType": "IP" 
@@ -2783,25 +2674,25 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" } ], "customDetails": { - "IoCExpirationTime": "ExpirationDateTime", "EventTime": "Event_TimeGenerated", - "IndicatorId": "IndicatorId", - "IoCConfidenceScore": "ConfidenceScore", + "IoCExpirationTime": "ExpirationDateTime", "ActivityGroupNames": "ActivityGroupNames", - "IoCDescription": "Description", - "ThreatType": "ThreatType" + "IoCConfidenceScore": "ConfidenceScore", + "ThreatType": "ThreatType", + "IndicatorId": "IndicatorId", + "IoCDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.", - "alertDisplayNameFormat": "A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC" + "alertDisplayNameFormat": "A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC", + "alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator." } } }, @@ -2856,7 +2747,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
@@ -2918,8 +2809,8 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "HostName" } ], "entityType": "Host" @@ -2927,8 +2818,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } ], "entityType": "IP" @@ -2936,8 +2827,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "PA_Url" + "columnName": "PA_Url", + "identifier": "Url" } ], "entityType": "URL" @@ -2996,7 +2887,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -3064,8 +2955,8 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" } ], "entityType": "Host" @@ -3073,8 +2964,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IP_addr" + "columnName": "IP_addr", + "identifier": "Address" } ], "entityType": "IP" @@ -3082,8 +2973,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" 
@@ -3142,7 +3033,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -3204,16 +3095,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -3221,8 +3112,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "HostIP" + "columnName": "HostIP", + "identifier": "Address" } ], "entityType": "IP" @@ -3230,8 +3121,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -3290,7 +3181,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", 
@@ -3352,16 +3243,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Caller" + "columnName": "Caller", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -3369,8 +3260,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "CallerIpAddress" + "columnName": "CallerIpAddress", + "identifier": "Address" } ], "entityType": "IP" @@ -3378,8 +3269,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -3438,7 +3329,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "EmailEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -3500,16 +3391,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "RecipientEmailAddress" + "columnName": "RecipientEmailAddress", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" 
@@ -3568,7 +3459,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", @@ -3630,16 +3521,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -3647,8 +3538,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } ], "entityType": "IP" @@ -3656,8 +3547,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -3716,7 +3607,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", 
@@ -3778,8 +3669,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "DestinationUserID" + "columnName": "DestinationUserID", + "identifier": "Name" } ], "entityType": "Account" @@ -3787,8 +3678,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } ], "entityType": "IP" @@ -3796,8 +3687,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -3856,7 +3747,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", @@ -3918,16 +3809,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "EntityEmail" + "columnName": "EntityEmail", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -3935,8 +3826,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" 
@@ -3995,7 +3886,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", @@ -4069,8 +3960,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "TargetUserName" + "columnName": "TargetUserName", + "identifier": "Name" } ], "entityType": "Account" @@ -4078,12 +3969,12 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -4091,8 +3982,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IpAddress" + "columnName": "IpAddress", + "identifier": "Address" } ], "entityType": "IP" @@ -4100,8 +3991,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" 
@@ -4160,7 +4051,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", @@ -4228,16 +4119,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserPrincipalName" + "columnName": "UserPrincipalName", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -4245,8 +4136,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "IPAddress", + "identifier": "Address" } ], "entityType": "IP" @@ -4254,8 +4145,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" 
@@ -4314,7 +4205,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", @@ -4376,16 +4267,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "SourceUserName" + "columnName": "SourceUserName", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -4393,16 +4284,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -4410,8 +4301,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } ], "entityType": "IP" @@ -4419,8 +4310,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" 
@@ -4428,12 +4319,12 @@ { "fieldMappings": [ { - "identifier": "Value", - "columnName": "FileHashValue" + "columnName": "FileHashValue", + "identifier": "Value" }, { - "identifier": "Algorithm", - "columnName": "FileHashType" + "columnName": "FileHashType", + "identifier": "Algorithm" } ], "entityType": "FileHash" @@ -4492,7 +4383,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_DeviceFileEvents_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "FileHashEntity_DeviceFileEvents_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", @@ -4554,16 +4445,16 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "RequestAccountName" + "columnName": "RequestAccountName", + "identifier": "Name" }, { - "identifier": "Sid", - "columnName": "RequestAccountSid" + "columnName": "RequestAccountSid", + "identifier": "Sid" }, { - "identifier": "NTDomain", - "columnName": "RequestAccountDomain" + "columnName": "RequestAccountDomain", + "identifier": "NTDomain" } ], "entityType": "Account" @@ -4571,12 +4462,12 @@ { "fieldMappings": [ { - "identifier": "Value", - "columnName": "FileHashValue" + "columnName": "FileHashValue", + "identifier": "Value" }, { - "identifier": "Algorithm", - "columnName": "FileHashType" + "columnName": "FileHashType", + "identifier": "Algorithm" } ], "entityType": "FileHash" @@ -4584,8 +4475,8 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "HostName" } ], "entityType": "Host" 
@@ -4644,7 +4535,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", @@ -4718,16 +4609,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Account" + "columnName": "Account", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } ], "entityType": "Account" @@ -4735,16 +4626,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -4752,8 +4643,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -4761,12 +4652,12 @@ { "fieldMappings": [ { - "identifier": "Value", - "columnName": "FileHashValue" + "columnName": "FileHashValue", + "identifier": "Value" }, { - "identifier": "Algorithm", - "columnName": "FileHashType" + "columnName": "FileHashType", + "identifier": "Algorithm" } ], "entityType": "FileHash" 
@@ -4825,7 +4716,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", @@ -4881,12 +4772,12 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -4894,8 +4785,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "CsUsername" + "columnName": "CsUsername", + "identifier": "Name" } ], "entityType": "Account" @@ -4903,8 +4794,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "CIp" + "columnName": "CIp", + "identifier": "Address" } ], "entityType": "IP" @@ -4912,8 +4803,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -4921,8 +4812,8 @@ { "fieldMappings": [ { - "identifier": "ResourceId", - "columnName": "_ResourceId" + "columnName": "_ResourceId", + "identifier": "ResourceId" } ], "entityType": "AzureResource" 
@@ -4984,7 +4875,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", @@ -5046,8 +4937,8 @@ { "fieldMappings": [ { - "identifier": "ObjectGuid", - "columnName": "UserIdentityUserName" + "columnName": "UserIdentityUserName", + "identifier": "ObjectGuid" } ], "entityType": "Account" @@ -5055,8 +4946,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIpAddress" + "columnName": "SourceIpAddress", + "identifier": "Address" } ], "entityType": "IP" @@ -5064,8 +4955,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -5124,7 +5015,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", 
@@ -5186,16 +5077,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Caller" + "columnName": "Caller", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -5203,8 +5094,8 @@ { "fieldMappings": [ { - "identifier": "AadUserId", - "columnName": "AadUserId" + "columnName": "AadUserId", + "identifier": "AadUserId" } ], "entityType": "Account" @@ -5212,8 +5103,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "CallerIpAddress" + "columnName": "CallerIpAddress", + "identifier": "Address" } ], "entityType": "IP" @@ -5221,8 +5112,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -5230,8 +5121,8 @@ { "fieldMappings": [ { - "identifier": "ResourceId", - "columnName": "ResourceId" + "columnName": "ResourceId", + "identifier": "ResourceId" } ], "entityType": "AzureResource" @@ -5290,7 +5181,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", @@ -5352,8 +5243,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "TI_ipEntity" + "columnName": "TI_ipEntity", + "identifier": "Address" } ], "entityType": "IP" 
@@ -5361,8 +5252,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -5421,7 +5312,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", @@ -5483,8 +5374,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } ], "entityType": "IP" @@ -5492,8 +5383,8 @@ { "fieldMappings": [ { - "identifier": "ResourceId", - "columnName": "ResourceId" + "columnName": "ResourceId", + "identifier": "ResourceId" } ], "entityType": "AzureResource" @@ -5552,7 +5443,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", 
@@ -5608,16 +5499,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -5625,8 +5516,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "TI_ipEntity" + "columnName": "TI_ipEntity", + "identifier": "Address" } ], "entityType": "IP" @@ -5634,8 +5525,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -5694,7 +5585,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", @@ -5756,8 +5647,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } ], "entityType": "IP" 
@@ -5816,7 +5707,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", @@ -5878,8 +5769,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "CS_ipEntity" + "columnName": "CS_ipEntity", + "identifier": "Address" } ], "entityType": "IP" @@ -5938,7 +5829,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "IPEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", @@ -6000,12 +5891,12 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -6013,8 +5904,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "TI_ipEntity" + "columnName": "TI_ipEntity", + "identifier": "Address" } ], "entityType": "IP" 
@@ -6022,8 +5913,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "RemoteUrl" + "columnName": "RemoteUrl", + "identifier": "Url" } ], "entityType": "URL" @@ -6031,8 +5922,8 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "HostName" } ], "entityType": "Host" @@ -6091,7 +5982,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", @@ -6153,16 +6044,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -6170,8 +6061,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } ], "entityType": "IP" @@ -6179,8 +6070,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" 
@@ -6239,7 +6130,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", @@ -6307,25 +6198,25 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "DstIpAddr" + "columnName": "DstIpAddr", + "identifier": "Address" } ], "entityType": "IP" } ], "customDetails": { - "IoCExpirationTime": "ExpirationDateTime", "EventTime": "imNWS_TimeGenerated", - "IndicatorId": "IndicatorId", - "IoCConfidenceScore": "ConfidenceScore", + "IoCExpirationTime": "ExpirationDateTime", "ActivityGroupNames": "ActivityGroupNames", - "IoCDescription": "Description", - "ThreatType": "ThreatType" + "IoCConfidenceScore": "ConfidenceScore", + "ThreatType": "ThreatType", + "IndicatorId": "IndicatorId", + "IoCDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator.", - "alertDisplayNameFormat": "The IP {{SrcIpAddr}} of the web request matches an IP IoC" + "alertDisplayNameFormat": "The IP {{SrcIpAddr}} of the web request matches an IP IoC", + "alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator." } } }, 
@@ -6380,7 +6271,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]", @@ -6442,16 +6333,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -6459,8 +6350,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "TI_ipEntity" + "columnName": "TI_ipEntity", + "identifier": "Address" } ], "entityType": "IP" @@ -6468,8 +6359,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -6528,7 +6419,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "IPEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", 
@@ -6596,16 +6487,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserPrincipalName" + "columnName": "UserPrincipalName", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -6613,8 +6504,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "IPAddress", + "identifier": "Address" } ], "entityType": "IP" @@ -6622,8 +6513,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -6682,7 +6573,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]", @@ -6744,12 +6635,12 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -6757,8 +6648,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "RemoteIp" + "columnName": "RemoteIp", + "identifier": "Address" } ], "entityType": "IP" 
@@ -6766,8 +6657,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -6826,7 +6717,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]", @@ -6888,8 +6779,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "csUserName" + "columnName": "csUserName", + "identifier": "Name" } ], "entityType": "Account" @@ -6897,8 +6788,8 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "HostName" } ], "entityType": "Host" @@ -6906,8 +6797,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "cIP" + "columnName": "cIP", + "identifier": "Address" } ], "entityType": "IP" @@ -6915,8 +6806,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" 
@@ -6975,7 +6866,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]", @@ -7037,16 +6928,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "userPrincipalName" + "columnName": "userPrincipalName", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -7054,16 +6945,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "TargetResourceDisplayName" + "columnName": "TargetResourceDisplayName", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -7071,8 +6962,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" 
@@ -7131,7 +7022,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "URLEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]", @@ -7193,12 +7084,12 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -7206,8 +7097,8 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "FullName" } ], "entityType": "Host" @@ -7215,8 +7106,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -7224,8 +7115,8 @@ { "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "InitiatingProcessCommandLine" + "columnName": "InitiatingProcessCommandLine", + "identifier": "CommandLine" } ], "entityType": "Process" 
@@ -7284,7 +7175,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "URLEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]", @@ -7346,16 +7237,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "RecipientEmailAddress" + "columnName": "RecipientEmailAddress", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -7363,8 +7254,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -7423,7 +7314,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "URLEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]", 
@@ -7485,16 +7376,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "User" + "columnName": "User", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -7502,8 +7393,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -7562,7 +7453,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]", @@ -7624,8 +7515,8 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "HostName" } ], "entityType": "Host" @@ -7633,8 +7524,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } ], "entityType": "IP" @@ -7642,8 +7533,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "PA_Url" + "columnName": "PA_Url", + "identifier": "Url" } ], "entityType": "URL" 
@@ -7702,7 +7593,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]", @@ -7770,8 +7661,8 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "Compromised_Host" + "columnName": "Compromised_Host", + "identifier": "HostName" } ], "entityType": "Host" @@ -7779,8 +7670,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -7839,7 +7730,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]", @@ -7901,8 +7792,8 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "HostName" } ], "entityType": "Host" @@ -7910,8 +7801,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "HostIP" + "columnName": "HostIP", + "identifier": "Address" } ], "entityType": "IP" 
@@ -7919,8 +7810,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -7979,7 +7870,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_UrlClickEvents_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "URLEntity_UrlClickEvents_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]", @@ -8041,16 +7932,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "AccountUpn" + "columnName": "AccountUpn", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -8058,8 +7949,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -8118,7 +8009,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]", 
@@ -8180,16 +8071,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "user_name_s" + "columnName": "user_name_s", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -8197,8 +8088,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "access_device_ip_s" + "columnName": "access_device_ip_s", + "identifier": "Address" } ], "entityType": "IP" @@ -8257,7 +8148,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "imDns_DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "imDns_DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]", @@ -8361,16 +8252,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Dvc" + "columnName": "Dvc", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -8378,8 +8269,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } ], "entityType": "IP" @@ -8387,8 +8278,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" 
@@ -8396,25 +8287,25 @@
 {
 "fieldMappings": [
 {
- "identifier": "DomainName",
- "columnName": "Domain"
+ "columnName": "Domain",
+ "identifier": "DomainName"
 }
 ],
 "entityType": "DNS"
 }
 ],
 "customDetails": {
- "ExpirationDateTime": "ExpirationDateTime",
- "LatestIndicatorTime": "LatestIndicatorTime",
- "DnsQuery": "DnsQuery",
 "DNSRequestTime": "DNS_TimeGenerated",
- "QueryType": "DnsQueryType",
- "IndicatorId": "IndicatorId",
+ "DnsQuery": "DnsQuery",
 "ActivityGroupNames": "ActivityGroupNames",
+ "LatestIndicatorTime": "LatestIndicatorTime",
+ "ConfidenceScore": "ConfidenceScore",
+ "Description": "Description",
+ "QueryType": "DnsQueryType",
 "SourceIPAddress": "SrcIpAddr",
+ "ExpirationDateTime": "ExpirationDateTime",
 "ThreatType": "ThreatType",
- "ConfidenceScore": "ConfidenceScore",
- "Description": "Description"
+ "IndicatorId": "IndicatorId"
 }
 }
 },
@@ -8469,7 +8360,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "imDns_IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "imDns_IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]",
@@ -8573,8 +8464,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Dvc"
+ "columnName": "Dvc",
+ "identifier": "FullName"
 }
 ],
 "entityType": "Host"
@@ -8582,8 +8473,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IoC"
+ "columnName": "IoC",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -8591,28 +8482,28 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "SrcIpAddr"
+ "columnName": "SrcIpAddr",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
 }
 ],
 "customDetails": {
- "ExpirationDateTime": "ExpirationDateTime",
- "LatestIndicatorTime": "LatestIndicatorTime",
- "DnsQuery": "DnsQuery",
 "DNSRequestTime": "imDns_mintime",
- "IndicatorId": "IndicatorId",
+ "DnsQuery": "DnsQuery",
 "ActivityGroupNames": "ActivityGroupNames",
+ "LatestIndicatorTime": "LatestIndicatorTime",
+ "ConfidenceScore": "ConfidenceScore",
+ "Description": "Description",
 "SourceIPAddress": "SrcIpAddr",
+ "ExpirationDateTime": "ExpirationDateTime",
 "ThreatType": "ThreatType",
- "ConfidenceScore": "ConfidenceScore",
- "Description": "Description"
+ "IndicatorId": "IndicatorId"
 },
 "alertDetailsOverride": {
- "alertDescriptionFormat": "The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.",
- "alertDisplayNameFormat": "The response {{IoC}} to DNS query matched an IoC"
+ "alertDisplayNameFormat": "The response {{IoC}} to DNS query matched an IoC",
+ "alertDescriptionFormat": "The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator."
 }
 }
 },
@@ -8667,7 +8558,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]",
@@ -8814,27 +8705,27 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IoCIP"
+ "columnName": "IoCIP",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
 }
 ],
 "customDetails": {
- "EventEndTime": "imNWS_maxtime",
- "IoCExpirationTime": "ExpirationDateTime",
+ "ActivityGroupNames": "ActivityGroupNames",
 "EventStartTime": "imNWS_mintime",
- "IndicatorId": "IndicatorId",
+ "IoCExpirationTime": "ExpirationDateTime",
 "IoCConfidenceScore": "ConfidenceScore",
- "ActivityGroupNames": "ActivityGroupNames",
- "IoCDescription": "Description",
+ "IoCIPDirection": "IoCDirection",
+ "EventEndTime": "imNWS_maxtime",
 "ThreatType": "ThreatType",
- "IoCIPDirection": "IoCDirection"
+ "IndicatorId": "IndicatorId",
+ "IoCDescription": "Description"
 },
 "alertDetailsOverride": {
- "alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.",
- "alertDisplayNameFormat": "A network session {{IoCDirection}} address {{IoCIP}} matched an IoC."
+ "alertDisplayNameFormat": "A network session {{IoCDirection}} address {{IoCIP}} matched an IoC.",
+ "alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator."
 }
 }
 },
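Review bot: The reordered `alertDescriptionFormat` line in this hunk carries over a typo in user-facing alert text: `Consult the threat intelligence blead for more information on the indicator.` should read `Consult the threat intelligence blade for more information on the indicator.`, matching the spelling used by the imDns_IPEntity_DnsEvents rule earlier in this diff. Because mainTemplate.json is generated output, the fix belongs in the source rule for IPEntity_imNetworkSession named in the preceding description hunk, followed by a regeneration of the package.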
@@ -8889,7 +8780,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Threat Intel Matches to GitHub Audit Logs_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "Threat Intel Matches to GitHub Audit Logs_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]",
@@ -8906,7 +8797,7 @@
 "description": "Identifies a match in GitHub_CL table from any IP IOC from TI",
 "displayName": "TI map IP entity to GitHub_CL",
 "enabled": false,
- "query": "let dt_lookBack = 1h; // Look back 1 hour for VMConnection events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\nThreatIntelligenceIndicator\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| where Action == true\n| where TimeGenerated >= ago(ioc_lookBack)\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| join (\n GitHubAudit\n | where TimeGenerated >= ago(dt_lookBack)\n | extend GitHubAudit_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.IPaddress\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\n",
+ "query": "let dt_lookBack = 1h; // Look back 1 hour for VMConnection events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\nThreatIntelligenceIndicator\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| where Action == true\n| where TimeGenerated >= ago(ioc_lookBack)\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| join (\n GitHubAudit\n | where TimeGenerated >= ago(dt_lookBack)\n | extend GitHubAudit_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.IPaddress\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "P14D",
 "severity": "Medium",
@@ -8945,8 +8836,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "Actor",
+ "identifier": "FullName"
 }
 ],
 "entityType": "Account"
@@ -8954,8 +8845,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPaddress",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
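Review bot: The new `query` line keeps `| where Action == true` on ThreatIntelligenceIndicator before the join; as far as I know `Action` is a string column in that table (the indicator's recommended action), so the comparison either fails type checking or excludes every indicator, and the intended filter `| where Active == true and ExpirationDateTime > now()` already appears later in the pipeline, so the earlier line is best removed rather than repaired. The leading comment `// Look back 1 hour for VMConnection events` is stale for a query over GitHubAudit, and `description` and `displayName` still refer to a `GitHub_CL` table that the query does not read; `// Look back 1 hour for GitHubAudit events` and a display name naming GitHubAudit would keep the rule's documentation honest. The two following hunks (`@@ -8945` and `@@ -8954`) correctly move the entity mappings to `Actor` and `IPaddress` now that the `extend` producing `IPCustomEntity` and `AccountCustomEntity` is gone, so nothing further is needed there.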
@@ -9014,7 +8905,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DomainEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "DomainEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject48').analyticRuleVersion48]",
@@ -9064,8 +8955,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "DomainName",
- "columnName": "DomainName"
+ "columnName": "DomainName",
+ "identifier": "DomainName"
 }
 ],
 "entityType": "DNS"
@@ -9073,8 +8964,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPAddress"
+ "columnName": "IPAddress",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -9133,7 +9024,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "EmailEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "EmailEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]",
@@ -9183,16 +9074,16 @@
 {
 "fieldMappings": [
 {
- "identifier": "DisplayName",
- "columnName": "Name"
+ "columnName": "Name",
+ "identifier": "DisplayName"
 },
 {
- "identifier": "FullName",
- "columnName": "User_Id"
+ "columnName": "User_Id",
+ "identifier": "FullName"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
 }
 ],
 "entityType": "Account"
@@ -9251,7 +9142,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FileHashEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "FileHashEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject50').analyticRuleVersion50]",
@@ -9307,8 +9198,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "DestinationIP"
+ "columnName": "DestinationIP",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -9316,8 +9207,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "SourceIP"
+ "columnName": "SourceIP",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -9325,8 +9216,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "HostName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "HostName"
 }
 ],
 "entityType": "Host"
@@ -9334,12 +9225,12 @@
 {
 "fieldMappings": [
 {
- "identifier": "Value",
- "columnName": "FileHashValue"
+ "columnName": "FileHashValue",
+ "identifier": "Value"
 },
 {
- "identifier": "Algorithm",
- "columnName": "FileHashType"
+ "columnName": "FileHashType",
+ "identifier": "Algorithm"
 }
 ],
 "entityType": "FileHash"
@@ -9398,7 +9289,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "IPEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "IPEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject51').analyticRuleVersion51]",
@@ -9448,8 +9339,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "TI_ipEntity"
+ "columnName": "TI_ipEntity",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -9457,8 +9348,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "NetworkDestinationIP"
+ "columnName": "NetworkDestinationIP",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -9466,8 +9357,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "NetworkSourceIP"
+ "columnName": "NetworkSourceIP",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -9475,8 +9366,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "EmailSourceIPAddress"
+ "columnName": "EmailSourceIPAddress",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -9535,7 +9426,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "URLEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "URLEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject52').analyticRuleVersion52]",
@@ -9585,16 +9476,16 @@
 {
 "fieldMappings": [
 {
- "identifier": "ObjectGuid",
- "columnName": "AccountObjectId"
+ "columnName": "AccountObjectId",
+ "identifier": "ObjectGuid"
 },
 {
- "identifier": "FullName",
- "columnName": "userPrincipalName"
+ "columnName": "userPrincipalName",
+ "identifier": "FullName"
 },
 {
- "identifier": "DisplayName",
- "columnName": "AccountDisplayName"
+ "columnName": "AccountDisplayName",
+ "identifier": "DisplayName"
 }
 ],
 "entityType": "Account"
@@ -9602,8 +9493,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Url",
- "columnName": "Url"
+ "columnName": "Url",
+ "identifier": "Url"
 }
 ],
 "entityType": "URL"
@@ -9611,8 +9502,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPAddress"
+ "columnName": "IPAddress",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -9620,12 +9511,12 @@
 {
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "Application"
+ "columnName": "Application",
+ "identifier": "Name"
 },
 {
- "identifier": "AppId",
- "columnName": "ApplicationID"
+ "columnName": "ApplicationID",
+ "identifier": "AppId"
 }
 ],
 "entityType": "CloudApplication"
@@ -9684,7 +9575,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "IPEntity_Workday_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "IPEntity_Workday_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject53').analyticRuleVersion53]",
@@ -9746,16 +9637,16 @@
 {
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "ActorUsername"
+ "columnName": "ActorUsername",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "Name"
+ "columnName": "Name",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
 }
 ],
 "entityType": "Account"
@@ -9763,8 +9654,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "DvcIpAddr"
+ "columnName": "DvcIpAddr",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -9819,7 +9710,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.9",
+ "version": "3.1.0",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Threat Intelligence",
diff --git a/Solutions/Threat Intelligence/ReleaseNotes.md b/Solutions/Threat Intelligence/ReleaseNotes.md
index 07462f00975..bf00a464127 100644
--- a/Solutions/Threat Intelligence/ReleaseNotes.md
+++ b/Solutions/Threat Intelligence/ReleaseNotes.md
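Review bot: The solution `version` in the last hunk here is bumped to `"3.1.0"`, and every rule description in this diff says `template version 3.1.0`, but the ReleaseNotes.md row added by the same commit records `3.0.10`, with a date of `01-15-2025` that does not fit the table's DD-MM-YYYY header; one of the two version numbers is wrong and the date should read `15-01-2025` if 15 January was meant. The release-note text also mentions only feature-flag updates, whereas this diff additionally rewrites the GitHub audit rule's query and entity mappings, which deserves a line of its own for anyone tracking analytic-rule behaviour across versions.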
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.0.10 | 01-15-2025 | Updated feature flags for PMDTI and MDTI for GA, and Upload API for PP. |
 | 3.0.9 | 04-12-2024 | Modified DomainEntity_EmailUrlInfo **Analytic Rule** to resolve memory issues |
 | 3.0.8 | 28-11-2024 | Removed (Preview) from name for **Data Connectors** Microsoft Defender Threat Intelligence and Premium Microsoft Defender Threat Intelligence, make the MDTI and PMDTI data connctors available in gov solution, and update descriptions of data connectors. |
 | 3.0.7 | 24-10-2024 | Updated Columns of **Analytical Rules** |