[skip ci] Github Bot Added package to Pull Request!

Azure · Nov 13, 2023 · 0d5e686 · 0d5e686
1 parent 90a4b98
commit 0d5e686
Show file tree

Hide file tree

Showing 4 changed files with 9,032 additions and 9,449 deletions.
diff --git a/Solutions/Microsoft Entra ID/Data/system_generated_metadata.json b/Solutions/Microsoft Entra ID/Data/system_generated_metadata.json
@@ -1,13 +1,13 @@
 {
   "Name": "Microsoft Entra ID",
   "Author": "Microsoft - support@microsoft.com",
-  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/azureactivedirectory_logo.svg\"width=\"75px\" height=\"75px\">",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg\"width=\"75px\" height=\"75px\">",
   "Description": "The [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)  solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.",
   "BasePath": "C:\\GitHub\\Azure-Sentinel",
+  "Version": "3.0.7",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1PConnector": true,
-  "Version": "3.0.7",
   "publisherId": "azuresentinel",
   "offerId": "azure-sentinel-solution-azureactivedirectory",
   "providers": [
@@ -41,5 +41,5 @@
     "Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json"
   ],
   "Workbooks": "[\n  \"AzureActiveDirectoryAuditLogs.json\",\n  \"AzureActiveDirectorySignins.json\"\n]",
-  "Analytic Rules": "[\n  \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n  \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n  \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n  \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n  \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n  \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n  \"AccountCreatedDeletedByNonApprovedUser.yaml\",\n  \"ADFSDomainTrustMods.yaml\",\n  \"ADFSSignInLogsPasswordSpray.yaml\",\n  \"AdminPromoAfterRoleMgmtAppPermissionGrant.yaml\",\n  \"AnomalousUserAppSigninLocationIncrease-detection.yaml\",\n  \"AuthenticationMethodsChangedforPrivilegedAccount.yaml\",\n  \"AzureAADPowerShellAnomaly.yaml\",\n  \"AzureADRoleManagementPermissionGrant.yaml\",\n  \"AzurePortalSigninfromanotherAzureTenant.yaml\",\n  \"Brute Force Attack against GitHub Account.yaml\",\n  \"BruteForceCloudPC.yaml\",\n  \"BulkChangestoPrivilegedAccountPermissions.yaml\",\n  \"BypassCondAccessRule.yaml\",\n  \"CredentialAddedAfterAdminConsent.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationAdded.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationDeleted.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml\",\n  \"DisabledAccountSigninsAcrossManyApplications.yaml\",\n  \"DistribPassCrackAttempt.yaml\",\n  \"ExplicitMFADeny.yaml\",\n  \"ExchangeFullAccessGrantedToApp.yaml\",\n  \"FailedLogonToAzurePortal.yaml\",\n  \"FirstAppOrServicePrincipalCredential.yaml\",\n  \"GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml\",\n  \"MailPermissionsAddedToApplication.yaml\",\n  \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n  \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n  \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n  \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n  \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n  \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n  \"MaliciousOAuthApp_PwnAuth.yaml\",\n  \"MFARejectedbyUser.yaml\",\n  \"MultipleAdmin_membership_removals_from_NewAdmin.yaml\",\n  \"NewAppOrServicePrincipalCredential.yaml\",\n  \"NRT_ADFSDomainTrustMods.yaml\",\n  \"NRT_AuthenticationMethodsChangedforVIPUsers.yaml\",\n  \"nrt_FirstAppOrServicePrincipalCredential.yaml\",\n  \"NRT_NewAppOrServicePrincipalCredential.yaml\",\n  \"NRT_PIMElevationRequestRejected.yaml\",\n  \"NRT_PrivlegedRoleAssignedOutsidePIM.yaml\",\n  \"NRT_UseraddedtoPrivilgedGroups.yaml\",\n  \"PIMElevationRequestRejected.yaml\",\n  \"PrivilegedAccountsSigninFailureSpikes.yaml\",\n  \"PrivlegedRoleAssignedOutsidePIM.yaml\",\n  \"RareApplicationConsent.yaml\",\n  \"SeamlessSSOPasswordSpray.yaml\",\n  \"Sign-in Burst from Multiple Locations.yaml\",\n  \"SigninAttemptsByIPviaDisabledAccounts.yaml\",\n  \"SigninBruteForce-AzurePortal.yaml\",\n  \"SigninPasswordSpray.yaml\",\n  \"SuccessThenFail_DiffIP_SameUserandApp.yaml\",\n  \"SuspiciousAADJoinedDeviceUpdate.yaml\",\n  \"SuspiciousOAuthApp_OfflineAccess.yaml\",\n  \"SuspiciousServicePrincipalcreationactivity.yaml\",\n  \"UnusualGuestActivity.yaml\",\n  \"UserAccounts-CABlockedSigninSpikes.yaml\",\n  \"UseraddedtoPrivilgedGroups.yaml\",\n  \"UserAssignedPrivilegedRole.yaml\",\n  \"NewOnmicrosoftDomainAdded.yaml\",\n  \"SuspiciousSignInFollowedByMFAModification.yaml\"\n]"
+  "Analytic Rules": "[\n  \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n  \"AccountCreatedDeletedByNonApprovedUser.yaml\",\n  \"ADFSDomainTrustMods.yaml\",\n  \"ADFSSignInLogsPasswordSpray.yaml\",\n  \"AdminPromoAfterRoleMgmtAppPermissionGrant.yaml\",\n  \"AnomalousUserAppSigninLocationIncrease-detection.yaml\",\n  \"AuthenticationMethodsChangedforPrivilegedAccount.yaml\",\n  \"AzureAADPowerShellAnomaly.yaml\",\n  \"AzureADRoleManagementPermissionGrant.yaml\",\n  \"AzurePortalSigninfromanotherAzureTenant.yaml\",\n  \"Brute Force Attack against GitHub Account.yaml\",\n  \"BruteForceCloudPC.yaml\",\n  \"BulkChangestoPrivilegedAccountPermissions.yaml\",\n  \"BypassCondAccessRule.yaml\",\n  \"CredentialAddedAfterAdminConsent.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationAdded.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationDeleted.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml\",\n  \"DisabledAccountSigninsAcrossManyApplications.yaml\",\n  \"DistribPassCrackAttempt.yaml\",\n  \"ExplicitMFADeny.yaml\",\n  \"ExchangeFullAccessGrantedToApp.yaml\",\n  \"FailedLogonToAzurePortal.yaml\",\n  \"FirstAppOrServicePrincipalCredential.yaml\",\n  \"GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml\",\n  \"MailPermissionsAddedToApplication.yaml\",\n  \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n  \"MaliciousOAuthApp_PwnAuth.yaml\",\n  \"MFARejectedbyUser.yaml\",\n  \"MFASpammingfollowedbySuccessfullogin.yaml\",\n  \"MultipleAdmin_membership_removals_from_NewAdmin.yaml\",\n  \"NewOnmicrosoftDomainAdded.yaml\",\n  \"NewAppOrServicePrincipalCredential.yaml\",\n  \"NRT_ADFSDomainTrustMods.yaml\",\n  \"NRT_AuthenticationMethodsChangedforVIPUsers.yaml\",\n  \"nrt_FirstAppOrServicePrincipalCredential.yaml\",\n  \"NRT_NewAppOrServicePrincipalCredential.yaml\",\n  \"NRT_PIMElevationRequestRejected.yaml\",\n  \"NRT_PrivlegedRoleAssignedOutsidePIM.yaml\",\n  \"NRT_UseraddedtoPrivilgedGroups.yaml\",\n  \"PIMElevationRequestRejected.yaml\",\n  \"PrivilegedAccountsSigninFailureSpikes.yaml\",\n  \"PrivlegedRoleAssignedOutsidePIM.yaml\",\n  \"RareApplicationConsent.yaml\",\n  \"SeamlessSSOPasswordSpray.yaml\",\n  \"Sign-in Burst from Multiple Locations.yaml\",\n  \"SigninAttemptsByIPviaDisabledAccounts.yaml\",\n  \"SigninBruteForce-AzurePortal.yaml\",\n  \"SigninPasswordSpray.yaml\",\n  \"SuccessThenFail_DiffIP_SameUserandApp.yaml\",\n  \"SuspiciousAADJoinedDeviceUpdate.yaml\",\n  \"SuspiciousOAuthApp_OfflineAccess.yaml\",\n  \"SuspiciousServicePrincipalcreationactivity.yaml\",\n  \"SuspiciousSignInFollowedByMFAModification.yaml\",\n  \"UnusualGuestActivity.yaml\",\n  \"UserAccounts-CABlockedSigninSpikes.yaml\",\n  \"UseraddedtoPrivilgedGroups.yaml\",\n  \"UserAssignedNewPrivilegedRole.yaml\",\n  \"UserAssignedPrivilegedRole.yaml\"\n]"
 }
diff --git a/Solutions/Microsoft Entra ID/Package/3.0.7.zip b/Solutions/Microsoft Entra ID/Package/3.0.7.zip
diff --git a/Solutions/Microsoft Entra ID/Package/createUiDefinition.json b/Solutions/Microsoft Entra ID/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)  solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 62, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)  solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Workbooks:** 2, **Analytic Rules:** 62, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -51,30 +51,6 @@
       }
     ],
     "steps": [
-      {
-        "name": "dataconnectors",
-        "label": "Data Connectors",
-        "bladeTitle": "Data Connectors",
-        "elements": [
-          {
-            "name": "dataconnectors1-text",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "text": "This Solution installs the data connector for Microsoft Entra ID. You can get Microsoft Entra ID custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
-            }
-          },
-          {
-            "name": "dataconnectors-link2",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "link": {
-                "label": "Learn more about connecting data sources",
-                "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
-              }
-            }
-          }
-        ]
-      },
       {
         "name": "workbooks",
         "label": "Workbooks",