diff --git a/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_folders_above_threshold.yaml b/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_folders_above_threshold.yaml index 5732dc3c25c..8f8daec3070 100644 --- a/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_folders_above_threshold.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_folders_above_threshold.yaml @@ -1,5 +1,5 @@ id: 8a547285-801c-4290-aa2e-5e7e20ca157d -name: Office365 Sharepoint File transfer above threshold +name: Office365 Sharepoint File transfer Folders above threshold description: | 'Identifies Office365 Sharepoint File Transfers with distinct folder count above certain threshold in a 15min time period. Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.' @@ -55,5 +55,5 @@ incidentConfiguration: - Account groupByAlertDetails: [] groupByCustomDetails: [] -version: 1.0.5 +version: 1.0.6 kind: Scheduled diff --git a/Solutions/Microsoft 365/Package/3.0.4.zip b/Solutions/Microsoft 365/Package/3.0.4.zip new file mode 100644 index 00000000000..b80a325d96d Binary files /dev/null and b/Solutions/Microsoft 365/Package/3.0.4.zip differ diff --git a/Solutions/Microsoft 365/Package/createUiDefinition.json b/Solutions/Microsoft 365/Package/createUiDefinition.json index fb6f194be07..daed1e6ff9b 100644 --- a/Solutions/Microsoft 365/Package/createUiDefinition.json +++ b/Solutions/Microsoft 365/Package/createUiDefinition.json @@ -356,7 +356,7 @@ { "name": "analytic14", "type": "Microsoft.Common.Section", - "label": "Office365 Sharepoint File transfer above threshold", + "label": "Office365 Sharepoint File transfer Folders above threshold", "elements": [ { "name": "analytic14-text", diff --git a/Solutions/Microsoft 365/Package/mainTemplate.json b/Solutions/Microsoft 365/Package/mainTemplate.json index b7d61c913bf..0b9ecc066fb 100644 --- a/Solutions/Microsoft 365/Package/mainTemplate.json +++ b/Solutions/Microsoft 365/Package/mainTemplate.json @@ -57,7 +57,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Microsoft 365", - "_solutionVersion": "3.0.3", + "_solutionVersion": "3.0.4", "solutionId": "azuresentinel.azure-sentinel-solution-office365", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "Office365", @@ -285,11 +285,11 @@ "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fbd72eb8-087e-466b-bd54-1ca6ea08c6d3','-', '2.0.3')))]" }, "analyticRuleObject14": { - "analyticRuleVersion14": "1.0.5", + "analyticRuleVersion14": "1.0.6", "_analyticRulecontentId14": "8a547285-801c-4290-aa2e-5e7e20ca157d", "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8a547285-801c-4290-aa2e-5e7e20ca157d')]", "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8a547285-801c-4290-aa2e-5e7e20ca157d')))]", - "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8a547285-801c-4290-aa2e-5e7e20ca157d','-', '1.0.5')))]" + "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8a547285-801c-4290-aa2e-5e7e20ca157d','-', '1.0.6')))]" }, "analyticRuleObject15": { "analyticRuleVersion15": "1.0.5", @@ -310,7 +310,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft 365 data connector with template version 3.0.3", + "description": "Microsoft 365 data connector with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -505,7 +505,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SharePointAndOneDrive Workbook with template version 3.0.3", + "description": "SharePointAndOneDrive Workbook with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -593,7 +593,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Office365 Workbook with template version 3.0.3", + "description": "Office365 Workbook with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -681,7 +681,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeOnline Workbook with template version 3.0.3", + "description": "ExchangeOnline Workbook with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion3')]", @@ -769,7 +769,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AnomolousUserAccessingOtherUsersMailbox_HuntingQueries Hunting Query with template version 3.0.3", + "description": "AnomolousUserAccessingOtherUsersMailbox_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -854,7 +854,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExternalUserAddedRemovedInTeams_HuntVersion_HuntingQueries Hunting Query with template version 3.0.3", + "description": "ExternalUserAddedRemovedInTeams_HuntVersion_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -939,7 +939,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExternalUserFromNewOrgAddedToTeams_HuntingQueries Hunting Query with template version 3.0.3", + "description": "ExternalUserFromNewOrgAddedToTeams_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -1024,7 +1024,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Mail_redirect_via_ExO_transport_rule_hunting_HuntingQueries Hunting Query with template version 3.0.3", + "description": "Mail_redirect_via_ExO_transport_rule_hunting_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -1109,7 +1109,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultiTeamBot_HuntingQueries Hunting Query with template version 3.0.3", + "description": "MultiTeamBot_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -1194,7 +1194,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultiTeamOwner_HuntingQueries Hunting Query with template version 3.0.3", + "description": "MultiTeamOwner_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -1279,7 +1279,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultipleTeamsDeletes_HuntingQueries Hunting Query with template version 3.0.3", + "description": "MultipleTeamsDeletes_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -1364,7 +1364,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewBotAddedToTeams_HuntingQueries Hunting Query with template version 3.0.3", + "description": "NewBotAddedToTeams_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -1449,7 +1449,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "New_WindowsReservedFileNamesOnOfficeFileServices_HuntingQueries Hunting Query with template version 3.0.3", + "description": "New_WindowsReservedFileNamesOnOfficeFileServices_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -1534,7 +1534,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OfficeMailForwarding_hunting_HuntingQueries Hunting Query with template version 3.0.3", + "description": "OfficeMailForwarding_hunting_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", @@ -1619,7 +1619,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TeamsFilesUploaded_HuntingQueries Hunting Query with template version 3.0.3", + "description": "TeamsFilesUploaded_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject11').huntingQueryVersion11]", @@ -1704,7 +1704,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserAddToTeamsAndUploadsFile_HuntingQueries Hunting Query with template version 3.0.3", + "description": "UserAddToTeamsAndUploadsFile_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject12').huntingQueryVersion12]", @@ -1789,7 +1789,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WindowsReservedFileNamesOnOfficeFileServices_HuntingQueries Hunting Query with template version 3.0.3", + "description": "WindowsReservedFileNamesOnOfficeFileServices_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject13').huntingQueryVersion13]", @@ -1874,7 +1874,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "double_file_ext_exes_HuntingQueries Hunting Query with template version 3.0.3", + "description": "double_file_ext_exes_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject14').huntingQueryVersion14]", @@ -1959,7 +1959,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "new_adminaccountactivity_HuntingQueries Hunting Query with template version 3.0.3", + "description": "new_adminaccountactivity_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject15').huntingQueryVersion15]", @@ -2044,7 +2044,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "new_sharepoint_downloads_by_IP_HuntingQueries Hunting Query with template version 3.0.3", + "description": "new_sharepoint_downloads_by_IP_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject16').huntingQueryVersion16]", @@ -2129,7 +2129,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "new_sharepoint_downloads_by_UserAgent_HuntingQueries Hunting Query with template version 3.0.3", + "description": "new_sharepoint_downloads_by_UserAgent_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject17').huntingQueryVersion17]", @@ -2214,7 +2214,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "nonowner_MailboxLogin_HuntingQueries Hunting Query with template version 3.0.3", + "description": "nonowner_MailboxLogin_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject18').huntingQueryVersion18]", @@ -2299,7 +2299,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "powershell_or_nonbrowser_MailboxLogin_HuntingQueries Hunting Query with template version 3.0.3", + "description": "powershell_or_nonbrowser_MailboxLogin_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject19').huntingQueryVersion19]", @@ -2384,7 +2384,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "sharepoint_downloads_HuntingQueries Hunting Query with template version 3.0.3", + "description": "sharepoint_downloads_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject20').huntingQueryVersion20]", @@ -2469,7 +2469,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultipleUsersEmailForwardedToSameDestination_HuntingQueries Hunting Query with template version 3.0.3", + "description": "MultipleUsersEmailForwardedToSameDestination_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject21').huntingQueryVersion21]", @@ -2554,7 +2554,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "External User added to Team and immediately uploads file_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "External User added to Team and immediately uploads file_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -2582,16 +2582,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Teams)" - ] + ], + "connectorId": "Office365" }, { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity (SharePoint)" - ] + ], + "connectorId": "Office365" } ], "tactics": [ @@ -2715,7 +2715,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExternalUserAddedRemovedInTeams_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "ExternalUserAddedRemovedInTeams_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -2743,10 +2743,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Teams)" - ] + ], + "connectorId": "Office365" } ], "tactics": [ @@ -2870,7 +2870,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MailItemsAccessedTimeSeries_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "MailItemsAccessedTimeSeries_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -2898,10 +2898,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Exchange)" - ] + ], + "connectorId": "Office365" } ], "tactics": [ @@ -3000,7 +3000,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Mail_redirect_via_ExO_transport_rule_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "Mail_redirect_via_ExO_transport_rule_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -3028,10 +3028,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Exchange)" - ] + ], + "connectorId": "Office365" } ], "tactics": [ @@ -3123,7 +3123,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Malicious_Inbox_Rule_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "Malicious_Inbox_Rule_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -3151,10 +3151,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Exchange)" - ] + ], + "connectorId": "Office365" } ], "tactics": [ @@ -3255,7 +3255,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultipleTeamsDeletes_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "MultipleTeamsDeletes_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -3283,10 +3283,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Teams)" - ] + ], + "connectorId": "Office365" } ], "tactics": [ @@ -3368,7 +3368,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Office_MailForwarding_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "Office_MailForwarding_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -3396,10 +3396,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Exchange)" - ] + ], + "connectorId": "Office365" } ], "tactics": [ @@ -3491,7 +3491,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Office_Uploaded_Executables_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "Office_Uploaded_Executables_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -3519,10 +3519,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity (SharePoint)" - ] + ], + "connectorId": "Office365" } ], "tactics": [ @@ -3632,7 +3632,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareOfficeOperations_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "RareOfficeOperations_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -3660,10 +3660,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity" - ] + ], + "connectorId": "Office365" } ], "tactics": [ @@ -3764,7 +3764,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SharePoint_Downloads_byNewIP_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "SharePoint_Downloads_byNewIP_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -3792,10 +3792,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity" - ] + ], + "connectorId": "Office365" } ], "tactics": [ @@ -3894,7 +3894,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SharePoint_Downloads_byNewUserAgent_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "SharePoint_Downloads_byNewUserAgent_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -3922,10 +3922,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity" - ] + ], + "connectorId": "Office365" } ], "tactics": [ @@ -4024,7 +4024,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "exchange_auditlogdisabled_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "exchange_auditlogdisabled_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", @@ -4052,10 +4052,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Exchange)" - ] + ], + "connectorId": "Office365" } ], "tactics": [ @@ -4154,7 +4154,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "office_policytampering_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "office_policytampering_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", @@ -4182,10 +4182,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Exchange)" - ] + ], + "connectorId": "Office365" } ], "tactics": [ @@ -4277,7 +4277,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "sharepoint_file_transfer_folders_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "sharepoint_file_transfer_folders_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", @@ -4292,7 +4292,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "Identifies Office365 Sharepoint File Transfers with distinct folder count above certain threshold in a 15min time period.\n Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.", - "displayName": "Office365 Sharepoint File transfer above threshold", + "displayName": "Office365 Sharepoint File transfer Folders above threshold", "enabled": false, "query": "let threshold = 500;\nOfficeActivity\n| where EventSource == \"SharePoint\" and OfficeWorkload has_any(\"SharePoint\", \"OneDrive\") and Operation has_any (\"FileDownloaded\", \"FileSyncDownloadedFull\", \"FileSyncUploadedFull\", \"FileUploaded\")\n| summarize count_distinct_SourceRelativeUrl=dcount(SourceRelativeUrl), dirlist=make_set(SourceRelativeUrl, 10000) by UserId,ClientIP,UserAgent,bin(TimeGenerated, 15m)\n| where count_distinct_SourceRelativeUrl >= threshold\n| extend DirSample = iff(array_length(dirlist) == 1, tostring(dirlist[0]), strcat(\"SeeDirListField\",\"_\", tostring(hash(tostring(dirlist)))))\n| extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n", "queryFrequency": "PT15M", @@ -4305,10 +4305,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity (SharePoint)" - ] + ], + "connectorId": "Office365" } ], "tactics": [ @@ -4361,8 +4361,8 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { - "enabled": true, "matchingMethod": "Selected", + "enabled": true, "reopenClosedIncident": false, "lookbackDuration": "PT5H", "groupByEntities": [ @@ -4408,7 +4408,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", "contentKind": "AnalyticsRule", - "displayName": "Office365 Sharepoint File transfer above threshold", + "displayName": "Office365 Sharepoint File transfer Folders above threshold", "contentProductId": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", "id": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" @@ -4423,7 +4423,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "sharepoint_file_transfer_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "sharepoint_file_transfer_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", @@ -4451,10 +4451,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity (SharePoint)" - ] + ], + "connectorId": "Office365" } ], "tactics": [ @@ -4507,8 +4507,8 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { - "enabled": true, "matchingMethod": "Selected", + "enabled": true, "reopenClosedIncident": false, "lookbackDuration": "PT5H", "groupByEntities": [ @@ -4565,7 +4565,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.3", + "version": "3.0.4", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Microsoft 365", diff --git a/Solutions/Microsoft 365/ReleaseNotes.md b/Solutions/Microsoft 365/ReleaseNotes.md index 338e9c2d656..7d00a51ab90 100644 --- a/Solutions/Microsoft 365/ReleaseNotes.md +++ b/Solutions/Microsoft 365/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| +| 3.0.4 | 27-08-2024 | Updated **Analytic Rule** for Same names | | 3.0.3 | 12-06-2024 | Updated **Analytic Rule** for Bug Fixes ExternalUserAddedRemovedInTeams.yaml | | 3.0.2 | 09-05-2024 | Updated **Analytic Rule** to get expected result and Entity Mapping exchange_auditlogdisabled.yaml and fixed typo description in **Analytic Rules** ExternalUserAddedRemovedInTeams.yaml | | 3.0.1 | 04-01-2024 | Updated **Analytic Rules**, **Hunting Queries** and **Workbook** for Bug Fixes |