diff --git a/.script/package-automation/package-generator.ps1 b/.script/package-automation/package-generator.ps1 index a714cc797cb..f4e51d6c815 100644 --- a/.script/package-automation/package-generator.ps1 +++ b/.script/package-automation/package-generator.ps1 @@ -49,11 +49,11 @@ try { $zipFileExist = $item -match ([regex]::Escape(".zip")) $pythonFileExist = $item -match ([regex]::Escape(".py")) $jsonFile = $item -match ([regex]::Escape(".json")) - $capsJsonFile = $item -match ([regex]::Escape(".JSON")) + if ($hostFileExist -or $proxiesFileExist -or $azureDeployFileExist -or $functionFileExist -or $textFileExist -or $zipFileExist -or $pythonFileExist) { } else { - if ($jsonFile -or $capsJsonFile) { + if ($jsonFile) { $newDataConnectorFilesWithoutExcludedFiles += $item } } diff --git a/Solutions/AI Analyst Darktrace/ReleaseNotes.md b/Solutions/AI Analyst Darktrace/ReleaseNotes.md index 4cd8043e487..ec6c1da4259 100644 --- a/Solutions/AI Analyst Darktrace/ReleaseNotes.md +++ b/Solutions/AI Analyst Darktrace/ReleaseNotes.md @@ -1,5 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| -| 3.0.0 | 18-09-2023 | Addition of new AI Analyst Darktrace AMA **Data Connector** | | - - +| 3.0.0 | 18-09-2023 | Addition of new AI Analyst Darktrace AMA **Data Connector** | \ No newline at end of file diff --git a/Solutions/AbnormalSecurity/ReleaseNotes.md b/Solutions/AbnormalSecurity/ReleaseNotes.md index c92998a554c..73e101f1008 100644 --- a/Solutions/AbnormalSecurity/ReleaseNotes.md +++ b/Solutions/AbnormalSecurity/ReleaseNotes.md 
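Review bot: The new `if ($jsonFile) {` still relies on `$jsonFile = $item -match ([regex]::Escape(".json"))`, which is a substring test rather than an extension test, so names such as `foo.json.bak` or `foo.jsonc` also pass and are appended to `$newDataConnectorFilesWithoutExcludedFiles`; since this list decides which files end up in the generated package, an extension check such as `if ([System.IO.Path]::GetExtension($item) -eq '.json') {` (or `$item -like '*.json'`) would be the safer filter, and the same applies to the `.zip`/`.py`/`.txt` checks above it. Dropping `$capsJsonFile` is behaviourally safe because `-match` is case-insensitive by default, but that is easy to forget, so a one-line comment on the new condition, `# -match is case-insensitive, so ".JSON" is already covered`, would stop someone re-adding the duplicate check. The removed line also leaves an empty `+` line in its place, which looks accidental. The enclosing `try` block and loop start outside this hunk.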
@@ -1,3 +1,3 @@ -| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | -|-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 29-06-2023 | Updating Azure Function to Azure Functions in **Data Connector** Description | +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------------------------------------------------------------------| +| 3.0.0 | 29-06-2023 | Renaming Azure Function to Azure Functions in **Data Connector** Description | diff --git a/Solutions/Aruba ClearPass/ReleaseNotes.md b/Solutions/Aruba ClearPass/ReleaseNotes.md index ebe1ea7cfaa..1759ea0cb9d 100644 --- a/Solutions/Aruba ClearPass/ReleaseNotes.md +++ b/Solutions/Aruba ClearPass/ReleaseNotes.md @@ -1,5 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| -| 3.0.0 | 21-09-2023 | Addition of new Aruba ClearPass AMA **Data Connector** | | - - +| 3.0.0 | 21-09-2023 | Addition of new Aruba ClearPass AMA **Data Connector** | \ No newline at end of file diff --git a/Solutions/Atlassian Beacon/ReleaseNotes.md b/Solutions/Atlassian Beacon/ReleaseNotes.md index cf511b3757b..847202d99a5 100644 --- a/Solutions/Atlassian Beacon/ReleaseNotes.md +++ b/Solutions/Atlassian Beacon/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------------| -| 3.0.0 | 24-10-2023 | Initial solution release | \ No newline at end of file +| 3.0.0 | 24-10-2023 | Initial Solution Release | \ No newline at end of file diff --git a/Solutions/AtlassianConfluenceAudit/ReleaseNotes.md b/Solutions/AtlassianConfluenceAudit/ReleaseNotes.md index 72315adf6c3..fb4ac4f9688 100644 
--- a/Solutions/AtlassianConfluenceAudit/ReleaseNotes.md +++ b/Solutions/AtlassianConfluenceAudit/ReleaseNotes.md @@ -1,3 +1,3 @@ -| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | -|-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 19-07-2023 | Updated to enable solution for **Azure government**. | +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|-------------------------------------------------------| +| 3.0.0 | 19-07-2023 | Updated to enable solution for **Azure government**. | \ No newline at end of file diff --git a/Solutions/Authomize/ReleaseNotes.md b/Solutions/Authomize/ReleaseNotes.md index 14aa48857e0..e1feaf90b40 100644 --- a/Solutions/Authomize/ReleaseNotes.md +++ b/Solutions/Authomize/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 1.0.0 | 07-27-2023 | Initial solution release. | \ No newline at end of file +| 3.0.0 | 27-07-2023 | Initial Solution Release. | \ No newline at end of file diff --git a/Solutions/BloodHound Enterprise/ReleaseNotes.md b/Solutions/BloodHound Enterprise/ReleaseNotes.md index e2d42a51770..a7834da75de 100644 --- a/Solutions/BloodHound Enterprise/ReleaseNotes.md +++ b/Solutions/BloodHound Enterprise/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 20-07-2023 | Initial solution release | \ No newline at end of file +| 3.0.0 | 20-07-2023 | Initial Solution Release | \ No newline at end of file diff --git a/Solutions/Broadcom SymantecDLP/ReleaseNotes.md b/Solutions/Broadcom SymantecDLP/ReleaseNotes.md index 94a61822f0d..b11f68b6dc4 100644 
--- a/Solutions/Broadcom SymantecDLP/ReleaseNotes.md +++ b/Solutions/Broadcom SymantecDLP/ReleaseNotes.md @@ -1,4 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.1 | 01-09-2023 | Addition of new Broadcom SymantecDLP AMA **Data Connector** | | 3.0.0 | 27-07-2023 | Corrected the links in the solution. | -| 3.0.1 | 01-09-2023 | Addition of new Broadcom SymantecDLP AMA **Data Connector** | diff --git a/Solutions/Business Email Compromise - Financial Fraud/ReleaseNotes.md b/Solutions/Business Email Compromise - Financial Fraud/ReleaseNotes.md index bf8b9d0ef7c..b670792bbcc 100644 --- a/Solutions/Business Email Compromise - Financial Fraud/ReleaseNotes.md +++ b/Solutions/Business Email Compromise - Financial Fraud/ReleaseNotes.md @@ -3,4 +3,4 @@ | 3.0.3 | 23-11-2023 | Updated description of **Hunting query** | 3.0.2 | 06-11-2023 | Changes for rebranding from Microsoft 365 Defender to Microsoft Defender XDR | | 3.0.1 | 03-11-2023 | Updated **Analytic Rule** datatype and descriptions for **Hunting queries** | -| 3.0.0 | 07-08-2023 | Initial Release | +| 3.0.0 | 07-08-2023 | Initial Solution Release | diff --git a/Solutions/CiscoUmbrella/ReleaseNotes.md b/Solutions/CiscoUmbrella/ReleaseNotes.md index 56f58eab5b8..1f56d342d4e 100644 --- a/Solutions/CiscoUmbrella/ReleaseNotes.md +++ b/Solutions/CiscoUmbrella/ReleaseNotes.md 
@@ -1,4 +1,4 @@ -| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | -|-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 28-09-2023 | Updated Dataconnector with step by step | -| | | guidelines | +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------------------------------------------| +| 3.0.0 | 28-09-2023 | Updated Dataconnector with step by step guidelines | + diff --git a/Solutions/Citrix ADC/ReleaseNotes.md b/Solutions/Citrix ADC/ReleaseNotes.md index f44edc98046..dcdbe668e33 100644 --- a/Solutions/Citrix ADC/ReleaseNotes.md +++ b/Solutions/Citrix ADC/ReleaseNotes.md @@ -1,7 +1,8 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| +| 3.0.1 | 18-08-2023 | Modified the **Parser** with correct watchlist alias| | 3.0.0 | 14-07-2023 | Modified the **Data Connector** with improved onboarding instructions \| v 1.0.1 | | | Modified the **Parser** to process the logs coming from Citrix ADC to Syslog table -| 3.0.1 | 18-08-2023 | Modified the **Parser** with correct watchlist alias + diff --git a/Solutions/CofenseIntelligence/ReleaseNotes.md b/Solutions/CofenseIntelligence/ReleaseNotes.md index 7d1f3d0ce64..795ea3804a4 100644 --- a/Solutions/CofenseIntelligence/ReleaseNotes.md +++ b/Solutions/CofenseIntelligence/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 10-12-2022 | Initial solution release | +| 3.0.0 | 10-12-2022 | Initial Solution Release | diff --git a/Solutions/CognyteLuminar/ReleaseNotes.md b/Solutions/CognyteLuminar/ReleaseNotes.md index 1c6a0e00c75..3048b853366 100644 --- a/Solutions/CognyteLuminar/ReleaseNotes.md 
+++ b/Solutions/CognyteLuminar/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 22-09-2023 | Initial solution release | +| 3.0.0 | 22-09-2023 | Initial Solution Release | diff --git a/Solutions/Commvault Security IQ/ReleaseNotes.md b/Solutions/Commvault Security IQ/ReleaseNotes.md index 66c42b017a6..b6f5efaf69e 100644 --- a/Solutions/Commvault Security IQ/ReleaseNotes.md +++ b/Solutions/Commvault Security IQ/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 21-08-2023 | Initial solution release| +| 3.0.0 | 21-08-2023 | Initial Solution Release| diff --git a/Solutions/Corelight/ReleaseNotes.md b/Solutions/Corelight/ReleaseNotes.md index 2b14d0fc302..fe3bcf0f28a 100644 --- a/Solutions/Corelight/ReleaseNotes.md +++ b/Solutions/Corelight/ReleaseNotes.md @@ -2,8 +2,8 @@ |-------------|--------------------------------|--------------------------------------------------------------------| | 3.0.1 | 16-11-2023 | Updated package mainTemplate variables | | 3.0.0 | 20-09-2023 | Changed backend format to use separate tables with parsed values | -| 2.0.0 | 10-06-2022 | Update workbooks and packaging | +| 2.0.0 | 10-06-2022 | Updated **Workbooks** | | 1.1.0 | 22-10-2021 | Packaging updates | -| 1.0.2 | 22-04-2021 | Update instructions, rules, LA config | -| 1.0.1 | 09-04-2021 | Update analytic rule, packaging | -| 1.0.0 | 01-04-2021 | Initial release | +| 1.0.2 | 22-04-2021 | Updated instructions, rules, LA config | +| 1.0.1 | 09-04-2021 | Updated **Analytic Rule** | +| 1.0.0 | 01-04-2021 | Initial Solution Release | diff --git a/Solutions/Cortex XDR/ReleaseNotes.md b/Solutions/Cortex XDR/ReleaseNotes.md index 4143453f6a1..08f6c5a5750 100644 
--- a/Solutions/Cortex XDR/ReleaseNotes.md +++ b/Solutions/Cortex XDR/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------------| -| 3.0.0 | 28-07-2023 | Initial solution release | +| 3.0.0 | 28-07-2023 | Initial Solution Release | diff --git a/Solutions/Cynerio/ReleaseNotes.md b/Solutions/Cynerio/ReleaseNotes.md index 57b73687b4a..75f7e247272 100644 --- a/Solutions/Cynerio/ReleaseNotes.md +++ b/Solutions/Cynerio/ReleaseNotes.md @@ -1,4 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| | 3.0.0 | 11-07-2023 | New analytic rules and workbook -| 2.0.0 | 29-03-2023 | Initial solution release | +| 2.0.0 | 29-03-2023 | Initial Solution Release | diff --git a/Solutions/Dataminr Pulse/ReleaseNotes.md b/Solutions/Dataminr Pulse/ReleaseNotes.md index 6875632b16f..01acdcb7538 100644 --- a/Solutions/Dataminr Pulse/ReleaseNotes.md +++ b/Solutions/Dataminr Pulse/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 14-07-2023 | Initial Version Release | \ No newline at end of file +| 3.0.0 | 14-07-2023 | Initial Solution Release | diff --git a/Solutions/Dynatrace/ReleaseNotes.md b/Solutions/Dynatrace/ReleaseNotes.md index b26dba47cf9..f2e6729c80a 100644 --- a/Solutions/Dynatrace/ReleaseNotes.md +++ b/Solutions/Dynatrace/ReleaseNotes.md 
@@ -2,4 +2,4 @@ |-------------|--------------------------------|---------------------------------------------| | 3.0.1 | 07-11-2023 | Changes for rebranding from Microsoft 365 Defender to Microsoft Defender XDR | | 3.0.0 | 16-10-2023 | Enabled new api paging mode on **Data Connector** to fix issues related to polling Dynatrace REST API's with a large number of results. | -| 2.0.0 | 18-10-2022 | Initial release. | +| 2.0.0 | 18-10-2022 | Initial Solution Release. | diff --git a/Solutions/Egress Defend/ReleaseNotes.md b/Solutions/Egress Defend/ReleaseNotes.md index f1c25a75d1c..df6cdfdfc02 100644 --- a/Solutions/Egress Defend/ReleaseNotes.md +++ b/Solutions/Egress Defend/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 02-08-2023 | Initial solution release. | +| 3.0.0 | 02-08-2023 | Initial Solution Release. | diff --git a/Solutions/Ermes Browser Security/ReleaseNotes.md b/Solutions/Ermes Browser Security/ReleaseNotes.md index 7bb17b50fe0..ff2aa798bda 100644 --- a/Solutions/Ermes Browser Security/ReleaseNotes.md +++ b/Solutions/Ermes Browser Security/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 29-09-2023 | Initial Version Release | \ No newline at end of file +| 3.0.0 | 29-09-2023 | Initial Solution Release | \ No newline at end of file diff --git a/Solutions/Feedly/ReleaseNotes.md b/Solutions/Feedly/ReleaseNotes.md index 73b2e9b41a3..12a1619756a 100644 --- a/Solutions/Feedly/ReleaseNotes.md +++ b/Solutions/Feedly/ReleaseNotes.md 
@@ -2,4 +2,4 @@ |-------------|--------------------------------|-----------------------------------------------------------------| | 3.0.2 | 10-11-2023 | Fixed the app service plan | | 3.0.1 | 25-10-2023 | Fixed the runtime of the functionapp for the **Data Connector** | -| 3.0.0 | 17-08-2023 | Initial Version Release | +| 3.0.0 | 17-08-2023 | Initial Solution Release | diff --git a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/ReleaseNotes.md b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/ReleaseNotes.md index ff07c8851a8..6064e049190 100644 --- a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/ReleaseNotes.md +++ b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/ReleaseNotes.md @@ -1,6 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|-----------------------------------------------------------------------------------------| | 3.0.3 | 07-11-2023 |Changes for rebranding from Azure Active Directory to Microsoft Entra ID | -| 3.0.2 | 10-08-2023 |Added the missing userAssignedIdentities field for UserAssigned type in the playbooks | +| 3.0.2 | 10-08-2023 |Added the missing userAssignedIdentities field for UserAssigned type in the **Playbooks**| | 3.0.1 | 21-07-2023 |Updated the description in the solution | | 3.0.0 | 11-07-2023 |Updated the title, logo and the description in the solution | diff --git a/Solutions/Gigamon Connector/ReleaseNotes.md b/Solutions/Gigamon Connector/ReleaseNotes.md index f4150050eb2..d8611521063 100644 --- a/Solutions/Gigamon Connector/ReleaseNotes.md +++ b/Solutions/Gigamon Connector/ReleaseNotes.md 
@@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 25-10-2023 | Initial solution release | +| 3.0.0 | 25-10-2023 | Initial Solution Release | diff --git a/Solutions/GitHub/ReleaseNotes.md b/Solutions/GitHub/ReleaseNotes.md index 3a75bb03ccf..dcc5cbc8b2d 100644 --- a/Solutions/GitHub/ReleaseNotes.md +++ b/Solutions/GitHub/ReleaseNotes.md @@ -1,4 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------------| -| 3.0.0 | 17-07-2023 | **Data Connectors** description updated | -| | | Code Enhancements added for **Workbooks** +| 3.0.0 | 17-07-2023 | **Data Connectors** description updated & Code Enhancements added for **Workbooks** | diff --git a/Solutions/GreyNoiseThreatIntelligence/ReleaseNotes.md b/Solutions/GreyNoiseThreatIntelligence/ReleaseNotes.md index 0b28f03a717..60e00e2951c 100644 --- a/Solutions/GreyNoiseThreatIntelligence/ReleaseNotes.md +++ b/Solutions/GreyNoiseThreatIntelligence/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 09-21-2023 | Initial Version Release | +| 3.0.0 | 21-09-2023 | Initial Solution Release | diff --git a/Solutions/HYAS Protect/ReleaseNotes.md b/Solutions/HYAS Protect/ReleaseNotes.md index 1c6a0e00c75..3048b853366 100644 --- a/Solutions/HYAS Protect/ReleaseNotes.md +++ b/Solutions/HYAS Protect/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 22-09-2023 | Initial solution release | +| 3.0.0 | 22-09-2023 | Initial Solution Release | 
diff --git a/Solutions/HolmSecurity/ReleaseNotes.md b/Solutions/HolmSecurity/ReleaseNotes.md index 011ddda78d7..370130b8cf0 100644 --- a/Solutions/HolmSecurity/ReleaseNotes.md +++ b/Solutions/HolmSecurity/ReleaseNotes.md @@ -2,4 +2,4 @@ |-------------|--------------------------------|---------------------------------------------| | 3.0.1 | 05-10-2023 | Minor fixes | | 3.0.0 | 28-09-2023 | Repackaged with V3 | -| 2.0.0 | 17-02-2022 | Initial solution release | \ No newline at end of file +| 2.0.0 | 17-02-2022 | Initial Solution Release | \ No newline at end of file diff --git a/Solutions/Infoblox Cloud Data Connector/ReleaseNotes.md b/Solutions/Infoblox Cloud Data Connector/ReleaseNotes.md index ad0139983b4..553a07aadc1 100644 --- a/Solutions/Infoblox Cloud Data Connector/ReleaseNotes.md +++ b/Solutions/Infoblox Cloud Data Connector/ReleaseNotes.md @@ -1,15 +1,6 @@ | **Version** | **Date Modified** | **Change History** | |---------------|--------------------------------|------------------------------------------------------------------------| | 3.0.1 | 11-09-2023 | Addition of new Infoblox Cloud Data Connector AMA **Data Connector** | -| 3.0.0 | Aug 2023 | Bug fixes | -| | | Documentation updates | -| | | Update Infoblox logo | -| | | **Analytic Rules** Optimization updates. 5 new rules | -| | | **Playbooks** 11 new playbooks | -| 2.0.1-2.0.10 | May 2022-June 2023 | Bug fixes | -| | | Documentation updates | -| 1.0.0-1.1.0 | April 2021-Oct 2021 | Initial solution release | -| | | **Data Connector** New custom data connector for the Infoblox CDC | -| | | **Analytic Rules** 3 new rules | -| | | **Parser** 1 new parser | -| | | **Workbook** 1 new workbook | +| 3.0.0 | 01-08-2023 | Updated Infoblox logo, **Analytic Rules** Optimization updates. 5 new rules,**Playbooks** 11 new playbooks| +| 2.0.10 | 01-06-2023 | Bug fixes, Documentation updates | +| 1.0.0 | 01-04-2021 | Initial Solution Release | 
diff --git a/Solutions/Island/ReleaseNotes.md b/Solutions/Island/ReleaseNotes.md index 27eb706c9bf..2698d273658 100644 --- a/Solutions/Island/ReleaseNotes.md +++ b/Solutions/Island/ReleaseNotes.md @@ -4,4 +4,4 @@ | | | Added new query rate limit in Data Connectors to prevent API flooding | | | | Bug fix for wrong table referenced in query in workbook | | 2.0.1 | 08-05-2023 | Bug fix for APIVersion in Data Connector | -| 2.0.0 | 14-02-2023 | Initial solution release | \ No newline at end of file +| 2.0.0 | 14-02-2023 | Initial Solution Release | \ No newline at end of file diff --git a/Solutions/Jamf Protect/ReleaseNotes.md b/Solutions/Jamf Protect/ReleaseNotes.md index f16becfa863..e5f8a52df66 100644 --- a/Solutions/Jamf Protect/ReleaseNotes.md +++ b/Solutions/Jamf Protect/ReleaseNotes.md 
@@ -1,11 +1,11 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 20-10-2023 | Added **Parser** for parsing jamfprotect_CL raw logs. +| 3.0.0 | 20-10-2023 | Added **Parser** for parsing jamfprotect_CL raw logs. | | | Modified existing **Analytic Rules** & **Workbooks** to make use of newly added parser in this release. | | | Added macOS Threat Hunting **Hunting Queries** for hunting macOS specific threats retrospectivly | | | Added **Playbooks** for interacting with the Jamf Protect and Jamf Pro API's, including Remote Locking a computer, and changes Alert statusses based on a Microsoft Sentinel incident. -| 2.1.1 | 03-03-2023 | Updating **Analytic Rules** to include MITRE Tactics and Techniques. +| 2.1.1 | 03-03-2023 | Updating **Analytic Rules** to include MITRE Tactics and Techniques. | 2.1.0 | 10-02-2023 | Added **Data Connector** for monitoring logs | | | Added **Analytics Rules** for automated incident creation within Microsoft Sentinel -| | | Improved Workbook and added Endpoint Telemetry -| 2.0.0 | 12-10-2022 | Initial solution release | +| | | Improved **Workbook** and added Endpoint Telemetry +| 2.0.0 | 12-10-2022 | Initial Solution Release | diff --git a/Solutions/Legacy IOC based Threat Protection/ReleaseNotes.md b/Solutions/Legacy IOC based Threat Protection/ReleaseNotes.md index 3224fa2b98d..7eb92c37240 100644 --- a/Solutions/Legacy IOC based Threat Protection/ReleaseNotes.md +++ b/Solutions/Legacy IOC based Threat Protection/ReleaseNotes.md 
@@ -1,5 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------------------| -| 3.0.1 | 07-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID | -| | | Changes for rebranding from Microsoft 365 Defender to Microsoft Defender XDR | +| 3.0.1 | 07-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID & Microsoft 365 Defender to Microsoft Defender XDR | | 3.0.0 | 19-05-2023 | Deprecating outdated IOC Based **Analytic Rules** | diff --git a/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/ReleaseNotes.md b/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/ReleaseNotes.md index f4c9668f3f5..97f0de99d4f 100644 --- a/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/ReleaseNotes.md +++ b/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/ReleaseNotes.md @@ -1,4 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 11-14-2023 | **Data Connector** Updated data connector to use Lookout SASE Platform Integration API v23.2| -| 2.0.0 | 02-20-2023 | Initial solution release | \ No newline at end of file +| 3.0.0 | 14-11-2023 | **Data Connector** Updated data connector to use Lookout SASE Platform Integration API v23.2| +| 2.0.0 | 20-02-2023 | Initial Solution Release | \ No newline at end of file diff --git a/Solutions/MailGuard 365/ReleaseNotes.md b/Solutions/MailGuard 365/ReleaseNotes.md index d44c5aa2db1..a05f69abc74 100644 --- a/Solutions/MailGuard 365/ReleaseNotes.md +++ b/Solutions/MailGuard 365/ReleaseNotes.md 
@@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 31-08-2023 | Initial Version Release | \ No newline at end of file +| 3.0.0 | 31-08-2023 | Initial Solution Release | \ No newline at end of file diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml index 703da2f29ba..d86fe5ac1f8 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml @@ -63,5 +63,11 @@ entityMappings: fieldMappings: - identifier: Address columnName: InitiatedByIPAdress -version: 1.0.4 + - entityType: SecurityGroup + fieldMappings: + - identifier: DistinguishedName + columnName: AADGroup + - identifier: ObjectGuid + columnName: AADGroupId +version: 1.0.5 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Package/3.0.9.zip b/Solutions/Microsoft Entra ID/Package/3.0.9.zip index 60fd2dff32c..5a84903cbc8 100644 Binary files a/Solutions/Microsoft Entra ID/Package/3.0.9.zip and b/Solutions/Microsoft Entra ID/Package/3.0.9.zip differ diff --git a/Solutions/Microsoft Entra ID/Package/createUiDefinition.json b/Solutions/Microsoft Entra ID/Package/createUiDefinition.json index 547dc6c2386..8fe45c2d3ca 100644 --- a/Solutions/Microsoft Entra ID/Package/createUiDefinition.json +++ b/Solutions/Microsoft Entra ID/Package/createUiDefinition.json 
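Review bot: The new SecurityGroup entity mapping references the columns `AADGroup` and `AADGroupId`, which must be projected by the rule's query; the query sits outside this hunk, so I cannot confirm both columns exist, and a missing column fails silently at entity-mapping time rather than at deployment. The `DistinguishedName` identifier denotes an LDAP/AD distinguished name, and if `AADGroup` carries the Entra group's display name (as the file name suggests) the value will not match that shape; `ObjectGuid` on `AADGroupId` is the strong identifier that drives entity matching, so consider whether the display-name column should be mapped at all, or mapped as `DistinguishedName` only with a comment recording the intent. The rule version moves to `1.0.5`, but the accompanying `Package/3.0.9.zip` appears to be rebuilt in place under the same package version, which may be worth checking against the solution's versioning convention.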
@@ -880,7 +880,7 @@ "name": "analytic52-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 1 day\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes." + "text": "Identifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 1 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes." } } ] @@ -1062,4 +1062,4 @@ "workspace": "[basics('workspace')]" } } -} \ No newline at end of file +} 
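Review bot: The only change to the `analytic52-text` description turns `default look back window is 1 day` into `1 days`, which is a grammatical regression rather than an improvement; the old wording should be kept. If this file is generated from the analytic rule's YAML description, the fix belongs in that source rather than here, otherwise the rebuilt package will reintroduce it. The pre-existing typos `acccount` and `bought into the result` (for `brought`) in the same string could be corrected in the same pass.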
diff --git a/Solutions/Microsoft Entra ID/Package/mainTemplate.json b/Solutions/Microsoft Entra ID/Package/mainTemplate.json index 39ab13ba05e..18e406625f4 100644 --- a/Solutions/Microsoft Entra ID/Package/mainTemplate.json +++ b/Solutions/Microsoft Entra ID/Package/mainTemplate.json 
@@ -74,440 +74,378 @@ "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]", "_workbookContentId2": "[variables('workbookContentId2')]", "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", - "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.3", - "_analyticRulecontentId1": "bb616d82-108f-47d3-9dec-9652ea0d3bf6", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bb616d82-108f-47d3-9dec-9652ea0d3bf6')]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bb616d82-108f-47d3-9dec-9652ea0d3bf6')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bb616d82-108f-47d3-9dec-9652ea0d3bf6','-', '1.0.3')))]" - }, - "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.2", - "_analyticRulecontentId2": "6d63efa6-7c25-4bd4-a486-aa6bf50fde8a", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6d63efa6-7c25-4bd4-a486-aa6bf50fde8a')]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6d63efa6-7c25-4bd4-a486-aa6bf50fde8a')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6d63efa6-7c25-4bd4-a486-aa6bf50fde8a','-', '1.0.2')))]" - }, - "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.1", - "_analyticRulecontentId3": "95dc4ae3-e0f2-48bd-b996-cdd22b90f9af", - "analyticRuleId3": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '95dc4ae3-e0f2-48bd-b996-cdd22b90f9af')]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('95dc4ae3-e0f2-48bd-b996-cdd22b90f9af')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','95dc4ae3-e0f2-48bd-b996-cdd22b90f9af','-', '1.0.1')))]" - }, - "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.1", - "_analyticRulecontentId4": "5533fe80-905e-49d5-889a-df27d2c3976d", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5533fe80-905e-49d5-889a-df27d2c3976d')]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5533fe80-905e-49d5-889a-df27d2c3976d')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5533fe80-905e-49d5-889a-df27d2c3976d','-', '1.0.1')))]" - }, - "analyticRuleObject5": { - "analyticRuleVersion5": "1.0.4", - "_analyticRulecontentId5": "f80d951a-eddc-4171-b9d0-d616bb83efdc", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f80d951a-eddc-4171-b9d0-d616bb83efdc')]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f80d951a-eddc-4171-b9d0-d616bb83efdc')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f80d951a-eddc-4171-b9d0-d616bb83efdc','-', '1.0.4')))]" - }, - "analyticRuleObject6": { - "analyticRuleVersion6": "2.0.1", - "_analyticRulecontentId6": 
"7cb8f77d-c52f-4e46-b82f-3cf2e106224a", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7cb8f77d-c52f-4e46-b82f-3cf2e106224a')]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7cb8f77d-c52f-4e46-b82f-3cf2e106224a')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7cb8f77d-c52f-4e46-b82f-3cf2e106224a','-', '2.0.1')))]" - }, - "analyticRuleObject7": { - "analyticRuleVersion7": "1.0.9", - "_analyticRulecontentId7": "694c91ee-d606-4ba9-928e-405a2dd0ff0f", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '694c91ee-d606-4ba9-928e-405a2dd0ff0f')]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('694c91ee-d606-4ba9-928e-405a2dd0ff0f')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','694c91ee-d606-4ba9-928e-405a2dd0ff0f','-', '1.0.9')))]" - }, - "analyticRuleObject8": { - "analyticRuleVersion8": "1.0.3", - "_analyticRulecontentId8": "50574fac-f8d1-4395-81c7-78a463ff0c52", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '50574fac-f8d1-4395-81c7-78a463ff0c52')]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('50574fac-f8d1-4395-81c7-78a463ff0c52')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','50574fac-f8d1-4395-81c7-78a463ff0c52','-', '1.0.3')))]" - }, - "analyticRuleObject9": { - "analyticRuleVersion9": "1.0.5", 
- "_analyticRulecontentId9": "1ff56009-db01-4615-8211-d4fda21da02d", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1ff56009-db01-4615-8211-d4fda21da02d')]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1ff56009-db01-4615-8211-d4fda21da02d')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1ff56009-db01-4615-8211-d4fda21da02d','-', '1.0.5')))]" - }, - "analyticRuleObject10": { - "analyticRuleVersion10": "2.0.1", - "_analyticRulecontentId10": "87210ca1-49a4-4a7d-bb4a-4988752f978c", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '87210ca1-49a4-4a7d-bb4a-4988752f978c')]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('87210ca1-49a4-4a7d-bb4a-4988752f978c')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','87210ca1-49a4-4a7d-bb4a-4988752f978c','-', '2.0.1')))]" - }, - "analyticRuleObject11": { - "analyticRuleVersion11": "2.0.1", - "_analyticRulecontentId11": "97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06", - "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06')]", - "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06')))]", - "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06','-', '2.0.1')))]" - }, - 
"analyticRuleObject12": { - "analyticRuleVersion12": "2.0.0", - "_analyticRulecontentId12": "3fbc20a4-04c4-464e-8fcb-6667f53e4987", - "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3fbc20a4-04c4-464e-8fcb-6667f53e4987')]", - "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3fbc20a4-04c4-464e-8fcb-6667f53e4987')))]", - "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3fbc20a4-04c4-464e-8fcb-6667f53e4987','-', '2.0.0')))]" - }, - "analyticRuleObject13": { - "analyticRuleVersion13": "1.0.4", - "_analyticRulecontentId13": "218f60de-c269-457a-b882-9966632b9dc6", - "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '218f60de-c269-457a-b882-9966632b9dc6')]", - "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('218f60de-c269-457a-b882-9966632b9dc6')))]", - "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','218f60de-c269-457a-b882-9966632b9dc6','-', '1.0.4')))]" - }, - "analyticRuleObject14": { - "analyticRuleVersion14": "1.0.5", - "_analyticRulecontentId14": "3af9285d-bb98-4a35-ad29-5ea39ba0c628", - "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3af9285d-bb98-4a35-ad29-5ea39ba0c628')]", - "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3af9285d-bb98-4a35-ad29-5ea39ba0c628')))]", - "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3af9285d-bb98-4a35-ad29-5ea39ba0c628','-', '1.0.5')))]" - }, - "analyticRuleObject15": { - "analyticRuleVersion15": "1.0.2", - "_analyticRulecontentId15": "707494a5-8e44-486b-90f8-155d1797a8eb", - "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '707494a5-8e44-486b-90f8-155d1797a8eb')]", - "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('707494a5-8e44-486b-90f8-155d1797a8eb')))]", - "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','707494a5-8e44-486b-90f8-155d1797a8eb','-', '1.0.2')))]" - }, - "analyticRuleObject16": { - "analyticRuleVersion16": "1.0.2", - "_analyticRulecontentId16": "757e6a79-6d23-4ae6-9845-4dac170656b5", - "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '757e6a79-6d23-4ae6-9845-4dac170656b5')]", - "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('757e6a79-6d23-4ae6-9845-4dac170656b5')))]", - "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','757e6a79-6d23-4ae6-9845-4dac170656b5','-', '1.0.2')))]" - }, - "analyticRuleObject17": { - "analyticRuleVersion17": "1.0.2", - "_analyticRulecontentId17": "eb8a9c1c-f532-4630-817c-1ecd8a60ed80", - "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'eb8a9c1c-f532-4630-817c-1ecd8a60ed80')]", - "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('eb8a9c1c-f532-4630-817c-1ecd8a60ed80')))]", - "_analyticRulecontentProductId17": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','eb8a9c1c-f532-4630-817c-1ecd8a60ed80','-', '1.0.2')))]" - }, - "analyticRuleObject18": { - "analyticRuleVersion18": "1.0.1", - "_analyticRulecontentId18": "c895c5b9-0fc6-40ce-9830-e8818862f2d5", - "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c895c5b9-0fc6-40ce-9830-e8818862f2d5')]", - "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c895c5b9-0fc6-40ce-9830-e8818862f2d5')))]", - "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c895c5b9-0fc6-40ce-9830-e8818862f2d5','-', '1.0.1')))]" - }, - "analyticRuleObject19": { - "analyticRuleVersion19": "1.0.1", - "_analyticRulecontentId19": "276d5190-38de-4eb2-9933-b3b72f4a5737", - "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '276d5190-38de-4eb2-9933-b3b72f4a5737')]", - "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('276d5190-38de-4eb2-9933-b3b72f4a5737')))]", - "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','276d5190-38de-4eb2-9933-b3b72f4a5737','-', '1.0.1')))]" - }, - "analyticRuleObject20": { - "analyticRuleVersion20": "1.0.1", - "_analyticRulecontentId20": "229f71ba-d83b-42a5-b83b-11a641049ed1", - "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '229f71ba-d83b-42a5-b83b-11a641049ed1')]", - "analyticRuleTemplateSpecName20": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('229f71ba-d83b-42a5-b83b-11a641049ed1')))]", - "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','229f71ba-d83b-42a5-b83b-11a641049ed1','-', '1.0.1')))]" - }, - "analyticRuleObject21": { - "analyticRuleVersion21": "1.0.1", - "_analyticRulecontentId21": "0101e08d-99cd-4a97-a9e0-27649c4369ad", - "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0101e08d-99cd-4a97-a9e0-27649c4369ad')]", - "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0101e08d-99cd-4a97-a9e0-27649c4369ad')))]", - "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0101e08d-99cd-4a97-a9e0-27649c4369ad','-', '1.0.1')))]" - }, - "analyticRuleObject22": { - "analyticRuleVersion22": "1.0.2", - "_analyticRulecontentId22": "75ea5c39-93e5-489b-b1e1-68fa6c9d2d04", - "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '75ea5c39-93e5-489b-b1e1-68fa6c9d2d04')]", - "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('75ea5c39-93e5-489b-b1e1-68fa6c9d2d04')))]", - "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','75ea5c39-93e5-489b-b1e1-68fa6c9d2d04','-', '1.0.2')))]" - }, - "analyticRuleObject23": { - "analyticRuleVersion23": "1.0.3", - "_analyticRulecontentId23": "bfb1c90f-8006-4325-98be-c7fffbc254d6", - "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'bfb1c90f-8006-4325-98be-c7fffbc254d6')]", - "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bfb1c90f-8006-4325-98be-c7fffbc254d6')))]", - "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bfb1c90f-8006-4325-98be-c7fffbc254d6','-', '1.0.3')))]" - }, - "analyticRuleObject24": { - "analyticRuleVersion24": "1.0.3", - "_analyticRulecontentId24": "a22740ec-fc1e-4c91-8de6-c29c6450ad00", - "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a22740ec-fc1e-4c91-8de6-c29c6450ad00')]", - "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a22740ec-fc1e-4c91-8de6-c29c6450ad00')))]", - "_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a22740ec-fc1e-4c91-8de6-c29c6450ad00','-', '1.0.3')))]" - }, - "analyticRuleObject25": { - "analyticRuleVersion25": "1.0.0", - "_analyticRulecontentId25": "54e22fed-0ec6-4fb2-8312-2a3809a93f63", - "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '54e22fed-0ec6-4fb2-8312-2a3809a93f63')]", - "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('54e22fed-0ec6-4fb2-8312-2a3809a93f63')))]", - "_analyticRulecontentProductId25": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','54e22fed-0ec6-4fb2-8312-2a3809a93f63','-', '1.0.0')))]" - }, - "analyticRuleObject26": { - "analyticRuleVersion26": "1.0.5", - "_analyticRulecontentId26": "223db5c1-1bf8-47d8-8806-bed401b356a4", - "analyticRuleId26": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '223db5c1-1bf8-47d8-8806-bed401b356a4')]", - "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('223db5c1-1bf8-47d8-8806-bed401b356a4')))]", - "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','223db5c1-1bf8-47d8-8806-bed401b356a4','-', '1.0.5')))]" - }, - "analyticRuleObject27": { - "analyticRuleVersion27": "1.1.4", - "_analyticRulecontentId27": "2cfc3c6e-f424-4b88-9cc9-c89f482d016a", - "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2cfc3c6e-f424-4b88-9cc9-c89f482d016a')]", - "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2cfc3c6e-f424-4b88-9cc9-c89f482d016a')))]", - "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2cfc3c6e-f424-4b88-9cc9-c89f482d016a','-', '1.1.4')))]" - }, - "analyticRuleObject28": { - "analyticRuleVersion28": "1.0.4", - "_analyticRulecontentId28": "6ab1f7b2-61b8-442f-bc81-96afe7ad8c53", - "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6ab1f7b2-61b8-442f-bc81-96afe7ad8c53')]", - "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6ab1f7b2-61b8-442f-bc81-96afe7ad8c53')))]", - "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6ab1f7b2-61b8-442f-bc81-96afe7ad8c53','-', '1.0.4')))]" - }, - "analyticRuleObject29": { - "analyticRuleVersion29": "1.0.3", - "_analyticRulecontentId29": 
"2560515c-07d1-434e-87fb-ebe3af267760", - "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2560515c-07d1-434e-87fb-ebe3af267760')]", - "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2560515c-07d1-434e-87fb-ebe3af267760')))]", - "_analyticRulecontentProductId29": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2560515c-07d1-434e-87fb-ebe3af267760','-', '1.0.3')))]" - }, - "analyticRuleObject30": { - "analyticRuleVersion30": "1.1.1", - "_analyticRulecontentId30": "f948a32f-226c-4116-bddd-d95e91d97eb9", - "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f948a32f-226c-4116-bddd-d95e91d97eb9')]", - "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f948a32f-226c-4116-bddd-d95e91d97eb9')))]", - "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f948a32f-226c-4116-bddd-d95e91d97eb9','-', '1.1.1')))]" - }, - "analyticRuleObject31": { - "analyticRuleVersion31": "1.0.1", - "_analyticRulecontentId31": "39198934-62a0-4781-8416-a81265c03fd6", - "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '39198934-62a0-4781-8416-a81265c03fd6')]", - "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('39198934-62a0-4781-8416-a81265c03fd6')))]", - "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','39198934-62a0-4781-8416-a81265c03fd6','-', '1.0.1')))]" - }, - "analyticRuleObject32": { - 
"analyticRuleVersion32": "2.0.1", - "_analyticRulecontentId32": "d99cf5c3-d660-436c-895b-8a8f8448da23", - "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd99cf5c3-d660-436c-895b-8a8f8448da23')]", - "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d99cf5c3-d660-436c-895b-8a8f8448da23')))]", - "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d99cf5c3-d660-436c-895b-8a8f8448da23','-', '2.0.1')))]" - }, - "analyticRuleObject33": { - "analyticRuleVersion33": "1.0.2", - "_analyticRulecontentId33": "a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b", - "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b')]", - "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b')))]", - "_analyticRulecontentProductId33": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b','-', '1.0.2')))]" - }, - "analyticRuleObject34": { - "analyticRuleVersion34": "1.0.1", - "_analyticRulecontentId34": "cda5928c-2c1e-4575-9dfa-07568bc27a4f", - "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cda5928c-2c1e-4575-9dfa-07568bc27a4f')]", - "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cda5928c-2c1e-4575-9dfa-07568bc27a4f')))]", - "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cda5928c-2c1e-4575-9dfa-07568bc27a4f','-', 
'1.0.1')))]" - }, - "analyticRuleObject35": { - "analyticRuleVersion35": "1.0.0", - "_analyticRulecontentId35": "4f42b94f-b210-42d1-a023-7fa1c51d969f", - "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4f42b94f-b210-42d1-a023-7fa1c51d969f')]", - "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4f42b94f-b210-42d1-a023-7fa1c51d969f')))]", - "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4f42b94f-b210-42d1-a023-7fa1c51d969f','-', '1.0.0')))]" - }, - "analyticRuleObject36": { - "analyticRuleVersion36": "1.1.1", - "_analyticRulecontentId36": "79566f41-df67-4e10-a703-c38a6213afd8", - "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '79566f41-df67-4e10-a703-c38a6213afd8')]", - "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('79566f41-df67-4e10-a703-c38a6213afd8')))]", - "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','79566f41-df67-4e10-a703-c38a6213afd8','-', '1.1.1')))]" - }, - "analyticRuleObject37": { - "analyticRuleVersion37": "1.0.1", - "_analyticRulecontentId37": "8540c842-5bbc-4a24-9fb2-a836c0e55a51", - "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8540c842-5bbc-4a24-9fb2-a836c0e55a51')]", - "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8540c842-5bbc-4a24-9fb2-a836c0e55a51')))]", - "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8540c842-5bbc-4a24-9fb2-a836c0e55a51','-', '1.0.1')))]" - }, - "analyticRuleObject38": { - "analyticRuleVersion38": "1.0.2", - "_analyticRulecontentId38": "29e99017-e28d-47be-8b9a-c8c711f8a903", - "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '29e99017-e28d-47be-8b9a-c8c711f8a903')]", - "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('29e99017-e28d-47be-8b9a-c8c711f8a903')))]", - "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','29e99017-e28d-47be-8b9a-c8c711f8a903','-', '1.0.2')))]" - }, - "analyticRuleObject39": { - "analyticRuleVersion39": "1.0.4", - "_analyticRulecontentId39": "b6988c32-4f3b-4a45-8313-b46b33061a74", - "analyticRuleId39": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b6988c32-4f3b-4a45-8313-b46b33061a74')]", - "analyticRuleTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b6988c32-4f3b-4a45-8313-b46b33061a74')))]", - "_analyticRulecontentProductId39": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b6988c32-4f3b-4a45-8313-b46b33061a74','-', '1.0.4')))]" - }, - "analyticRuleObject40": { - "analyticRuleVersion40": "1.0.2", - "_analyticRulecontentId40": "e42e889a-caaf-4dbb-aec6-371b37d64298", - "analyticRuleId40": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e42e889a-caaf-4dbb-aec6-371b37d64298')]", - "analyticRuleTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e42e889a-caaf-4dbb-aec6-371b37d64298')))]", - "_analyticRulecontentProductId40": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e42e889a-caaf-4dbb-aec6-371b37d64298','-', '1.0.2')))]" - }, - "analyticRuleObject41": { - "analyticRuleVersion41": "1.0.2", - "_analyticRulecontentId41": "5db427b2-f406-4274-b413-e9fcb29412f8", - "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5db427b2-f406-4274-b413-e9fcb29412f8')]", - "analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5db427b2-f406-4274-b413-e9fcb29412f8')))]", - "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5db427b2-f406-4274-b413-e9fcb29412f8','-', '1.0.2')))]" - }, - "analyticRuleObject42": { - "analyticRuleVersion42": "1.0.1", - "_analyticRulecontentId42": "14f6da04-2f96-44ee-9210-9ccc1be6401e", - "analyticRuleId42": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '14f6da04-2f96-44ee-9210-9ccc1be6401e')]", - "analyticRuleTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('14f6da04-2f96-44ee-9210-9ccc1be6401e')))]", - "_analyticRulecontentProductId42": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','14f6da04-2f96-44ee-9210-9ccc1be6401e','-', '1.0.1')))]" - }, - "analyticRuleObject43": { - "analyticRuleVersion43": "1.0.4", - "_analyticRulecontentId43": "70fc7201-f28e-4ba7-b9ea-c04b96701f13", - "analyticRuleId43": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '70fc7201-f28e-4ba7-b9ea-c04b96701f13')]", - "analyticRuleTemplateSpecName43": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('70fc7201-f28e-4ba7-b9ea-c04b96701f13')))]", - "_analyticRulecontentProductId43": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','70fc7201-f28e-4ba7-b9ea-c04b96701f13','-', '1.0.4')))]" - }, - "analyticRuleObject44": { - "analyticRuleVersion44": "1.0.7", - "_analyticRulecontentId44": "7d7e20f8-3384-4b71-811c-f5e950e8306c", - "analyticRuleId44": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7d7e20f8-3384-4b71-811c-f5e950e8306c')]", - "analyticRuleTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7d7e20f8-3384-4b71-811c-f5e950e8306c')))]", - "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7d7e20f8-3384-4b71-811c-f5e950e8306c','-', '1.0.7')))]" - }, - "analyticRuleObject45": { - "analyticRuleVersion45": "1.0.4", - "_analyticRulecontentId45": "34c5aff9-a8c2-4601-9654-c7e46342d03b", - "analyticRuleId45": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '34c5aff9-a8c2-4601-9654-c7e46342d03b')]", - "analyticRuleTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('34c5aff9-a8c2-4601-9654-c7e46342d03b')))]", - "_analyticRulecontentProductId45": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','34c5aff9-a8c2-4601-9654-c7e46342d03b','-', '1.0.4')))]" - }, - "analyticRuleObject46": { - "analyticRuleVersion46": "1.0.4", - "_analyticRulecontentId46": "269435e3-1db8-4423-9dfc-9bf59997da1c", - "analyticRuleId46": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'269435e3-1db8-4423-9dfc-9bf59997da1c')]", - "analyticRuleTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('269435e3-1db8-4423-9dfc-9bf59997da1c')))]", - "_analyticRulecontentProductId46": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','269435e3-1db8-4423-9dfc-9bf59997da1c','-', '1.0.4')))]" - }, - "analyticRuleObject47": { - "analyticRuleVersion47": "1.1.4", - "_analyticRulecontentId47": "83ba3057-9ea3-4759-bf6a-933f2e5bc7ee", - "analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '83ba3057-9ea3-4759-bf6a-933f2e5bc7ee')]", - "analyticRuleTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('83ba3057-9ea3-4759-bf6a-933f2e5bc7ee')))]", - "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','83ba3057-9ea3-4759-bf6a-933f2e5bc7ee','-', '1.1.4')))]" - }, - "analyticRuleObject48": { - "analyticRuleVersion48": "1.0.3", - "_analyticRulecontentId48": "fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba", - "analyticRuleId48": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba')]", - "analyticRuleTemplateSpecName48": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba')))]", - "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba','-', '1.0.3')))]" - }, - "analyticRuleObject49": { - "analyticRuleVersion49": "1.0.2", - "_analyticRulecontentId49": "d3980830-dd9d-40a5-911f-76b44dfdce16", - "analyticRuleId49": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd3980830-dd9d-40a5-911f-76b44dfdce16')]", - "analyticRuleTemplateSpecName49": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d3980830-dd9d-40a5-911f-76b44dfdce16')))]", - "_analyticRulecontentProductId49": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d3980830-dd9d-40a5-911f-76b44dfdce16','-', '1.0.2')))]" - }, - "analyticRuleObject50": { - "analyticRuleVersion50": "2.1.3", - "_analyticRulecontentId50": "500c103a-0319-4d56-8e99-3cec8d860757", - "analyticRuleId50": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '500c103a-0319-4d56-8e99-3cec8d860757')]", - "analyticRuleTemplateSpecName50": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('500c103a-0319-4d56-8e99-3cec8d860757')))]", - "_analyticRulecontentProductId50": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','500c103a-0319-4d56-8e99-3cec8d860757','-', '2.1.3')))]" - }, - "analyticRuleObject51": { - "analyticRuleVersion51": "2.1.3", - "_analyticRulecontentId51": "28b42356-45af-40a6-a0b4-a554cdfd5d8a", - "analyticRuleId51": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '28b42356-45af-40a6-a0b4-a554cdfd5d8a')]", - "analyticRuleTemplateSpecName51": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('28b42356-45af-40a6-a0b4-a554cdfd5d8a')))]", - "_analyticRulecontentProductId51": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','28b42356-45af-40a6-a0b4-a554cdfd5d8a','-', '2.1.3')))]" - }, - "analyticRuleObject52": { - "analyticRuleVersion52": "1.0.6", - "_analyticRulecontentId52": 
"48607a29-a26a-4abf-8078-a06dbdd174a4", - "analyticRuleId52": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '48607a29-a26a-4abf-8078-a06dbdd174a4')]", - "analyticRuleTemplateSpecName52": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('48607a29-a26a-4abf-8078-a06dbdd174a4')))]", - "_analyticRulecontentProductId52": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','48607a29-a26a-4abf-8078-a06dbdd174a4','-', '1.0.6')))]" - }, - "analyticRuleObject53": { - "analyticRuleVersion53": "2.1.7", - "_analyticRulecontentId53": "02ef8d7e-fc3a-4d86-a457-650fa571d8d2", - "analyticRuleId53": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '02ef8d7e-fc3a-4d86-a457-650fa571d8d2')]", - "analyticRuleTemplateSpecName53": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('02ef8d7e-fc3a-4d86-a457-650fa571d8d2')))]", - "_analyticRulecontentProductId53": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','02ef8d7e-fc3a-4d86-a457-650fa571d8d2','-', '2.1.7')))]" - }, - "analyticRuleObject54": { - "analyticRuleVersion54": "1.0.2", - "_analyticRulecontentId54": "3a3c6835-0086-40ca-b033-a93bf26d878f", - "analyticRuleId54": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3a3c6835-0086-40ca-b033-a93bf26d878f')]", - "analyticRuleTemplateSpecName54": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3a3c6835-0086-40ca-b033-a93bf26d878f')))]", - "_analyticRulecontentProductId54": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3a3c6835-0086-40ca-b033-a93bf26d878f','-', '1.0.2')))]" - }, - "analyticRuleObject55": { - 
"analyticRuleVersion55": "1.0.1", - "_analyticRulecontentId55": "3533f74c-9207-4047-96e2-0eb9383be587", - "analyticRuleId55": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3533f74c-9207-4047-96e2-0eb9383be587')]", - "analyticRuleTemplateSpecName55": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3533f74c-9207-4047-96e2-0eb9383be587')))]", - "_analyticRulecontentProductId55": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3533f74c-9207-4047-96e2-0eb9383be587','-', '1.0.1')))]" - }, - "analyticRuleObject56": { - "analyticRuleVersion56": "1.0.2", - "_analyticRulecontentId56": "6852d9da-8015-4b95-8ecf-d9572ee0395d", - "analyticRuleId56": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6852d9da-8015-4b95-8ecf-d9572ee0395d')]", - "analyticRuleTemplateSpecName56": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6852d9da-8015-4b95-8ecf-d9572ee0395d')))]", - "_analyticRulecontentProductId56": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6852d9da-8015-4b95-8ecf-d9572ee0395d','-', '1.0.2')))]" - }, - "analyticRuleObject57": { - "analyticRuleVersion57": "1.0.0", - "_analyticRulecontentId57": "aec77100-25c5-4254-a20a-8027ed92c46c", - "analyticRuleId57": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'aec77100-25c5-4254-a20a-8027ed92c46c')]", - "analyticRuleTemplateSpecName57": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('aec77100-25c5-4254-a20a-8027ed92c46c')))]", - "_analyticRulecontentProductId57": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','aec77100-25c5-4254-a20a-8027ed92c46c','-', 
'1.0.0')))]" - }, - "analyticRuleObject58": { - "analyticRuleVersion58": "1.0.8", - "_analyticRulecontentId58": "acc4c247-aaf7-494b-b5da-17f18863878a", - "analyticRuleId58": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'acc4c247-aaf7-494b-b5da-17f18863878a')]", - "analyticRuleTemplateSpecName58": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('acc4c247-aaf7-494b-b5da-17f18863878a')))]", - "_analyticRulecontentProductId58": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','acc4c247-aaf7-494b-b5da-17f18863878a','-', '1.0.8')))]" - }, - "analyticRuleObject59": { - "analyticRuleVersion59": "2.0.3", - "_analyticRulecontentId59": "3a9d5ede-2b9d-43a2-acc4-d272321ff77c", - "analyticRuleId59": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3a9d5ede-2b9d-43a2-acc4-d272321ff77c')]", - "analyticRuleTemplateSpecName59": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3a9d5ede-2b9d-43a2-acc4-d272321ff77c')))]", - "_analyticRulecontentProductId59": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3a9d5ede-2b9d-43a2-acc4-d272321ff77c','-', '2.0.3')))]" - }, - "analyticRuleObject60": { - "analyticRuleVersion60": "1.0.5", - "_analyticRulecontentId60": "4d94d4a9-dc96-410a-8dea-4d4d4584188b", - "analyticRuleId60": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d94d4a9-dc96-410a-8dea-4d4d4584188b')]", - "analyticRuleTemplateSpecName60": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4d94d4a9-dc96-410a-8dea-4d4d4584188b')))]", - "_analyticRulecontentProductId60": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d94d4a9-dc96-410a-8dea-4d4d4584188b','-', '1.0.5')))]" - }, - "analyticRuleObject61": { - "analyticRuleVersion61": "1.0.0", - "_analyticRulecontentId61": "746ddb63-f51b-4563-b449-a8b13cf302ec", - "analyticRuleId61": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '746ddb63-f51b-4563-b449-a8b13cf302ec')]", - "analyticRuleTemplateSpecName61": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('746ddb63-f51b-4563-b449-a8b13cf302ec')))]", - "_analyticRulecontentProductId61": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','746ddb63-f51b-4563-b449-a8b13cf302ec','-', '1.0.0')))]" - }, - "analyticRuleObject62": { - "analyticRuleVersion62": "1.0.9", - "_analyticRulecontentId62": "050b9b3d-53d0-4364-a3da-1b678b8211ec", - "analyticRuleId62": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '050b9b3d-53d0-4364-a3da-1b678b8211ec')]", - "analyticRuleTemplateSpecName62": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('050b9b3d-53d0-4364-a3da-1b678b8211ec')))]", - "_analyticRulecontentProductId62": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','050b9b3d-53d0-4364-a3da-1b678b8211ec','-', '1.0.9')))]" - }, + "analyticRuleVersion1": "1.0.3", + "analyticRulecontentId1": "bb616d82-108f-47d3-9dec-9652ea0d3bf6", + "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", + 
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", + "analyticRuleVersion2": "1.0.2", + "analyticRulecontentId2": "6d63efa6-7c25-4bd4-a486-aa6bf50fde8a", + "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", + "analyticRuleVersion3": "1.0.1", + "analyticRulecontentId3": "95dc4ae3-e0f2-48bd-b996-cdd22b90f9af", + "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", + "analyticRuleVersion4": "1.0.1", + "analyticRulecontentId4": "5533fe80-905e-49d5-889a-df27d2c3976d", + "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
variables('analyticRulecontentId4'))]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", + "analyticRuleVersion5": "1.0.4", + "analyticRulecontentId5": "f80d951a-eddc-4171-b9d0-d616bb83efdc", + "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", + "analyticRuleVersion6": "2.0.1", + "analyticRulecontentId6": "7cb8f77d-c52f-4e46-b82f-3cf2e106224a", + "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", + "analyticRuleVersion7": "1.0.9", + 
"analyticRulecontentId7": "694c91ee-d606-4ba9-928e-405a2dd0ff0f", + "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", + "analyticRuleVersion8": "1.0.3", + "analyticRulecontentId8": "50574fac-f8d1-4395-81c7-78a463ff0c52", + "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]", + "analyticRuleVersion9": "1.0.5", + "analyticRulecontentId9": "1ff56009-db01-4615-8211-d4fda21da02d", + "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]", + "_analyticRulecontentProductId9": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]", + "analyticRuleVersion10": "2.0.1", + "analyticRulecontentId10": "87210ca1-49a4-4a7d-bb4a-4988752f978c", + "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]", + "analyticRuleVersion11": "2.0.1", + "analyticRulecontentId11": "97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06", + "_analyticRulecontentId11": "[variables('analyticRulecontentId11')]", + "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId11'))]", + "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId11'))))]", + "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId11'),'-', variables('analyticRuleVersion11'))))]", + "analyticRuleVersion12": "2.0.0", + "analyticRulecontentId12": "3fbc20a4-04c4-464e-8fcb-6667f53e4987", + "_analyticRulecontentId12": "[variables('analyticRulecontentId12')]", + "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId12'))]", + 
"analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId12'))))]", + "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId12'),'-', variables('analyticRuleVersion12'))))]", + "analyticRuleVersion13": "1.0.4", + "analyticRulecontentId13": "218f60de-c269-457a-b882-9966632b9dc6", + "_analyticRulecontentId13": "[variables('analyticRulecontentId13')]", + "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId13'))]", + "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId13'))))]", + "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId13'),'-', variables('analyticRuleVersion13'))))]", + "analyticRuleVersion14": "1.0.5", + "analyticRulecontentId14": "3af9285d-bb98-4a35-ad29-5ea39ba0c628", + "_analyticRulecontentId14": "[variables('analyticRulecontentId14')]", + "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId14'))]", + "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId14'))))]", + "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId14'),'-', variables('analyticRuleVersion14'))))]", + "analyticRuleVersion15": "1.0.2", + "analyticRulecontentId15": 
"707494a5-8e44-486b-90f8-155d1797a8eb", + "_analyticRulecontentId15": "[variables('analyticRulecontentId15')]", + "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId15'))]", + "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId15'))))]", + "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId15'),'-', variables('analyticRuleVersion15'))))]", + "analyticRuleVersion16": "1.0.2", + "analyticRulecontentId16": "757e6a79-6d23-4ae6-9845-4dac170656b5", + "_analyticRulecontentId16": "[variables('analyticRulecontentId16')]", + "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId16'))]", + "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId16'))))]", + "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId16'),'-', variables('analyticRuleVersion16'))))]", + "analyticRuleVersion17": "1.0.2", + "analyticRulecontentId17": "eb8a9c1c-f532-4630-817c-1ecd8a60ed80", + "_analyticRulecontentId17": "[variables('analyticRulecontentId17')]", + "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId17'))]", + "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId17'))))]", + "_analyticRulecontentProductId17": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId17'),'-', variables('analyticRuleVersion17'))))]", + "analyticRuleVersion18": "1.0.1", + "analyticRulecontentId18": "c895c5b9-0fc6-40ce-9830-e8818862f2d5", + "_analyticRulecontentId18": "[variables('analyticRulecontentId18')]", + "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId18'))]", + "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId18'))))]", + "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId18'),'-', variables('analyticRuleVersion18'))))]", + "analyticRuleVersion19": "1.0.1", + "analyticRulecontentId19": "276d5190-38de-4eb2-9933-b3b72f4a5737", + "_analyticRulecontentId19": "[variables('analyticRulecontentId19')]", + "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId19'))]", + "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId19'))))]", + "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId19'),'-', variables('analyticRuleVersion19'))))]", + "analyticRuleVersion20": "1.0.1", + "analyticRulecontentId20": "229f71ba-d83b-42a5-b83b-11a641049ed1", + "_analyticRulecontentId20": "[variables('analyticRulecontentId20')]", + "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId20'))]", 
+ "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId20'))))]", + "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId20'),'-', variables('analyticRuleVersion20'))))]", + "analyticRuleVersion21": "1.0.1", + "analyticRulecontentId21": "0101e08d-99cd-4a97-a9e0-27649c4369ad", + "_analyticRulecontentId21": "[variables('analyticRulecontentId21')]", + "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId21'))]", + "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId21'))))]", + "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId21'),'-', variables('analyticRuleVersion21'))))]", + "analyticRuleVersion22": "1.0.2", + "analyticRulecontentId22": "75ea5c39-93e5-489b-b1e1-68fa6c9d2d04", + "_analyticRulecontentId22": "[variables('analyticRulecontentId22')]", + "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId22'))]", + "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId22'))))]", + "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId22'),'-', variables('analyticRuleVersion22'))))]", + "analyticRuleVersion23": "1.0.3", + "analyticRulecontentId23": 
"bfb1c90f-8006-4325-98be-c7fffbc254d6", + "_analyticRulecontentId23": "[variables('analyticRulecontentId23')]", + "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId23'))]", + "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId23'))))]", + "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId23'),'-', variables('analyticRuleVersion23'))))]", + "analyticRuleVersion24": "1.0.3", + "analyticRulecontentId24": "a22740ec-fc1e-4c91-8de6-c29c6450ad00", + "_analyticRulecontentId24": "[variables('analyticRulecontentId24')]", + "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId24'))]", + "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId24'))))]", + "_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId24'),'-', variables('analyticRuleVersion24'))))]", + "analyticRuleVersion25": "1.0.0", + "analyticRulecontentId25": "54e22fed-0ec6-4fb2-8312-2a3809a93f63", + "_analyticRulecontentId25": "[variables('analyticRulecontentId25')]", + "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId25'))]", + "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId25'))))]", + "_analyticRulecontentProductId25": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId25'),'-', variables('analyticRuleVersion25'))))]", + "analyticRuleVersion26": "1.0.5", + "analyticRulecontentId26": "223db5c1-1bf8-47d8-8806-bed401b356a4", + "_analyticRulecontentId26": "[variables('analyticRulecontentId26')]", + "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId26'))]", + "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId26'))))]", + "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId26'),'-', variables('analyticRuleVersion26'))))]", + "analyticRuleVersion27": "1.1.4", + "analyticRulecontentId27": "2cfc3c6e-f424-4b88-9cc9-c89f482d016a", + "_analyticRulecontentId27": "[variables('analyticRulecontentId27')]", + "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId27'))]", + "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId27'))))]", + "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId27'),'-', variables('analyticRuleVersion27'))))]", + "analyticRuleVersion28": "1.0.5", + "analyticRulecontentId28": "6ab1f7b2-61b8-442f-bc81-96afe7ad8c53", + "_analyticRulecontentId28": "[variables('analyticRulecontentId28')]", + "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId28'))]", 
+ "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId28'))))]", + "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId28'),'-', variables('analyticRuleVersion28'))))]", + "analyticRuleVersion29": "1.0.3", + "analyticRulecontentId29": "2560515c-07d1-434e-87fb-ebe3af267760", + "_analyticRulecontentId29": "[variables('analyticRulecontentId29')]", + "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId29'))]", + "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId29'))))]", + "_analyticRulecontentProductId29": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId29'),'-', variables('analyticRuleVersion29'))))]", + "analyticRuleVersion30": "1.1.1", + "analyticRulecontentId30": "f948a32f-226c-4116-bddd-d95e91d97eb9", + "_analyticRulecontentId30": "[variables('analyticRulecontentId30')]", + "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId30'))]", + "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId30'))))]", + "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId30'),'-', variables('analyticRuleVersion30'))))]", + "analyticRuleVersion31": "1.0.1", + "analyticRulecontentId31": 
"39198934-62a0-4781-8416-a81265c03fd6", + "_analyticRulecontentId31": "[variables('analyticRulecontentId31')]", + "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId31'))]", + "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId31'))))]", + "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId31'),'-', variables('analyticRuleVersion31'))))]", + "analyticRuleVersion32": "2.0.1", + "analyticRulecontentId32": "d99cf5c3-d660-436c-895b-8a8f8448da23", + "_analyticRulecontentId32": "[variables('analyticRulecontentId32')]", + "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId32'))]", + "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId32'))))]", + "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId32'),'-', variables('analyticRuleVersion32'))))]", + "analyticRuleVersion33": "1.0.2", + "analyticRulecontentId33": "a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b", + "_analyticRulecontentId33": "[variables('analyticRulecontentId33')]", + "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId33'))]", + "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId33'))))]", + "_analyticRulecontentProductId33": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId33'),'-', variables('analyticRuleVersion33'))))]", + "analyticRuleVersion34": "1.0.1", + "analyticRulecontentId34": "cda5928c-2c1e-4575-9dfa-07568bc27a4f", + "_analyticRulecontentId34": "[variables('analyticRulecontentId34')]", + "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId34'))]", + "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId34'))))]", + "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId34'),'-', variables('analyticRuleVersion34'))))]", + "analyticRuleVersion35": "1.0.0", + "analyticRulecontentId35": "4f42b94f-b210-42d1-a023-7fa1c51d969f", + "_analyticRulecontentId35": "[variables('analyticRulecontentId35')]", + "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId35'))]", + "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId35'))))]", + "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId35'),'-', variables('analyticRuleVersion35'))))]", + "analyticRuleVersion36": "1.1.1", + "analyticRulecontentId36": "79566f41-df67-4e10-a703-c38a6213afd8", + "_analyticRulecontentId36": "[variables('analyticRulecontentId36')]", + "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId36'))]", 
+ "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId36'))))]", + "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId36'),'-', variables('analyticRuleVersion36'))))]", + "analyticRuleVersion37": "1.0.1", + "analyticRulecontentId37": "8540c842-5bbc-4a24-9fb2-a836c0e55a51", + "_analyticRulecontentId37": "[variables('analyticRulecontentId37')]", + "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId37'))]", + "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId37'))))]", + "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId37'),'-', variables('analyticRuleVersion37'))))]", + "analyticRuleVersion38": "1.0.2", + "analyticRulecontentId38": "29e99017-e28d-47be-8b9a-c8c711f8a903", + "_analyticRulecontentId38": "[variables('analyticRulecontentId38')]", + "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId38'))]", + "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId38'))))]", + "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId38'),'-', variables('analyticRuleVersion38'))))]", + "analyticRuleVersion39": "1.0.4", + "analyticRulecontentId39": 
"b6988c32-4f3b-4a45-8313-b46b33061a74", + "_analyticRulecontentId39": "[variables('analyticRulecontentId39')]", + "analyticRuleId39": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId39'))]", + "analyticRuleTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId39'))))]", + "_analyticRulecontentProductId39": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId39'),'-', variables('analyticRuleVersion39'))))]", + "analyticRuleVersion40": "1.0.2", + "analyticRulecontentId40": "e42e889a-caaf-4dbb-aec6-371b37d64298", + "_analyticRulecontentId40": "[variables('analyticRulecontentId40')]", + "analyticRuleId40": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId40'))]", + "analyticRuleTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId40'))))]", + "_analyticRulecontentProductId40": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId40'),'-', variables('analyticRuleVersion40'))))]", + "analyticRuleVersion41": "1.0.2", + "analyticRulecontentId41": "5db427b2-f406-4274-b413-e9fcb29412f8", + "_analyticRulecontentId41": "[variables('analyticRulecontentId41')]", + "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId41'))]", + "analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId41'))))]", + "_analyticRulecontentProductId41": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId41'),'-', variables('analyticRuleVersion41'))))]", + "analyticRuleVersion42": "1.0.1", + "analyticRulecontentId42": "14f6da04-2f96-44ee-9210-9ccc1be6401e", + "_analyticRulecontentId42": "[variables('analyticRulecontentId42')]", + "analyticRuleId42": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId42'))]", + "analyticRuleTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId42'))))]", + "_analyticRulecontentProductId42": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId42'),'-', variables('analyticRuleVersion42'))))]", + "analyticRuleVersion43": "1.0.4", + "analyticRulecontentId43": "70fc7201-f28e-4ba7-b9ea-c04b96701f13", + "_analyticRulecontentId43": "[variables('analyticRulecontentId43')]", + "analyticRuleId43": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId43'))]", + "analyticRuleTemplateSpecName43": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId43'))))]", + "_analyticRulecontentProductId43": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId43'),'-', variables('analyticRuleVersion43'))))]", + "analyticRuleVersion44": "1.0.7", + "analyticRulecontentId44": "7d7e20f8-3384-4b71-811c-f5e950e8306c", + "_analyticRulecontentId44": "[variables('analyticRulecontentId44')]", + "analyticRuleId44": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId44'))]", 
+ "analyticRuleTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId44'))))]", + "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId44'),'-', variables('analyticRuleVersion44'))))]", + "analyticRuleVersion45": "1.0.4", + "analyticRulecontentId45": "34c5aff9-a8c2-4601-9654-c7e46342d03b", + "_analyticRulecontentId45": "[variables('analyticRulecontentId45')]", + "analyticRuleId45": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId45'))]", + "analyticRuleTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId45'))))]", + "_analyticRulecontentProductId45": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId45'),'-', variables('analyticRuleVersion45'))))]", + "analyticRuleVersion46": "1.0.4", + "analyticRulecontentId46": "269435e3-1db8-4423-9dfc-9bf59997da1c", + "_analyticRulecontentId46": "[variables('analyticRulecontentId46')]", + "analyticRuleId46": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId46'))]", + "analyticRuleTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId46'))))]", + "_analyticRulecontentProductId46": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId46'),'-', variables('analyticRuleVersion46'))))]", + "analyticRuleVersion47": "1.1.4", + "analyticRulecontentId47": 
"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee", + "_analyticRulecontentId47": "[variables('analyticRulecontentId47')]", + "analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId47'))]", + "analyticRuleTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId47'))))]", + "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId47'),'-', variables('analyticRuleVersion47'))))]", + "analyticRuleVersion48": "1.0.3", + "analyticRulecontentId48": "fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba", + "_analyticRulecontentId48": "[variables('analyticRulecontentId48')]", + "analyticRuleId48": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId48'))]", + "analyticRuleTemplateSpecName48": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId48'))))]", + "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId48'),'-', variables('analyticRuleVersion48'))))]", + "analyticRuleVersion49": "1.0.2", + "analyticRulecontentId49": "d3980830-dd9d-40a5-911f-76b44dfdce16", + "_analyticRulecontentId49": "[variables('analyticRulecontentId49')]", + "analyticRuleId49": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId49'))]", + "analyticRuleTemplateSpecName49": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId49'))))]", + "_analyticRulecontentProductId49": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId49'),'-', variables('analyticRuleVersion49'))))]", + "analyticRuleVersion50": "2.1.3", + "analyticRulecontentId50": "500c103a-0319-4d56-8e99-3cec8d860757", + "_analyticRulecontentId50": "[variables('analyticRulecontentId50')]", + "analyticRuleId50": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId50'))]", + "analyticRuleTemplateSpecName50": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId50'))))]", + "_analyticRulecontentProductId50": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId50'),'-', variables('analyticRuleVersion50'))))]", + "analyticRuleVersion51": "2.1.3", + "analyticRulecontentId51": "28b42356-45af-40a6-a0b4-a554cdfd5d8a", + "_analyticRulecontentId51": "[variables('analyticRulecontentId51')]", + "analyticRuleId51": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId51'))]", + "analyticRuleTemplateSpecName51": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId51'))))]", + "_analyticRulecontentProductId51": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId51'),'-', variables('analyticRuleVersion51'))))]", + "analyticRuleVersion52": "1.0.6", + "analyticRulecontentId52": "48607a29-a26a-4abf-8078-a06dbdd174a4", + "_analyticRulecontentId52": "[variables('analyticRulecontentId52')]", + "analyticRuleId52": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId52'))]", 
+ "analyticRuleTemplateSpecName52": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId52'))))]", + "_analyticRulecontentProductId52": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId52'),'-', variables('analyticRuleVersion52'))))]", + "analyticRuleVersion53": "2.1.7", + "analyticRulecontentId53": "02ef8d7e-fc3a-4d86-a457-650fa571d8d2", + "_analyticRulecontentId53": "[variables('analyticRulecontentId53')]", + "analyticRuleId53": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId53'))]", + "analyticRuleTemplateSpecName53": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId53'))))]", + "_analyticRulecontentProductId53": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId53'),'-', variables('analyticRuleVersion53'))))]", + "analyticRuleVersion54": "1.0.2", + "analyticRulecontentId54": "3a3c6835-0086-40ca-b033-a93bf26d878f", + "_analyticRulecontentId54": "[variables('analyticRulecontentId54')]", + "analyticRuleId54": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId54'))]", + "analyticRuleTemplateSpecName54": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId54'))))]", + "_analyticRulecontentProductId54": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId54'),'-', variables('analyticRuleVersion54'))))]", + "analyticRuleVersion55": "1.0.1", + "analyticRulecontentId55": 
"3533f74c-9207-4047-96e2-0eb9383be587", + "_analyticRulecontentId55": "[variables('analyticRulecontentId55')]", + "analyticRuleId55": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId55'))]", + "analyticRuleTemplateSpecName55": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId55'))))]", + "_analyticRulecontentProductId55": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId55'),'-', variables('analyticRuleVersion55'))))]", + "analyticRuleVersion56": "1.0.2", + "analyticRulecontentId56": "6852d9da-8015-4b95-8ecf-d9572ee0395d", + "_analyticRulecontentId56": "[variables('analyticRulecontentId56')]", + "analyticRuleId56": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId56'))]", + "analyticRuleTemplateSpecName56": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId56'))))]", + "_analyticRulecontentProductId56": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId56'),'-', variables('analyticRuleVersion56'))))]", + "analyticRuleVersion57": "1.0.0", + "analyticRulecontentId57": "aec77100-25c5-4254-a20a-8027ed92c46c", + "_analyticRulecontentId57": "[variables('analyticRulecontentId57')]", + "analyticRuleId57": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId57'))]", + "analyticRuleTemplateSpecName57": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId57'))))]", + "_analyticRulecontentProductId57": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId57'),'-', variables('analyticRuleVersion57'))))]", + "analyticRuleVersion58": "1.0.8", + "analyticRulecontentId58": "acc4c247-aaf7-494b-b5da-17f18863878a", + "_analyticRulecontentId58": "[variables('analyticRulecontentId58')]", + "analyticRuleId58": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId58'))]", + "analyticRuleTemplateSpecName58": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId58'))))]", + "_analyticRulecontentProductId58": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId58'),'-', variables('analyticRuleVersion58'))))]", + "analyticRuleVersion59": "2.0.3", + "analyticRulecontentId59": "3a9d5ede-2b9d-43a2-acc4-d272321ff77c", + "_analyticRulecontentId59": "[variables('analyticRulecontentId59')]", + "analyticRuleId59": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId59'))]", + "analyticRuleTemplateSpecName59": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId59'))))]", + "_analyticRulecontentProductId59": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId59'),'-', variables('analyticRuleVersion59'))))]", + "analyticRuleVersion60": "1.0.5", + "analyticRulecontentId60": "4d94d4a9-dc96-410a-8dea-4d4d4584188b", + "_analyticRulecontentId60": "[variables('analyticRulecontentId60')]", + "analyticRuleId60": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId60'))]", 
+ "analyticRuleTemplateSpecName60": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId60'))))]", + "_analyticRulecontentProductId60": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId60'),'-', variables('analyticRuleVersion60'))))]", + "analyticRuleVersion61": "1.0.0", + "analyticRulecontentId61": "746ddb63-f51b-4563-b449-a8b13cf302ec", + "_analyticRulecontentId61": "[variables('analyticRulecontentId61')]", + "analyticRuleId61": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId61'))]", + "analyticRuleTemplateSpecName61": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId61'))))]", + "_analyticRulecontentProductId61": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId61'),'-', variables('analyticRuleVersion61'))))]", + "analyticRuleVersion62": "1.0.9", + "analyticRulecontentId62": "050b9b3d-53d0-4364-a3da-1b678b8211ec", + "_analyticRulecontentId62": "[variables('analyticRulecontentId62')]", + "analyticRuleId62": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId62'))]", + "analyticRuleTemplateSpecName62": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId62'))))]", + "_analyticRulecontentProductId62": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId62'),'-', variables('analyticRuleVersion62'))))]", "Block-AADUser-alert-trigger": "Block-AADUser-alert-trigger", 
"_Block-AADUser-alert-trigger": "[variables('Block-AADUser-alert-trigger')]", "playbookVersion1": "1.1", @@ -1158,7 +1096,7 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "name": "[variables('analyticRuleTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -1167,13 +1105,13 @@ "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "contentVersion": "[variables('analyticRuleVersion1')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "name": "[variables('analyticRulecontentId1')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1192,10 +1130,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -1206,6 +1144,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -1215,17 +1154,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "DeletedByIPAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -1233,13 +1171,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 1", - "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "parentId": "[variables('analyticRuleId1')]", + "contentId": "[variables('_analyticRulecontentId1')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "version": "[variables('analyticRuleVersion1')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -1264,18 +1202,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentId": "[variables('_analyticRulecontentId1')]", "contentKind": "AnalyticsRule", "displayName": "Account Created and Deleted in Short Timeframe", - "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + "contentProductId": "[variables('_analyticRulecontentProductId1')]", + "id": "[variables('_analyticRulecontentProductId1')]", + "version": "[variables('analyticRuleVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "name": "[variables('analyticRuleTemplateSpecName2')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1284,13 +1222,13 @@ "description": "AccountCreatedDeletedByNonApprovedUser_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "contentVersion": "[variables('analyticRuleVersion2')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "name": "[variables('analyticRulecontentId2')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1309,10 +1247,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -1323,6 +1261,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -1332,17 +1271,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatedUserIpAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -1350,13 +1288,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 2", - "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "parentId": "[variables('analyticRuleId2')]", + "contentId": "[variables('_analyticRulecontentId2')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "version": "[variables('analyticRuleVersion2')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -1381,18 +1319,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentId": "[variables('_analyticRulecontentId2')]", "contentKind": "AnalyticsRule", "displayName": "Account created or deleted by non-approved user", - "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + "contentProductId": "[variables('_analyticRulecontentProductId2')]", + "id": "[variables('_analyticRulecontentProductId2')]", + "version": "[variables('analyticRuleVersion2')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", + "name": "[variables('analyticRuleTemplateSpecName3')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1401,13 +1339,13 @@ "description": "ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "contentVersion": "[variables('analyticRuleVersion3')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "name": "[variables('analyticRulecontentId3')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1426,10 +1364,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -1437,6 +1375,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -1446,17 +1385,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatingIpAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -1464,13 +1402,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 3", - "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "parentId": "[variables('analyticRuleId3')]", + "contentId": "[variables('_analyticRulecontentId3')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "version": "[variables('analyticRuleVersion3')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -1495,18 +1433,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentId": "[variables('_analyticRulecontentId3')]", "contentKind": "AnalyticsRule", "displayName": "Modified domain federation trust settings", - "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + "contentProductId": "[variables('_analyticRulecontentProductId3')]", + "id": "[variables('_analyticRulecontentProductId3')]", + "version": "[variables('analyticRuleVersion3')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", + "name": "[variables('analyticRuleTemplateSpecName4')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1515,13 +1453,13 @@
 "description": "ADFSSignInLogsPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
+ "contentVersion": "[variables('analyticRuleVersion4')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "name": "[variables('analyticRulecontentId4')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1540,10 +1478,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "ADFSSignInLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -1554,13 +1492,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPAddress"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
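Review bot: The AlertRuleTemplates `name` in the first hunk now reads `variables('analyticRulecontentId4')` (no leading underscore) while the metadata resource for the same rule reads `variables('_analyticRulecontentId4')`; both of those flat variables, together with `analyticRuleVersion4`, `analyticRuleId4`, `analyticRuleTemplateSpecName4` and `_analyticRulecontentProductId4`, must be declared in the template's top-level `variables` block, which is outside this chunk, or deployment fails at validation on an unresolved variable reference. The same pattern, and the same check, applies to the hunks for rule 3 and rules 5 through 13 that follow. The `connectorId`/`dataTypes` and `entityType`/`fieldMappings` reorderings appear to be purely cosmetic, since the values themselves are unchanged. The enclosing `resources` array starts and ends outside this hunk.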
@@ -1568,13 +1506,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 4",
- "parentId": "[variables('analyticRuleObject4').analyticRuleId4]",
- "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "parentId": "[variables('analyticRuleId4')]",
+ "contentId": "[variables('_analyticRulecontentId4')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject4').analyticRuleVersion4]",
+ "version": "[variables('analyticRuleVersion4')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -1599,18 +1537,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "contentId": "[variables('_analyticRulecontentId4')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Password spray attack against ADFSSignInLogs",
- "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
- "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
- "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
+ "contentProductId": "[variables('_analyticRulecontentProductId4')]",
+ "id": "[variables('_analyticRulecontentProductId4')]",
+ "version": "[variables('analyticRuleVersion4')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]",
+ "name": "[variables('analyticRuleTemplateSpecName5')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1619,13 +1557,13 @@
 "description": "AdminPromoAfterRoleMgmtAppPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
+ "contentVersion": "[variables('analyticRuleVersion5')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "name": "[variables('analyticRulecontentId5')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1644,10 +1582,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -1660,15 +1598,16 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
 "columnName": "AppDisplayName"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -1678,8 +1617,7 @@
 "identifier": "UPNSuffix",
 "columnName": "TargetUPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1687,13 +1625,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 5",
- "parentId": "[variables('analyticRuleObject5').analyticRuleId5]",
- "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "parentId": "[variables('analyticRuleId5')]",
+ "contentId": "[variables('_analyticRulecontentId5')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject5').analyticRuleVersion5]",
+ "version": "[variables('analyticRuleVersion5')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -1718,18 +1656,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "contentId": "[variables('_analyticRulecontentId5')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Admin promotion after Role Management Application Permission Grant",
- "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
- "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
- "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
+ "contentProductId": "[variables('_analyticRulecontentProductId5')]",
+ "id": "[variables('_analyticRulecontentProductId5')]",
+ "version": "[variables('analyticRuleVersion5')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]",
+ "name": "[variables('analyticRuleTemplateSpecName6')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1738,13 +1676,13 @@
 "description": "AnomalousUserAppSigninLocationIncrease-detection_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
+ "contentVersion": "[variables('analyticRuleVersion6')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "name": "[variables('analyticRulecontentId6')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1763,16 +1701,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 },
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AADNonInteractiveUserSignInLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -1783,6 +1721,7 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -1796,8 +1735,7 @@
 "identifier": "AadUserId",
 "columnName": "UserId"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ],
 "eventGroupingSettings": {
@@ -1807,21 +1745,21 @@
 "Application": "AppDisplayName"
 },
 "alertDetailsOverride": {
- "alertDescriptionFormat": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an\nindividual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \ndifferent locations.\n",
- "alertDisplayNameFormat": "Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}"
+ "alertDisplayNameFormat": "Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}",
+ "alertDescriptionFormat": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an\nindividual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \ndifferent locations.\n"
 }
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 6",
- "parentId": "[variables('analyticRuleObject6').analyticRuleId6]",
- "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "parentId": "[variables('analyticRuleId6')]",
+ "contentId": "[variables('_analyticRulecontentId6')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject6').analyticRuleVersion6]",
+ "version": "[variables('analyticRuleVersion6')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -1846,18 +1784,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "contentId": "[variables('_analyticRulecontentId6')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Anomalous sign-in location by user account and authenticating application",
- "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
- "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
- "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
+ "contentProductId": "[variables('_analyticRulecontentProductId6')]",
+ "id": "[variables('_analyticRulecontentProductId6')]",
+ "version": "[variables('analyticRuleVersion6')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]",
+ "name": "[variables('analyticRuleTemplateSpecName7')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1866,13 +1804,13 @@
 "description": "AuthenticationMethodsChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
+ "contentVersion": "[variables('analyticRuleVersion7')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "name": "[variables('analyticRulecontentId7')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1891,16 +1829,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 },
 {
- "connectorId": "BehaviorAnalytics",
 "dataTypes": [
 "IdentityInfo"
- ]
+ ],
+ "connectorId": "BehaviorAnalytics"
 }
 ],
 "tactics": [
@@ -1911,6 +1849,7 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -1920,10 +1859,10 @@
 "identifier": "UPNSuffix",
 "columnName": "InitiatorUPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -1933,17 +1872,16 @@
 "identifier": "UPNSuffix",
 "columnName": "TargetUPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IP"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
@@ -1951,13 +1889,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 7",
- "parentId": "[variables('analyticRuleObject7').analyticRuleId7]",
- "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "parentId": "[variables('analyticRuleId7')]",
+ "contentId": "[variables('_analyticRulecontentId7')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject7').analyticRuleVersion7]",
+ "version": "[variables('analyticRuleVersion7')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -1982,18 +1920,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "contentId": "[variables('_analyticRulecontentId7')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Authentication Methods Changed for Privileged Account",
- "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
- "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
- "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
+ "contentProductId": "[variables('_analyticRulecontentProductId7')]",
+ "id": "[variables('_analyticRulecontentProductId7')]",
+ "version": "[variables('analyticRuleVersion7')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]",
+ "name": "[variables('analyticRuleTemplateSpecName8')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2002,13 +1940,13 @@
 "description": "AzureAADPowerShellAnomaly_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
+ "contentVersion": "[variables('analyticRuleVersion8')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "name": "[variables('analyticRulecontentId8')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -2027,16 +1965,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 },
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AADNonInteractiveUserSignInLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -2047,6 +1985,7 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -2060,17 +1999,16 @@
 "identifier": "AadUserId",
 "columnName": "UserId"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPAddress"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
@@ -2078,13 +2016,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 8",
- "parentId": "[variables('analyticRuleObject8').analyticRuleId8]",
- "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "parentId": "[variables('analyticRuleId8')]",
+ "contentId": "[variables('_analyticRulecontentId8')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject8').analyticRuleVersion8]",
+ "version": "[variables('analyticRuleVersion8')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -2109,18 +2047,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "contentId": "[variables('_analyticRulecontentId8')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Microsoft Entra ID PowerShell accessing non-Entra ID resources",
- "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
- "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
- "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
+ "contentProductId": "[variables('_analyticRulecontentProductId8')]",
+ "id": "[variables('_analyticRulecontentProductId8')]",
+ "version": "[variables('analyticRuleVersion8')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]",
+ "name": "[variables('analyticRuleTemplateSpecName9')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2129,13 +2067,13 @@
 "description": "AzureADRoleManagementPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
+ "contentVersion": "[variables('analyticRuleVersion9')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "name": "[variables('analyticRulecontentId9')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -2154,10 +2092,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -2170,6 +2108,7 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -2179,17 +2118,16 @@
 "identifier": "UPNSuffix",
 "columnName": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
 "columnName": "AppDisplayName"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -2197,13 +2135,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 9",
- "parentId": "[variables('analyticRuleObject9').analyticRuleId9]",
- "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "parentId": "[variables('analyticRuleId9')]",
+ "contentId": "[variables('_analyticRulecontentId9')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject9').analyticRuleVersion9]",
+ "version": "[variables('analyticRuleVersion9')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -2228,18 +2166,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "contentId": "[variables('_analyticRulecontentId9')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Microsoft Entra ID Role Management Permission Grant",
- "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
- "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
- "version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
+ "contentProductId": "[variables('_analyticRulecontentProductId9')]",
+ "id": "[variables('_analyticRulecontentProductId9')]",
+ "version": "[variables('analyticRuleVersion9')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]",
+ "name": "[variables('analyticRuleTemplateSpecName10')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2248,13 +2186,13 @@
 "description": "AzurePortalSigninfromanotherAzureTenant_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
+ "contentVersion": "[variables('analyticRuleVersion10')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "name": "[variables('analyticRulecontentId10')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -2273,10 +2211,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -2287,6 +2225,7 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -2300,35 +2239,34 @@
 "identifier": "AadUserId",
 "columnName": "UserId"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPAddress"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ],
 "alertDetailsOverride": {
- "alertDescriptionFormat": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\nand the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\nto pivot to other tenants leveraging cross-tenant delegated access in this manner.\nIn this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.\n",
- "alertDisplayNameFormat": "Azure Portal sign in by {{UserPrincipalName}} from another Azure Tenant with IP Address {{IPAddress}}"
+ "alertDisplayNameFormat": "Azure Portal sign in by {{UserPrincipalName}} from another Azure Tenant with IP Address {{IPAddress}}",
+ "alertDescriptionFormat": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\nand the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\nto pivot to other tenants leveraging cross-tenant delegated access in this manner.\nIn this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.\n"
 }
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 10",
- "parentId": "[variables('analyticRuleObject10').analyticRuleId10]",
- "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "parentId": "[variables('analyticRuleId10')]",
+ "contentId": "[variables('_analyticRulecontentId10')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject10').analyticRuleVersion10]",
+ "version": "[variables('analyticRuleVersion10')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -2353,18 +2291,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "contentId": "[variables('_analyticRulecontentId10')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Azure Portal sign in from another Azure Tenant",
- "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
- "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
- "version": "[variables('analyticRuleObject10').analyticRuleVersion10]"
+ "contentProductId": "[variables('_analyticRulecontentProductId10')]",
+ "id": "[variables('_analyticRulecontentProductId10')]",
+ "version": "[variables('analyticRuleVersion10')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject11').analyticRuleTemplateSpecName11]",
+ "name": "[variables('analyticRuleTemplateSpecName11')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2373,13 +2311,13 @@
 "description": "Brute Force Attack against GitHub Account_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]",
+ "contentVersion": "[variables('analyticRuleVersion11')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
+ "name": "[variables('analyticRulecontentId11')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -2398,16 +2336,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 },
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AADNonInteractiveUserSignInLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -2418,6 +2356,7 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -2427,8 +2366,7 @@
 "identifier": "UPNSuffix",
 "columnName": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -2436,13 +2374,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject11').analyticRuleId11,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId11'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 11",
- "parentId": "[variables('analyticRuleObject11').analyticRuleId11]",
- "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
+ "parentId": "[variables('analyticRuleId11')]",
+ "contentId": "[variables('_analyticRulecontentId11')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject11').analyticRuleVersion11]",
+ "version": "[variables('analyticRuleVersion11')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -2467,18 +2405,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
+ "contentId": "[variables('_analyticRulecontentId11')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Brute Force Attack against GitHub Account",
- "contentProductId": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]",
- "id": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]",
- "version": "[variables('analyticRuleObject11').analyticRuleVersion11]"
+ "contentProductId": "[variables('_analyticRulecontentProductId11')]",
+ "id": "[variables('_analyticRulecontentProductId11')]",
+ "version": "[variables('analyticRuleVersion11')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject12').analyticRuleTemplateSpecName12]",
+ "name": "[variables('analyticRuleTemplateSpecName12')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2487,13 +2425,13 @@
 "description": "BruteForceCloudPC_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]",
+ "contentVersion": "[variables('analyticRuleVersion12')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
+ "name": "[variables('analyticRulecontentId12')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -2512,10 +2450,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -2526,6 +2464,7 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -2535,17 +2474,16 @@
 "identifier": "UPNSuffix",
 "columnName": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPAddressFirst"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
@@ -2553,13 +2491,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject12').analyticRuleId12,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId12'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 12", - "parentId": "[variables('analyticRuleObject12').analyticRuleId12]", - "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "parentId": "[variables('analyticRuleId12')]", + "contentId": "[variables('_analyticRulecontentId12')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject12').analyticRuleVersion12]", + "version": "[variables('analyticRuleVersion12')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -2584,18 +2522,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "contentId": "[variables('_analyticRulecontentId12')]", "contentKind": "AnalyticsRule", "displayName": "Brute force attack against a Cloud PC", - "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", - "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", - "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" + "contentProductId": "[variables('_analyticRulecontentProductId12')]", + "id": "[variables('_analyticRulecontentProductId12')]", + "version": "[variables('analyticRuleVersion12')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject13').analyticRuleTemplateSpecName13]", + "name": "[variables('analyticRuleTemplateSpecName13')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2604,13 +2542,13 @@ "description": "BulkChangestoPrivilegedAccountPermissions_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", + "contentVersion": "[variables('analyticRuleVersion13')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "name": "[variables('analyticRulecontentId13')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2629,10 +2567,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -2643,6 +2581,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -2652,10 +2591,10 @@ "identifier": "UPNSuffix", "columnName": "TargetUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -2665,26 +2604,25 @@ "identifier": "UPNSuffix", "columnName": "InitiatedByUserUPNSuffix" } - ], - "entityType": "Account" + ] } ], "customDetails": { - "InitiatedByUser": "InitiatedByUser", - "TargetUser": "Target" + "TargetUser": "Target", + "InitiatedByUser": "InitiatedByUser" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject13').analyticRuleId13,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId13'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 13", - "parentId": "[variables('analyticRuleObject13').analyticRuleId13]", - "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "parentId": "[variables('analyticRuleId13')]", + "contentId": "[variables('_analyticRulecontentId13')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject13').analyticRuleVersion13]", + "version": "[variables('analyticRuleVersion13')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -2709,18 +2647,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "contentId": "[variables('_analyticRulecontentId13')]", "contentKind": "AnalyticsRule", "displayName": "Bulk Changes to Privileged Account Permissions", - "contentProductId": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", - "id": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", - "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" + "contentProductId": "[variables('_analyticRulecontentProductId13')]", + "id": "[variables('_analyticRulecontentProductId13')]", + "version": "[variables('analyticRuleVersion13')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject14').analyticRuleTemplateSpecName14]", + "name": "[variables('analyticRuleTemplateSpecName14')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2729,13 +2667,13 @@ "description": "BypassCondAccessRule_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", + "contentVersion": "[variables('analyticRuleVersion14')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "name": "[variables('analyticRulecontentId14')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2754,16 +2692,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -2776,6 +2714,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -2785,17 +2724,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddresses" } - ], - "entityType": "IP" + ] } ] } 
@@ -2803,13 +2741,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject14').analyticRuleId14,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId14'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 14", - "parentId": "[variables('analyticRuleObject14').analyticRuleId14]", - "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "parentId": "[variables('analyticRuleId14')]", + "contentId": "[variables('_analyticRulecontentId14')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject14').analyticRuleVersion14]", + "version": "[variables('analyticRuleVersion14')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -2834,18 +2772,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "contentId": "[variables('_analyticRulecontentId14')]", "contentKind": "AnalyticsRule", "displayName": "Attempt to bypass conditional access rule in Microsoft Entra ID", - "contentProductId": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", - "id": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", - "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" + "contentProductId": "[variables('_analyticRulecontentProductId14')]", + "id": "[variables('_analyticRulecontentProductId14')]", + "version": "[variables('analyticRuleVersion14')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject15').analyticRuleTemplateSpecName15]", + "name": "[variables('analyticRuleTemplateSpecName15')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2854,13 +2792,13 @@ "description": "CredentialAddedAfterAdminConsent_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", + "contentVersion": "[variables('analyticRuleVersion15')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "name": "[variables('analyticRulecontentId15')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2879,10 +2817,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -2890,6 +2828,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -2899,17 +2838,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "Consent_InitiatingIpAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -2917,13 +2855,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject15').analyticRuleId15,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId15'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 15", - "parentId": "[variables('analyticRuleObject15').analyticRuleId15]", - "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "parentId": "[variables('analyticRuleId15')]", + "contentId": "[variables('_analyticRulecontentId15')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject15').analyticRuleVersion15]", + "version": "[variables('analyticRuleVersion15')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -2948,18 +2886,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "contentId": "[variables('_analyticRulecontentId15')]", "contentKind": "AnalyticsRule", "displayName": "Credential added after admin consented to Application", - "contentProductId": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", - "id": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", - "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" + "contentProductId": "[variables('_analyticRulecontentProductId15')]", + "id": "[variables('_analyticRulecontentProductId15')]", + "version": "[variables('analyticRuleVersion15')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject16').analyticRuleTemplateSpecName16]", + "name": "[variables('analyticRuleTemplateSpecName16')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2968,13 +2906,13 @@ "description": "Cross-tenantAccessSettingsOrganizationAdded_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", + "contentVersion": "[variables('analyticRuleVersion16')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "name": "[variables('analyticRulecontentId16')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2993,10 +2931,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -3011,6 +2949,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -3020,17 +2959,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatedByIPAdress" } - ], - "entityType": "IP" + ] } ] } 
@@ -3038,13 +2976,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject16').analyticRuleId16,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId16'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 16", - "parentId": "[variables('analyticRuleObject16').analyticRuleId16]", - "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "parentId": "[variables('analyticRuleId16')]", + "contentId": "[variables('_analyticRulecontentId16')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject16').analyticRuleVersion16]", + "version": "[variables('analyticRuleVersion16')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -3069,18 +3007,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "contentId": "[variables('_analyticRulecontentId16')]", "contentKind": "AnalyticsRule", "displayName": "Cross-tenant Access Settings Organization Added", - "contentProductId": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", - "id": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", - "version": "[variables('analyticRuleObject16').analyticRuleVersion16]" + "contentProductId": "[variables('_analyticRulecontentProductId16')]", + "id": "[variables('_analyticRulecontentProductId16')]", + "version": "[variables('analyticRuleVersion16')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject17').analyticRuleTemplateSpecName17]", + "name": "[variables('analyticRuleTemplateSpecName17')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -3089,13 +3027,13 @@ "description": "Cross-tenantAccessSettingsOrganizationDeleted_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", + "contentVersion": "[variables('analyticRuleVersion17')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "name": "[variables('analyticRulecontentId17')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3114,10 +3052,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -3132,6 +3070,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -3141,17 +3080,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatedByIPAdress" } - ], - "entityType": "IP" + ] } ] } 
@@ -3159,13 +3097,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject17').analyticRuleId17,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId17'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 17", - "parentId": "[variables('analyticRuleObject17').analyticRuleId17]", - "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "parentId": "[variables('analyticRuleId17')]", + "contentId": "[variables('_analyticRulecontentId17')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject17').analyticRuleVersion17]", + "version": "[variables('analyticRuleVersion17')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -3190,18 +3128,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "contentId": "[variables('_analyticRulecontentId17')]", "contentKind": "AnalyticsRule", "displayName": "Cross-tenant Access Settings Organization Deleted", - "contentProductId": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", - "id": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", - "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" + "contentProductId": "[variables('_analyticRulecontentProductId17')]", + "id": "[variables('_analyticRulecontentProductId17')]", + "version": "[variables('analyticRuleVersion17')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject18').analyticRuleTemplateSpecName18]", + "name": "[variables('analyticRuleTemplateSpecName18')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -3210,13 +3148,13 @@ "description": "Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", + "contentVersion": "[variables('analyticRuleVersion18')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "name": "[variables('analyticRulecontentId18')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3235,10 +3173,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -3253,6 +3191,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -3262,17 +3201,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatedByIPAdress" } - ], - "entityType": "IP" + ] } ] } 
@@ -3280,13 +3218,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject18').analyticRuleId18,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId18'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 18", - "parentId": "[variables('analyticRuleObject18').analyticRuleId18]", - "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "parentId": "[variables('analyticRuleId18')]", + "contentId": "[variables('_analyticRulecontentId18')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject18').analyticRuleVersion18]", + "version": "[variables('analyticRuleVersion18')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -3311,18 +3249,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "contentId": "[variables('_analyticRulecontentId18')]", "contentKind": "AnalyticsRule", "displayName": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed", - "contentProductId": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", - "id": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", - "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" + "contentProductId": "[variables('_analyticRulecontentProductId18')]", + "id": "[variables('_analyticRulecontentProductId18')]", + "version": "[variables('analyticRuleVersion18')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject19').analyticRuleTemplateSpecName19]", + "name": "[variables('analyticRuleTemplateSpecName19')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -3331,13 +3269,13 @@ "description": "Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", + "contentVersion": "[variables('analyticRuleVersion19')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "name": "[variables('analyticRulecontentId19')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3356,10 +3294,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -3374,6 +3312,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -3383,17 +3322,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatedByIPAdress" } - ], - "entityType": "IP" + ] } ] } 
@@ -3401,13 +3339,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject19').analyticRuleId19,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId19'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 19", - "parentId": "[variables('analyticRuleObject19').analyticRuleId19]", - "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "parentId": "[variables('analyticRuleId19')]", + "contentId": "[variables('_analyticRulecontentId19')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject19').analyticRuleVersion19]", + "version": "[variables('analyticRuleVersion19')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -3432,18 +3370,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "contentId": "[variables('_analyticRulecontentId19')]", "contentKind": "AnalyticsRule", "displayName": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed", - "contentProductId": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", - "id": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", - "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" + "contentProductId": "[variables('_analyticRulecontentProductId19')]", + "id": "[variables('_analyticRulecontentProductId19')]", + "version": "[variables('analyticRuleVersion19')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject20').analyticRuleTemplateSpecName20]", + "name": "[variables('analyticRuleTemplateSpecName20')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -3452,13 +3390,13 @@ "description": "Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", + "contentVersion": "[variables('analyticRuleVersion20')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "name": "[variables('analyticRulecontentId20')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3477,10 +3415,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -3495,6 +3433,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -3504,17 +3443,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatedByIPAdress" } - ], - "entityType": "IP" + ] } ] } 
@@ -3522,13 +3460,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject20').analyticRuleId20,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId20'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 20", - "parentId": "[variables('analyticRuleObject20').analyticRuleId20]", - "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "parentId": "[variables('analyticRuleId20')]", + "contentId": "[variables('_analyticRulecontentId20')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject20').analyticRuleVersion20]", + "version": "[variables('analyticRuleVersion20')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -3553,18 +3491,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "contentId": "[variables('_analyticRulecontentId20')]", "contentKind": "AnalyticsRule", "displayName": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed", - "contentProductId": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]", - "id": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]", - "version": "[variables('analyticRuleObject20').analyticRuleVersion20]" + "contentProductId": "[variables('_analyticRulecontentProductId20')]", + "id": "[variables('_analyticRulecontentProductId20')]", + "version": "[variables('analyticRuleVersion20')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject21').analyticRuleTemplateSpecName21]", + "name": "[variables('analyticRuleTemplateSpecName21')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -3573,13 +3511,13 @@ "description": "Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", + "contentVersion": "[variables('analyticRuleVersion21')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "name": "[variables('analyticRulecontentId21')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3598,10 +3536,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -3616,6 +3554,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -3625,17 +3564,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatedByIPAdress" } - ], - "entityType": "IP" + ] } ] } 
@@ -3643,13 +3581,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject21').analyticRuleId21,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId21'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 21", - "parentId": "[variables('analyticRuleObject21').analyticRuleId21]", - "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "parentId": "[variables('analyticRuleId21')]", + "contentId": "[variables('_analyticRulecontentId21')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject21').analyticRuleVersion21]", + "version": "[variables('analyticRuleVersion21')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -3674,18 +3612,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "contentId": "[variables('_analyticRulecontentId21')]", "contentKind": "AnalyticsRule", "displayName": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed", - "contentProductId": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]", - "id": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]", - "version": "[variables('analyticRuleObject21').analyticRuleVersion21]" + "contentProductId": "[variables('_analyticRulecontentProductId21')]", + "id": "[variables('_analyticRulecontentProductId21')]", + "version": "[variables('analyticRuleVersion21')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject22').analyticRuleTemplateSpecName22]", + "name": "[variables('analyticRuleTemplateSpecName22')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -3694,13 +3632,13 @@ "description": "DisabledAccountSigninsAcrossManyApplications_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", + "contentVersion": "[variables('analyticRuleVersion22')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "name": "[variables('analyticRulecontentId22')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3719,16 +3657,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -3739,6 +3677,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -3748,17 +3687,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -3766,13 +3704,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject22').analyticRuleId22,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId22'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 22", - "parentId": "[variables('analyticRuleObject22').analyticRuleId22]", - "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "parentId": "[variables('analyticRuleId22')]", + "contentId": "[variables('_analyticRulecontentId22')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject22').analyticRuleVersion22]", + "version": "[variables('analyticRuleVersion22')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -3797,18 +3735,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "contentId": "[variables('_analyticRulecontentId22')]", "contentKind": "AnalyticsRule", "displayName": "Attempts to sign in to disabled accounts", - "contentProductId": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]", - "id": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]", - "version": "[variables('analyticRuleObject22').analyticRuleVersion22]" + "contentProductId": "[variables('_analyticRulecontentProductId22')]", + "id": "[variables('_analyticRulecontentProductId22')]", + "version": "[variables('analyticRuleVersion22')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject23').analyticRuleTemplateSpecName23]", + "name": "[variables('analyticRuleTemplateSpecName23')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -3817,13 +3755,13 @@ "description": "DistribPassCrackAttempt_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", + "contentVersion": "[variables('analyticRuleVersion23')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject23')._analyticRulecontentId23]", + "name": "[variables('analyticRulecontentId23')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3842,16 +3780,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -3862,6 +3800,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -3871,17 +3810,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -3889,13 +3827,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject23').analyticRuleId23,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId23'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 23", - "parentId": "[variables('analyticRuleObject23').analyticRuleId23]", - "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", + "parentId": "[variables('analyticRuleId23')]", + "contentId": "[variables('_analyticRulecontentId23')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject23').analyticRuleVersion23]", + "version": "[variables('analyticRuleVersion23')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -3920,18 +3858,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", + "contentId": "[variables('_analyticRulecontentId23')]", "contentKind": "AnalyticsRule", "displayName": "Distributed Password cracking attempts in Microsoft Entra ID", - "contentProductId": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]", - "id": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]", - "version": "[variables('analyticRuleObject23').analyticRuleVersion23]" + "contentProductId": "[variables('_analyticRulecontentProductId23')]", + "id": "[variables('_analyticRulecontentProductId23')]", + "version": "[variables('analyticRuleVersion23')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject24').analyticRuleTemplateSpecName24]", + "name": "[variables('analyticRuleTemplateSpecName24')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -3940,13 +3878,13 @@ "description": "ExplicitMFADeny_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", + "contentVersion": "[variables('analyticRuleVersion24')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject24')._analyticRulecontentId24]", + "name": "[variables('analyticRulecontentId24')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3965,22 +3903,22 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceInfo" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3991,6 +3929,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -4000,35 +3939,34 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ], - "entityType": "IP" + ] }, { + "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceID", "columnName": "ResourceID" } - ], - "entityType": "AzureResource" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "ClientAppUsed" } - ], - "entityType": "URL" + ] } ] } 
@@ -4036,13 +3974,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject24').analyticRuleId24,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId24'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 24", - "parentId": "[variables('analyticRuleObject24').analyticRuleId24]", - "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", + "parentId": "[variables('analyticRuleId24')]", + "contentId": "[variables('_analyticRulecontentId24')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject24').analyticRuleVersion24]", + "version": "[variables('analyticRuleVersion24')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -4067,18 +4005,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", + "contentId": "[variables('_analyticRulecontentId24')]", "contentKind": "AnalyticsRule", "displayName": "Explicit MFA Deny", - "contentProductId": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]", - "id": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]", - "version": "[variables('analyticRuleObject24').analyticRuleVersion24]" + "contentProductId": "[variables('_analyticRulecontentProductId24')]", + "id": "[variables('_analyticRulecontentProductId24')]", + "version": "[variables('analyticRuleVersion24')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject25').analyticRuleTemplateSpecName25]", + "name": "[variables('analyticRuleTemplateSpecName25')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -4087,13 +4025,13 @@ "description": "ExchangeFullAccessGrantedToApp_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", + "contentVersion": "[variables('analyticRuleVersion25')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject25')._analyticRulecontentId25]", + "name": "[variables('analyticRulecontentId25')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -4112,10 +4050,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -4126,6 +4064,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -4135,17 +4074,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "GrantIpAddress" } - ], - "entityType": "IP" + ] } ], "customDetails": { 
@@ -4154,21 +4092,21 @@ "OAuthAppId": "AppId" }, "alertDetailsOverride": { - "alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{GrantIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n", - "alertDisplayNameFormat": "User {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}" + "alertDisplayNameFormat": "User {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}", + "alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. 
The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{GrantIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject25').analyticRuleId25,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId25'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 25", - "parentId": "[variables('analyticRuleObject25').analyticRuleId25]", - "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", + "parentId": "[variables('analyticRuleId25')]", + "contentId": "[variables('_analyticRulecontentId25')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject25').analyticRuleVersion25]", + "version": "[variables('analyticRuleVersion25')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -4193,18 +4131,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", + "contentId": "[variables('_analyticRulecontentId25')]", "contentKind": "AnalyticsRule", "displayName": "full_access_as_app Granted To Application", - "contentProductId": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]", - "id": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]", - "version": "[variables('analyticRuleObject25').analyticRuleVersion25]" + "contentProductId": "[variables('_analyticRulecontentProductId25')]", + "id": "[variables('_analyticRulecontentProductId25')]", + "version": "[variables('analyticRuleVersion25')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject26').analyticRuleTemplateSpecName26]", + "name": "[variables('analyticRuleTemplateSpecName26')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -4213,13 +4151,13 @@ "description": "FailedLogonToAzurePortal_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", + "contentVersion": "[variables('analyticRuleVersion26')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject26')._analyticRulecontentId26]", + "name": "[variables('analyticRulecontentId26')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -4238,16 +4176,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -4258,6 +4196,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -4267,17 +4206,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -4285,13 +4223,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject26').analyticRuleId26,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId26'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 26", - "parentId": "[variables('analyticRuleObject26').analyticRuleId26]", - "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", + "parentId": "[variables('analyticRuleId26')]", + "contentId": "[variables('_analyticRulecontentId26')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject26').analyticRuleVersion26]", + "version": "[variables('analyticRuleVersion26')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -4316,18 +4254,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", + "contentId": "[variables('_analyticRulecontentId26')]", "contentKind": "AnalyticsRule", "displayName": "Failed login attempts to Azure Portal", - "contentProductId": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]", - "id": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]", - "version": "[variables('analyticRuleObject26').analyticRuleVersion26]" + "contentProductId": "[variables('_analyticRulecontentProductId26')]", + "id": "[variables('_analyticRulecontentProductId26')]", + "version": "[variables('analyticRuleVersion26')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject27').analyticRuleTemplateSpecName27]", + "name": "[variables('analyticRuleTemplateSpecName27')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -4336,13 +4274,13 @@ "description": "FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", + "contentVersion": "[variables('analyticRuleVersion27')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject27')._analyticRulecontentId27]", + "name": "[variables('analyticRulecontentId27')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -4361,10 +4299,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -4375,6 +4313,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -4384,26 +4323,25 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatingIpAddress" } - ], - "entityType": "IP" + ] }, { + "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "targetDisplayName" } - ], - "entityType": "CloudApplication" + ] } ] } 
@@ -4411,13 +4349,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject27').analyticRuleId27,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId27'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 27", - "parentId": "[variables('analyticRuleObject27').analyticRuleId27]", - "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", + "parentId": "[variables('analyticRuleId27')]", + "contentId": "[variables('_analyticRulecontentId27')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject27').analyticRuleVersion27]", + "version": "[variables('analyticRuleVersion27')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -4442,18 +4380,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", + "contentId": "[variables('_analyticRulecontentId27')]", "contentKind": "AnalyticsRule", "displayName": "First access credential added to Application or Service Principal where no credential was present", - "contentProductId": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]", - "id": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]", - "version": "[variables('analyticRuleObject27').analyticRuleVersion27]" + "contentProductId": "[variables('_analyticRulecontentProductId27')]", + "id": "[variables('_analyticRulecontentProductId27')]", + "version": "[variables('analyticRuleVersion27')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject28').analyticRuleTemplateSpecName28]", + "name": "[variables('analyticRuleTemplateSpecName28')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -4462,13 +4400,13 @@ "description": "GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", + "contentVersion": "[variables('analyticRuleVersion28')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject28')._analyticRulecontentId28]", + "name": "[variables('analyticRulecontentId28')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -4487,10 +4425,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -4505,15 +4443,16 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "InvitedUser" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -4523,17 +4462,29 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatedByIPAdress" } - ], - "entityType": "IP" + ] + }, + { + "entityType": "SecurityGroup", + "fieldMappings": [ + { + "identifier": "DistinguishedName", + "columnName": "AADGroup" + }, + { + "identifier": "ObjectGuid", + "columnName": "AADGroupId" + } + ] } ] } 
@@ -4541,13 +4492,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject28').analyticRuleId28,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId28'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 28", - "parentId": "[variables('analyticRuleObject28').analyticRuleId28]", - "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", + "parentId": "[variables('analyticRuleId28')]", + "contentId": "[variables('_analyticRulecontentId28')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject28').analyticRuleVersion28]", + "version": "[variables('analyticRuleVersion28')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -4572,18 +4523,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", + "contentId": "[variables('_analyticRulecontentId28')]", "contentKind": "AnalyticsRule", "displayName": "Guest accounts added in Entra ID Groups other than the ones specified", - "contentProductId": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]", - "id": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]", - "version": "[variables('analyticRuleObject28').analyticRuleVersion28]" + "contentProductId": "[variables('_analyticRulecontentProductId28')]", + "id": "[variables('_analyticRulecontentProductId28')]", + "version": "[variables('analyticRuleVersion28')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject29').analyticRuleTemplateSpecName29]", + "name": "[variables('analyticRuleTemplateSpecName29')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -4592,13 +4543,13 @@ "description": "MailPermissionsAddedToApplication_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", + "contentVersion": "[variables('analyticRuleVersion29')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject29')._analyticRulecontentId29]", + "name": "[variables('analyticRulecontentId29')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -4617,10 +4568,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -4631,6 +4582,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -4640,17 +4592,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "UserIPAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -4658,13 +4609,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject29').analyticRuleId29,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId29'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 29", - "parentId": "[variables('analyticRuleObject29').analyticRuleId29]", - "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", + "parentId": "[variables('analyticRuleId29')]", + "contentId": "[variables('_analyticRulecontentId29')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject29').analyticRuleVersion29]", + "version": "[variables('analyticRuleVersion29')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -4689,18 +4640,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", + "contentId": "[variables('_analyticRulecontentId29')]", "contentKind": "AnalyticsRule", "displayName": "Mail.Read Permissions Granted to Application", - "contentProductId": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]", - "id": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]", - "version": "[variables('analyticRuleObject29').analyticRuleVersion29]" + "contentProductId": "[variables('_analyticRulecontentProductId29')]", + "id": "[variables('_analyticRulecontentProductId29')]", + "version": "[variables('analyticRuleVersion29')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject30').analyticRuleTemplateSpecName30]", + "name": "[variables('analyticRuleTemplateSpecName30')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -4709,13 +4660,13 @@ "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", + "contentVersion": "[variables('analyticRuleVersion30')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject30')._analyticRulecontentId30]", + "name": "[variables('analyticRulecontentId30')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -4734,10 +4685,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -4750,6 +4701,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -4759,26 +4711,25 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "GrantIpAddress" } - ], - "entityType": "IP" + ] }, { + "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "AppDisplayName" } - ], - "entityType": "CloudApplication" + ] } ] } 
@@ -4786,13 +4737,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject30').analyticRuleId30,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId30'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 30", - "parentId": "[variables('analyticRuleObject30').analyticRuleId30]", - "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", + "parentId": "[variables('analyticRuleId30')]", + "contentId": "[variables('_analyticRulecontentId30')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject30').analyticRuleVersion30]", + "version": "[variables('analyticRuleVersion30')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -4817,18 +4768,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", + "contentId": "[variables('_analyticRulecontentId30')]", "contentKind": "AnalyticsRule", "displayName": "Suspicious application consent similar to O365 Attack Toolkit", - "contentProductId": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]", - "id": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]", - "version": "[variables('analyticRuleObject30').analyticRuleVersion30]" + "contentProductId": "[variables('_analyticRulecontentProductId30')]", + "id": "[variables('_analyticRulecontentProductId30')]", + "version": "[variables('analyticRuleVersion30')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject31').analyticRuleTemplateSpecName31]", + "name": "[variables('analyticRuleTemplateSpecName31')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -4837,13 +4788,13 @@ "description": "MaliciousOAuthApp_PwnAuth_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]", + "contentVersion": "[variables('analyticRuleVersion31')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject31')._analyticRulecontentId31]", + "name": "[variables('analyticRulecontentId31')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -4862,10 +4813,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -4878,6 +4829,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -4887,17 +4839,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "GrantIpAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -4905,13 +4856,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject31').analyticRuleId31,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId31'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 31", - "parentId": "[variables('analyticRuleObject31').analyticRuleId31]", - "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", + "parentId": "[variables('analyticRuleId31')]", + "contentId": "[variables('_analyticRulecontentId31')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject31').analyticRuleVersion31]", + "version": "[variables('analyticRuleVersion31')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -4936,18 +4887,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", + "contentId": "[variables('_analyticRulecontentId31')]", "contentKind": "AnalyticsRule", "displayName": "Suspicious application consent similar to PwnAuth", - "contentProductId": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]", - "id": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]", - "version": "[variables('analyticRuleObject31').analyticRuleVersion31]" + "contentProductId": "[variables('_analyticRulecontentProductId31')]", + "id": "[variables('_analyticRulecontentProductId31')]", + "version": "[variables('analyticRuleVersion31')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject32').analyticRuleTemplateSpecName32]", + "name": "[variables('analyticRuleTemplateSpecName32')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -4956,13 +4907,13 @@ "description": "MFARejectedbyUser_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", + "contentVersion": "[variables('analyticRuleVersion32')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject32')._analyticRulecontentId32]", + "name": "[variables('analyticRulecontentId32')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -4981,22 +4932,22 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "BehaviorAnalytics", "dataTypes": [ "BehaviorAnalytics" - ] + ], + "connectorId": "BehaviorAnalytics" }, { - "connectorId": "BehaviorAnalytics", "dataTypes": [ "IdentityInfo" - ] + ], + "connectorId": "BehaviorAnalytics" } ], "tactics": [ @@ -5007,6 +4958,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -5020,17 +4972,16 @@ "identifier": "AadUserId", "columnName": "UserId" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -5038,13 +4989,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject32').analyticRuleId32,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId32'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 32", - "parentId": "[variables('analyticRuleObject32').analyticRuleId32]", - "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", + "parentId": "[variables('analyticRuleId32')]", + "contentId": "[variables('_analyticRulecontentId32')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject32').analyticRuleVersion32]", + "version": "[variables('analyticRuleVersion32')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5069,18 +5020,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", + "contentId": "[variables('_analyticRulecontentId32')]", "contentKind": "AnalyticsRule", "displayName": "MFA Rejected by User", - "contentProductId": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]", - "id": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]", - "version": "[variables('analyticRuleObject32').analyticRuleVersion32]" + "contentProductId": "[variables('_analyticRulecontentProductId32')]", + "id": "[variables('_analyticRulecontentProductId32')]", + "version": "[variables('analyticRuleVersion32')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject33').analyticRuleTemplateSpecName33]", + "name": "[variables('analyticRuleTemplateSpecName33')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -5089,13 +5040,13 @@ "description": "MFASpammingfollowedbySuccessfullogin_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]", + "contentVersion": "[variables('analyticRuleVersion33')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject33')._analyticRulecontentId33]", + "name": "[variables('analyticRulecontentId33')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -5114,10 +5065,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -5128,6 +5079,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -5137,17 +5089,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -5155,13 +5106,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject33').analyticRuleId33,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId33'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 33", - "parentId": "[variables('analyticRuleObject33').analyticRuleId33]", - "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", + "parentId": "[variables('analyticRuleId33')]", + "contentId": "[variables('_analyticRulecontentId33')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject33').analyticRuleVersion33]", + "version": "[variables('analyticRuleVersion33')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5186,18 +5137,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", + "contentId": "[variables('_analyticRulecontentId33')]", "contentKind": "AnalyticsRule", "displayName": "MFA Spamming followed by Successful login", - "contentProductId": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]", - "id": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]", - "version": "[variables('analyticRuleObject33').analyticRuleVersion33]" + "contentProductId": "[variables('_analyticRulecontentProductId33')]", + "id": "[variables('_analyticRulecontentProductId33')]", + "version": "[variables('analyticRuleVersion33')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject34').analyticRuleTemplateSpecName34]", + "name": "[variables('analyticRuleTemplateSpecName34')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -5206,13 +5157,13 @@ "description": "MultipleAdmin_membership_removals_from_NewAdmin_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]", + "contentVersion": "[variables('analyticRuleVersion34')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject34')._analyticRulecontentId34]", + "name": "[variables('analyticRulecontentId34')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -5231,10 +5182,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -5245,6 +5196,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -5254,8 +5206,7 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] } ] } 
@@ -5263,13 +5214,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject34').analyticRuleId34,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId34'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 34", - "parentId": "[variables('analyticRuleObject34').analyticRuleId34]", - "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", + "parentId": "[variables('analyticRuleId34')]", + "contentId": "[variables('_analyticRulecontentId34')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject34').analyticRuleVersion34]", + "version": "[variables('analyticRuleVersion34')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5294,18 +5245,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", + "contentId": "[variables('_analyticRulecontentId34')]", "contentKind": "AnalyticsRule", "displayName": "Multiple admin membership removals from newly created admin.", - "contentProductId": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]", - "id": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]", - "version": "[variables('analyticRuleObject34').analyticRuleVersion34]" + "contentProductId": "[variables('_analyticRulecontentProductId34')]", + "id": "[variables('_analyticRulecontentProductId34')]", + "version": "[variables('analyticRuleVersion34')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject35').analyticRuleTemplateSpecName35]", + "name": "[variables('analyticRuleTemplateSpecName35')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -5314,13 +5265,13 @@ "description": "NewOnmicrosoftDomainAdded_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]", + "contentVersion": "[variables('analyticRuleVersion35')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject35')._analyticRulecontentId35]", + "name": "[variables('analyticRulecontentId35')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -5339,10 +5290,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -5353,6 +5304,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -5366,47 +5318,46 @@ "identifier": "AadUserId", "columnName": "InitiatingSPID" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatingIp" } - ], - "entityType": "IP" + ] }, { + "entityType": "DNS", "fieldMappings": [ { "identifier": "DomainName", "columnName": "DomainAdded" } - ], - "entityType": "DNS" + ] } ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "alertDetailsOverride": { - "alertDescriptionFormat": "This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing accounts. Domain additions are not a common occurrence and users should validate that {{ActionInitiatedBy}} added {{DomainAdded}} with a legitimate purpose.", - "alertDisplayNameFormat": "{{DomainAdded}} added to tenant by {{ActionInitiatedBy}}" + "alertDisplayNameFormat": "{{DomainAdded}} added to tenant by {{ActionInitiatedBy}}", + "alertDescriptionFormat": "This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing accounts. Domain additions are not a common occurrence and users should validate that {{ActionInitiatedBy}} added {{DomainAdded}} with a legitimate purpose." 
} } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject35').analyticRuleId35,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId35'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 35", - "parentId": "[variables('analyticRuleObject35').analyticRuleId35]", - "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", + "parentId": "[variables('analyticRuleId35')]", + "contentId": "[variables('_analyticRulecontentId35')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject35').analyticRuleVersion35]", + "version": "[variables('analyticRuleVersion35')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5431,18 +5382,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", + "contentId": "[variables('_analyticRulecontentId35')]", "contentKind": "AnalyticsRule", "displayName": "New onmicrosoft domain added to tenant", - "contentProductId": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]", - "id": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]", - "version": "[variables('analyticRuleObject35').analyticRuleVersion35]" + "contentProductId": "[variables('_analyticRulecontentProductId35')]", + "id": "[variables('_analyticRulecontentProductId35')]", + "version": "[variables('analyticRuleVersion35')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject36').analyticRuleTemplateSpecName36]", + "name": "[variables('analyticRuleTemplateSpecName36')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -5451,13 +5402,13 @@ "description": "NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]", + "contentVersion": "[variables('analyticRuleVersion36')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject36')._analyticRulecontentId36]", + "name": "[variables('analyticRulecontentId36')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -5476,10 +5427,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -5490,6 +5441,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -5499,17 +5451,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatingIpAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -5517,13 +5468,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject36').analyticRuleId36,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId36'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 36", - "parentId": "[variables('analyticRuleObject36').analyticRuleId36]", - "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", + "parentId": "[variables('analyticRuleId36')]", + "contentId": "[variables('_analyticRulecontentId36')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject36').analyticRuleVersion36]", + "version": "[variables('analyticRuleVersion36')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5548,18 +5499,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", + "contentId": "[variables('_analyticRulecontentId36')]", "contentKind": "AnalyticsRule", "displayName": "New access credential added to Application or Service Principal", - "contentProductId": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]", - "id": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]", - "version": "[variables('analyticRuleObject36').analyticRuleVersion36]" + "contentProductId": "[variables('_analyticRulecontentProductId36')]", + "id": "[variables('_analyticRulecontentProductId36')]", + "version": "[variables('analyticRuleVersion36')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject37').analyticRuleTemplateSpecName37]", + "name": "[variables('analyticRuleTemplateSpecName37')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -5568,13 +5519,13 @@ "description": "NRT_ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]", + "contentVersion": "[variables('analyticRuleVersion37')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject37')._analyticRulecontentId37]", + "name": "[variables('analyticRulecontentId37')]", "apiVersion": "2022-04-01-preview", "kind": "NRT", "location": "[parameters('workspace-location')]", @@ -5589,10 +5540,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -5600,6 +5551,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -5609,17 +5561,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatingIpAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -5627,13 +5578,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject37').analyticRuleId37,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId37'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 37", - "parentId": "[variables('analyticRuleObject37').analyticRuleId37]", - "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", + "parentId": "[variables('analyticRuleId37')]", + "contentId": "[variables('_analyticRulecontentId37')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject37').analyticRuleVersion37]", + "version": "[variables('analyticRuleVersion37')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5658,18 +5609,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", + "contentId": "[variables('_analyticRulecontentId37')]", "contentKind": "AnalyticsRule", "displayName": "NRT Modified domain federation trust settings", - "contentProductId": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]", - "id": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]", - "version": "[variables('analyticRuleObject37').analyticRuleVersion37]" + "contentProductId": "[variables('_analyticRulecontentProductId37')]", + "id": "[variables('_analyticRulecontentProductId37')]", + "version": "[variables('analyticRuleVersion37')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject38').analyticRuleTemplateSpecName38]", + "name": "[variables('analyticRuleTemplateSpecName38')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -5678,13 +5629,13 @@
 "description": "NRT_AuthenticationMethodsChangedforVIPUsers_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]",
+ "contentVersion": "[variables('analyticRuleVersion38')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject38')._analyticRulecontentId38]",
+ "name": "[variables('analyticRulecontentId38')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "NRT",
 "location": "[parameters('workspace-location')]",
@@ -5699,10 +5650,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -5713,6 +5664,7 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -5722,17 +5674,16 @@
 "identifier": "UPNSuffix",
 "columnName": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IP"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
@@ -5740,13 +5691,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject38').analyticRuleId38,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId38'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 38",
- "parentId": "[variables('analyticRuleObject38').analyticRuleId38]",
- "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]",
+ "parentId": "[variables('analyticRuleId38')]",
+ "contentId": "[variables('_analyticRulecontentId38')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject38').analyticRuleVersion38]",
+ "version": "[variables('analyticRuleVersion38')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -5771,18 +5722,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]",
+ "contentId": "[variables('_analyticRulecontentId38')]",
 "contentKind": "AnalyticsRule",
 "displayName": "NRT Authentication Methods Changed for VIP Users",
- "contentProductId": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]",
- "id": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]",
- "version": "[variables('analyticRuleObject38').analyticRuleVersion38]"
+ "contentProductId": "[variables('_analyticRulecontentProductId38')]",
+ "id": "[variables('_analyticRulecontentProductId38')]",
+ "version": "[variables('analyticRuleVersion38')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject39').analyticRuleTemplateSpecName39]",
+ "name": "[variables('analyticRuleTemplateSpecName39')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -5791,13 +5742,13 @@
 "description": "nrt_FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]",
+ "contentVersion": "[variables('analyticRuleVersion39')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject39')._analyticRulecontentId39]",
+ "name": "[variables('analyticRulecontentId39')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "NRT",
 "location": "[parameters('workspace-location')]",
@@ -5812,10 +5763,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -5826,6 +5777,7 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -5835,17 +5787,16 @@
 "identifier": "UPNSuffix",
 "columnName": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "InitiatingIpAddress"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
@@ -5853,13 +5804,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject39').analyticRuleId39,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId39'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 39",
- "parentId": "[variables('analyticRuleObject39').analyticRuleId39]",
- "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]",
+ "parentId": "[variables('analyticRuleId39')]",
+ "contentId": "[variables('_analyticRulecontentId39')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject39').analyticRuleVersion39]",
+ "version": "[variables('analyticRuleVersion39')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -5884,18 +5835,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]",
+ "contentId": "[variables('_analyticRulecontentId39')]",
 "contentKind": "AnalyticsRule",
 "displayName": "NRT First access credential added to Application or Service Principal where no credential was present",
- "contentProductId": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]",
- "id": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]",
- "version": "[variables('analyticRuleObject39').analyticRuleVersion39]"
+ "contentProductId": "[variables('_analyticRulecontentProductId39')]",
+ "id": "[variables('_analyticRulecontentProductId39')]",
+ "version": "[variables('analyticRuleVersion39')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject40').analyticRuleTemplateSpecName40]",
+ "name": "[variables('analyticRuleTemplateSpecName40')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -5904,13 +5855,13 @@
 "description": "NRT_NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]",
+ "contentVersion": "[variables('analyticRuleVersion40')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject40')._analyticRulecontentId40]",
+ "name": "[variables('analyticRulecontentId40')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "NRT",
 "location": "[parameters('workspace-location')]",
@@ -5925,10 +5876,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -5939,6 +5890,7 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -5948,17 +5900,16 @@
 "identifier": "UPNSuffix",
 "columnName": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "InitiatingIpAddress"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
@@ -5966,13 +5917,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject40').analyticRuleId40,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId40'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 40",
- "parentId": "[variables('analyticRuleObject40').analyticRuleId40]",
- "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]",
+ "parentId": "[variables('analyticRuleId40')]",
+ "contentId": "[variables('_analyticRulecontentId40')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject40').analyticRuleVersion40]",
+ "version": "[variables('analyticRuleVersion40')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -5997,18 +5948,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]",
+ "contentId": "[variables('_analyticRulecontentId40')]",
 "contentKind": "AnalyticsRule",
 "displayName": "NRT New access credential added to Application or Service Principal",
- "contentProductId": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]",
- "id": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]",
- "version": "[variables('analyticRuleObject40').analyticRuleVersion40]"
+ "contentProductId": "[variables('_analyticRulecontentProductId40')]",
+ "id": "[variables('_analyticRulecontentProductId40')]",
+ "version": "[variables('analyticRuleVersion40')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject41').analyticRuleTemplateSpecName41]",
+ "name": "[variables('analyticRuleTemplateSpecName41')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -6017,13 +5968,13 @@
 "description": "NRT_PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]",
+ "contentVersion": "[variables('analyticRuleVersion41')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject41')._analyticRulecontentId41]",
+ "name": "[variables('analyticRulecontentId41')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "NRT",
 "location": "[parameters('workspace-location')]",
@@ -6038,10 +5989,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -6052,6 +6003,7 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -6061,10 +6013,10 @@
 "identifier": "UPNSuffix",
 "columnName": "InitiatingUPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -6074,17 +6026,16 @@
 "identifier": "UPNSuffix",
 "columnName": "UserUPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "InitiatingIpAddress"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
@@ -6092,13 +6043,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject41').analyticRuleId41,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId41'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 41",
- "parentId": "[variables('analyticRuleObject41').analyticRuleId41]",
- "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]",
+ "parentId": "[variables('analyticRuleId41')]",
+ "contentId": "[variables('_analyticRulecontentId41')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject41').analyticRuleVersion41]",
+ "version": "[variables('analyticRuleVersion41')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -6123,18 +6074,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]",
+ "contentId": "[variables('_analyticRulecontentId41')]",
 "contentKind": "AnalyticsRule",
 "displayName": "NRT PIM Elevation Request Rejected",
- "contentProductId": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]",
- "id": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]",
- "version": "[variables('analyticRuleObject41').analyticRuleVersion41]"
+ "contentProductId": "[variables('_analyticRulecontentProductId41')]",
+ "id": "[variables('_analyticRulecontentProductId41')]",
+ "version": "[variables('analyticRuleVersion41')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject42').analyticRuleTemplateSpecName42]",
+ "name": "[variables('analyticRuleTemplateSpecName42')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -6143,13 +6094,13 @@
 "description": "NRT_PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]",
+ "contentVersion": "[variables('analyticRuleVersion42')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject42')._analyticRulecontentId42]",
+ "name": "[variables('analyticRulecontentId42')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "NRT",
 "location": "[parameters('workspace-location')]",
@@ -6164,10 +6115,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -6178,6 +6129,7 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -6187,17 +6139,16 @@
 "identifier": "UPNSuffix",
 "columnName": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IpAddress"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
@@ -6205,13 +6156,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject42').analyticRuleId42,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId42'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 42",
- "parentId": "[variables('analyticRuleObject42').analyticRuleId42]",
- "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]",
+ "parentId": "[variables('analyticRuleId42')]",
+ "contentId": "[variables('_analyticRulecontentId42')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject42').analyticRuleVersion42]",
+ "version": "[variables('analyticRuleVersion42')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -6236,18 +6187,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]",
+ "contentId": "[variables('_analyticRulecontentId42')]",
 "contentKind": "AnalyticsRule",
 "displayName": "NRT Privileged Role Assigned Outside PIM",
- "contentProductId": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]",
- "id": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]",
- "version": "[variables('analyticRuleObject42').analyticRuleVersion42]"
+ "contentProductId": "[variables('_analyticRulecontentProductId42')]",
+ "id": "[variables('_analyticRulecontentProductId42')]",
+ "version": "[variables('analyticRuleVersion42')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject43').analyticRuleTemplateSpecName43]",
+ "name": "[variables('analyticRuleTemplateSpecName43')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -6256,13 +6207,13 @@
 "description": "NRT_UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]",
+ "contentVersion": "[variables('analyticRuleVersion43')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject43')._analyticRulecontentId43]",
+ "name": "[variables('analyticRulecontentId43')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "NRT",
 "location": "[parameters('workspace-location')]",
@@ -6277,10 +6228,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -6293,6 +6244,7 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -6302,10 +6254,10 @@
 "identifier": "UPNSuffix",
 "columnName": "AccountUPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -6315,8 +6267,7 @@
 "identifier": "UPNSuffix",
 "columnName": "TargetUPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -6324,13 +6275,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject43').analyticRuleId43,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId43'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 43",
- "parentId": "[variables('analyticRuleObject43').analyticRuleId43]",
- "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]",
+ "parentId": "[variables('analyticRuleId43')]",
+ "contentId": "[variables('_analyticRulecontentId43')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject43').analyticRuleVersion43]",
+ "version": "[variables('analyticRuleVersion43')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -6355,18 +6306,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]",
+ "contentId": "[variables('_analyticRulecontentId43')]",
 "contentKind": "AnalyticsRule",
 "displayName": "NRT User added to Microsoft Entra ID Privileged Groups",
- "contentProductId": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]",
- "id": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]",
- "version": "[variables('analyticRuleObject43').analyticRuleVersion43]"
+ "contentProductId": "[variables('_analyticRulecontentProductId43')]",
+ "id": "[variables('_analyticRulecontentProductId43')]",
+ "version": "[variables('analyticRuleVersion43')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject44').analyticRuleTemplateSpecName44]",
+ "name": "[variables('analyticRuleTemplateSpecName44')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -6375,13 +6326,13 @@
 "description": "PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]",
+ "contentVersion": "[variables('analyticRuleVersion44')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject44')._analyticRulecontentId44]",
+ "name": "[variables('analyticRulecontentId44')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -6400,10 +6351,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -6414,6 +6365,7 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -6423,10 +6375,10 @@
 "identifier": "UPNSuffix",
 "columnName": "InitiatingUPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -6436,17 +6388,16 @@
 "identifier": "UPNSuffix",
 "columnName": "UserUPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "InitiatingIpAddress"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
@@ -6454,13 +6405,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject44').analyticRuleId44,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId44'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 44",
- "parentId": "[variables('analyticRuleObject44').analyticRuleId44]",
- "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]",
+ "parentId": "[variables('analyticRuleId44')]",
+ "contentId": "[variables('_analyticRulecontentId44')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject44').analyticRuleVersion44]",
+ "version": "[variables('analyticRuleVersion44')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -6485,18 +6436,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]",
+ "contentId": "[variables('_analyticRulecontentId44')]",
 "contentKind": "AnalyticsRule",
 "displayName": "PIM Elevation Request Rejected",
- "contentProductId": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]",
- "id": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]",
- "version": "[variables('analyticRuleObject44').analyticRuleVersion44]"
+ "contentProductId": "[variables('_analyticRulecontentProductId44')]",
+ "id": "[variables('_analyticRulecontentProductId44')]",
+ "version": "[variables('analyticRuleVersion44')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject45').analyticRuleTemplateSpecName45]",
+ "name": "[variables('analyticRuleTemplateSpecName45')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -6505,13 +6456,13 @@
 "description": "PrivilegedAccountsSigninFailureSpikes_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]",
+ "contentVersion": "[variables('analyticRuleVersion45')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject45')._analyticRulecontentId45]",
+ "name": "[variables('analyticRulecontentId45')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -6530,22 +6481,22 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 },
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AADNonInteractiveUserSignInLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 },
 {
- "connectorId": "BehaviorAnalytics",
 "dataTypes": [
 "IdentityInfo"
- ]
+ ],
+ "connectorId": "BehaviorAnalytics"
 }
 ],
 "tactics": [
@@ -6556,6 +6507,7 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -6565,17 +6517,16 @@
 "identifier": "UPNSuffix",
 "columnName": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPAddress"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
@@ -6583,13 +6534,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject45').analyticRuleId45,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId45'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 45",
- "parentId": "[variables('analyticRuleObject45').analyticRuleId45]",
- "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]",
+ "parentId": "[variables('analyticRuleId45')]",
+ "contentId": "[variables('_analyticRulecontentId45')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject45').analyticRuleVersion45]",
+ "version": "[variables('analyticRuleVersion45')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -6614,18 +6565,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]",
+ "contentId": "[variables('_analyticRulecontentId45')]",
 "contentKind": "AnalyticsRule",
 "displayName": "Privileged Accounts - Sign in Failure Spikes",
- "contentProductId": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]",
- "id": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]",
- "version": "[variables('analyticRuleObject45').analyticRuleVersion45]"
+ "contentProductId": "[variables('_analyticRulecontentProductId45')]",
+ "id": "[variables('_analyticRulecontentProductId45')]",
+ "version": "[variables('analyticRuleVersion45')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject46').analyticRuleTemplateSpecName46]",
+ "name": "[variables('analyticRuleTemplateSpecName46')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -6634,13 +6585,13 @@
 "description": "PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]",
+ "contentVersion": "[variables('analyticRuleVersion46')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject46')._analyticRulecontentId46]",
+ "name": "[variables('analyticRulecontentId46')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -6659,10 +6610,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -6673,6 +6624,7 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -6682,17 +6634,16 @@
 "identifier": "UPNSuffix",
 "columnName": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IpAddress"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
@@ -6700,13 +6651,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject46').analyticRuleId46,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId46'),'/'))))]",
 "properties": {
 "description": "Microsoft Entra ID Analytics Rule 46",
- "parentId": "[variables('analyticRuleObject46').analyticRuleId46]",
- "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]",
+ "parentId": "[variables('analyticRuleId46')]",
+ "contentId": "[variables('_analyticRulecontentId46')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject46').analyticRuleVersion46]",
+ "version": "[variables('analyticRuleVersion46')]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Entra ID",
@@ -6731,18 +6682,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", + "contentId": "[variables('_analyticRulecontentId46')]", "contentKind": "AnalyticsRule", "displayName": "Privileged Role Assigned Outside PIM", - "contentProductId": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]", - "id": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]", - "version": "[variables('analyticRuleObject46').analyticRuleVersion46]" + "contentProductId": "[variables('_analyticRulecontentProductId46')]", + "id": "[variables('_analyticRulecontentProductId46')]", + "version": "[variables('analyticRuleVersion46')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject47').analyticRuleTemplateSpecName47]", + "name": "[variables('analyticRuleTemplateSpecName47')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -6751,13 +6702,13 @@ "description": "RareApplicationConsent_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]", + "contentVersion": "[variables('analyticRuleVersion47')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject47')._analyticRulecontentId47]", + "name": "[variables('analyticRulecontentId47')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -6776,10 +6727,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -6792,6 +6743,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -6801,26 +6753,25 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "TargetResourceName" } - ], - "entityType": "CloudApplication" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IpAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -6828,13 +6779,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject47').analyticRuleId47,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId47'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 47", - "parentId": "[variables('analyticRuleObject47').analyticRuleId47]", - "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", + "parentId": "[variables('analyticRuleId47')]", + "contentId": "[variables('_analyticRulecontentId47')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject47').analyticRuleVersion47]", + "version": "[variables('analyticRuleVersion47')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6859,18 +6810,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", + "contentId": "[variables('_analyticRulecontentId47')]", "contentKind": "AnalyticsRule", "displayName": "Rare application consent", - "contentProductId": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]", - "id": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]", - "version": "[variables('analyticRuleObject47').analyticRuleVersion47]" + "contentProductId": "[variables('_analyticRulecontentProductId47')]", + "id": "[variables('_analyticRulecontentProductId47')]", + "version": "[variables('analyticRuleVersion47')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject48').analyticRuleTemplateSpecName48]", + "name": "[variables('analyticRuleTemplateSpecName48')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -6879,13 +6830,13 @@ "description": "SeamlessSSOPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject48').analyticRuleVersion48]", + "contentVersion": "[variables('analyticRuleVersion48')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject48')._analyticRulecontentId48]", + "name": "[variables('analyticRulecontentId48')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -6904,10 +6855,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -6918,6 +6869,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -6927,17 +6879,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -6945,13 +6896,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject48').analyticRuleId48,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId48'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 48", - "parentId": "[variables('analyticRuleObject48').analyticRuleId48]", - "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", + "parentId": "[variables('analyticRuleId48')]", + "contentId": "[variables('_analyticRulecontentId48')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject48').analyticRuleVersion48]", + "version": "[variables('analyticRuleVersion48')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6976,18 +6927,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", + "contentId": "[variables('_analyticRulecontentId48')]", "contentKind": "AnalyticsRule", "displayName": "Password spray attack against Microsoft Entra ID Seamless SSO", - "contentProductId": "[variables('analyticRuleObject48')._analyticRulecontentProductId48]", - "id": "[variables('analyticRuleObject48')._analyticRulecontentProductId48]", - "version": "[variables('analyticRuleObject48').analyticRuleVersion48]" + "contentProductId": "[variables('_analyticRulecontentProductId48')]", + "id": "[variables('_analyticRulecontentProductId48')]", + "version": "[variables('analyticRuleVersion48')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject49').analyticRuleTemplateSpecName49]", + "name": "[variables('analyticRuleTemplateSpecName49')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -6996,13 +6947,13 @@ "description": "Sign-in Burst from Multiple Locations_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]", + "contentVersion": "[variables('analyticRuleVersion49')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject49')._analyticRulecontentId49]", + "name": "[variables('analyticRulecontentId49')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7021,16 +6972,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -7041,6 +6992,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -7050,8 +7002,7 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] } ] } 
@@ -7059,13 +7010,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject49').analyticRuleId49,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId49'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 49", - "parentId": "[variables('analyticRuleObject49').analyticRuleId49]", - "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", + "parentId": "[variables('analyticRuleId49')]", + "contentId": "[variables('_analyticRulecontentId49')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject49').analyticRuleVersion49]", + "version": "[variables('analyticRuleVersion49')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7090,18 +7041,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", + "contentId": "[variables('_analyticRulecontentId49')]", "contentKind": "AnalyticsRule", "displayName": "GitHub Signin Burst from Multiple Locations", - "contentProductId": "[variables('analyticRuleObject49')._analyticRulecontentProductId49]", - "id": "[variables('analyticRuleObject49')._analyticRulecontentProductId49]", - "version": "[variables('analyticRuleObject49').analyticRuleVersion49]" + "contentProductId": "[variables('_analyticRulecontentProductId49')]", + "id": "[variables('_analyticRulecontentProductId49')]", + "version": "[variables('analyticRuleVersion49')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject50').analyticRuleTemplateSpecName50]", + "name": "[variables('analyticRuleTemplateSpecName50')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7110,13 +7061,13 @@ "description": "SigninAttemptsByIPviaDisabledAccounts_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject50').analyticRuleVersion50]", + "contentVersion": "[variables('analyticRuleVersion50')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject50')._analyticRulecontentId50]", + "name": "[variables('analyticRulecontentId50')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7135,22 +7086,22 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "BehaviorAnalytics", "dataTypes": [ "BehaviorAnalytics" - ] + ], + "connectorId": "BehaviorAnalytics" } ], "tactics": [ @@ -7163,13 +7114,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -7177,13 +7128,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject50').analyticRuleId50,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId50'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 50", - "parentId": "[variables('analyticRuleObject50').analyticRuleId50]", - "contentId": "[variables('analyticRuleObject50')._analyticRulecontentId50]", + "parentId": "[variables('analyticRuleId50')]", + "contentId": "[variables('_analyticRulecontentId50')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject50').analyticRuleVersion50]", + "version": "[variables('analyticRuleVersion50')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7208,18 +7159,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject50')._analyticRulecontentId50]", + "contentId": "[variables('_analyticRulecontentId50')]", "contentKind": "AnalyticsRule", "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", - "contentProductId": "[variables('analyticRuleObject50')._analyticRulecontentProductId50]", - "id": "[variables('analyticRuleObject50')._analyticRulecontentProductId50]", - "version": "[variables('analyticRuleObject50').analyticRuleVersion50]" + "contentProductId": "[variables('_analyticRulecontentProductId50')]", + "id": "[variables('_analyticRulecontentProductId50')]", + "version": "[variables('analyticRuleVersion50')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject51').analyticRuleTemplateSpecName51]", + "name": "[variables('analyticRuleTemplateSpecName51')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7228,13 +7179,13 @@ "description": "SigninBruteForce-AzurePortal_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject51').analyticRuleVersion51]", + "contentVersion": "[variables('analyticRuleVersion51')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject51')._analyticRulecontentId51]", + "name": "[variables('analyticRulecontentId51')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7253,16 +7204,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -7273,6 +7224,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -7286,17 +7238,16 @@ "identifier": "AadUserId", "columnName": "UserId" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -7304,13 +7255,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject51').analyticRuleId51,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId51'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 51", - "parentId": "[variables('analyticRuleObject51').analyticRuleId51]", - "contentId": "[variables('analyticRuleObject51')._analyticRulecontentId51]", + "parentId": "[variables('analyticRuleId51')]", + "contentId": "[variables('_analyticRulecontentId51')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject51').analyticRuleVersion51]", + "version": "[variables('analyticRuleVersion51')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7335,18 +7286,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject51')._analyticRulecontentId51]", + "contentId": "[variables('_analyticRulecontentId51')]", "contentKind": "AnalyticsRule", "displayName": "Brute force attack against Azure Portal", - "contentProductId": "[variables('analyticRuleObject51')._analyticRulecontentProductId51]", - "id": "[variables('analyticRuleObject51')._analyticRulecontentProductId51]", - "version": "[variables('analyticRuleObject51').analyticRuleVersion51]" + "contentProductId": "[variables('_analyticRulecontentProductId51')]", + "id": "[variables('_analyticRulecontentProductId51')]", + "version": "[variables('analyticRuleVersion51')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject52').analyticRuleTemplateSpecName52]", + "name": "[variables('analyticRuleTemplateSpecName52')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7355,13 +7306,13 @@ "description": "SigninPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject52').analyticRuleVersion52]", + "contentVersion": "[variables('analyticRuleVersion52')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject52')._analyticRulecontentId52]", + "name": "[variables('analyticRulecontentId52')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7380,16 +7331,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -7400,13 +7351,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -7414,13 +7365,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject52').analyticRuleId52,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId52'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 52", - "parentId": "[variables('analyticRuleObject52').analyticRuleId52]", - "contentId": "[variables('analyticRuleObject52')._analyticRulecontentId52]", + "parentId": "[variables('analyticRuleId52')]", + "contentId": "[variables('_analyticRulecontentId52')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject52').analyticRuleVersion52]", + "version": "[variables('analyticRuleVersion52')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7445,18 +7396,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject52')._analyticRulecontentId52]", + "contentId": "[variables('_analyticRulecontentId52')]", "contentKind": "AnalyticsRule", "displayName": "Password spray attack against Microsoft Entra ID application", - "contentProductId": "[variables('analyticRuleObject52')._analyticRulecontentProductId52]", - "id": "[variables('analyticRuleObject52')._analyticRulecontentProductId52]", - "version": "[variables('analyticRuleObject52').analyticRuleVersion52]" + "contentProductId": "[variables('_analyticRulecontentProductId52')]", + "id": "[variables('_analyticRulecontentProductId52')]", + "version": "[variables('analyticRuleVersion52')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject53').analyticRuleTemplateSpecName53]", + "name": "[variables('analyticRuleTemplateSpecName53')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7465,13 +7416,13 @@ "description": "SuccessThenFail_DiffIP_SameUserandApp_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject53').analyticRuleVersion53]", + "contentVersion": "[variables('analyticRuleVersion53')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "name": "[variables('analyticRulecontentId53')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7490,28 +7441,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "BehaviorAnalytics", "dataTypes": [ "BehaviorAnalytics" - ] + ], + "connectorId": "BehaviorAnalytics" }, { - "connectorId": "BehaviorAnalytics", "dataTypes": [ "IdentityInfo" - ] + ], + "connectorId": "BehaviorAnalytics" } ], "tactics": [ @@ -7524,6 +7475,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -7533,26 +7485,25 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "SuccessIPAddress" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "FailedIPAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -7560,13 +7511,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject53').analyticRuleId53,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId53'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 53", - "parentId": "[variables('analyticRuleObject53').analyticRuleId53]", - "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "parentId": "[variables('analyticRuleId53')]", + "contentId": "[variables('_analyticRulecontentId53')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject53').analyticRuleVersion53]", + "version": "[variables('analyticRuleVersion53')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7591,18 +7542,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "contentId": "[variables('_analyticRulecontentId53')]", "contentKind": "AnalyticsRule", "displayName": "Successful logon from IP and failure from a different IP", - "contentProductId": "[variables('analyticRuleObject53')._analyticRulecontentProductId53]", - "id": "[variables('analyticRuleObject53')._analyticRulecontentProductId53]", - "version": "[variables('analyticRuleObject53').analyticRuleVersion53]" + "contentProductId": "[variables('_analyticRulecontentProductId53')]", + "id": "[variables('_analyticRulecontentProductId53')]", + "version": "[variables('analyticRuleVersion53')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject54').analyticRuleTemplateSpecName54]", + "name": "[variables('analyticRuleTemplateSpecName54')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7611,13 +7562,13 @@ "description": "SuspiciousAADJoinedDeviceUpdate_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject54').analyticRuleVersion54]", + "contentVersion": "[variables('analyticRuleVersion54')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject54')._analyticRulecontentId54]", + "name": "[variables('analyticRulecontentId54')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7636,10 +7587,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ 
@@ -7650,58 +7601,58 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "NewDeviceName" } - ], - "entityType": "Host" + ] }, { + "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "OldDeviceName" } - ], - "entityType": "Host" + ] }, { + "entityType": "Host", "fieldMappings": [ { "identifier": "AzureID", "columnName": "DeviceId" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "AadUserId", "columnName": "InitiatedByUser" } - ], - "entityType": "Account" + ] } ], "alertDetailsOverride": { - "alertDescriptionFormat": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new device.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n", - "alertDisplayNameFormat": "Suspicious AAD Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed" + "alertDisplayNameFormat": "Suspicious AAD Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed", + "alertDescriptionFormat": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new device.\nRef: 
https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject54').analyticRuleId54,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId54'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 54", - "parentId": "[variables('analyticRuleObject54').analyticRuleId54]", - "contentId": "[variables('analyticRuleObject54')._analyticRulecontentId54]", + "parentId": "[variables('analyticRuleId54')]", + "contentId": "[variables('_analyticRulecontentId54')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject54').analyticRuleVersion54]", + "version": "[variables('analyticRuleVersion54')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7726,18 +7677,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject54')._analyticRulecontentId54]", + "contentId": "[variables('_analyticRulecontentId54')]", "contentKind": "AnalyticsRule", "displayName": "Suspicious Entra ID Joined Device Update", - "contentProductId": "[variables('analyticRuleObject54')._analyticRulecontentProductId54]", - "id": "[variables('analyticRuleObject54')._analyticRulecontentProductId54]", - "version": "[variables('analyticRuleObject54').analyticRuleVersion54]" + "contentProductId": "[variables('_analyticRulecontentProductId54')]", + "id": "[variables('_analyticRulecontentProductId54')]", + "version": "[variables('analyticRuleVersion54')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject55').analyticRuleTemplateSpecName55]", + "name": "[variables('analyticRuleTemplateSpecName55')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7746,13 +7697,13 @@ "description": "SuspiciousOAuthApp_OfflineAccess_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject55').analyticRuleVersion55]", + "contentVersion": "[variables('analyticRuleVersion55')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject55')._analyticRulecontentId55]", + "name": "[variables('analyticRulecontentId55')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7771,10 +7722,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -7785,6 +7736,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -7794,17 +7746,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "GrantIpAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -7812,13 +7763,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject55').analyticRuleId55,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId55'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 55", - "parentId": "[variables('analyticRuleObject55').analyticRuleId55]", - "contentId": "[variables('analyticRuleObject55')._analyticRulecontentId55]", + "parentId": "[variables('analyticRuleId55')]", + "contentId": "[variables('_analyticRulecontentId55')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject55').analyticRuleVersion55]", + "version": "[variables('analyticRuleVersion55')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7843,18 +7794,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject55')._analyticRulecontentId55]", + "contentId": "[variables('_analyticRulecontentId55')]", "contentKind": "AnalyticsRule", "displayName": "Suspicious application consent for offline access", - "contentProductId": "[variables('analyticRuleObject55')._analyticRulecontentProductId55]", - "id": "[variables('analyticRuleObject55')._analyticRulecontentProductId55]", - "version": "[variables('analyticRuleObject55').analyticRuleVersion55]" + "contentProductId": "[variables('_analyticRulecontentProductId55')]", + "id": "[variables('_analyticRulecontentProductId55')]", + "version": "[variables('analyticRuleVersion55')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject56').analyticRuleTemplateSpecName56]", + "name": "[variables('analyticRuleTemplateSpecName56')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7863,13 +7814,13 @@ "description": "SuspiciousServicePrincipalcreationactivity_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject56').analyticRuleVersion56]", + "contentVersion": "[variables('analyticRuleVersion56')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject56')._analyticRulecontentId56]", + "name": "[variables('analyticRulecontentId56')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7888,11 +7839,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs", "AADServicePrincipalSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -7906,40 +7857,40 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "userPrincipalName_creator" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "userPrincipalName_deleter" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ipAddress_creator" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ipAddress_deleter" } - ], - "entityType": "IP" + ] } ] } 
@@ -7947,13 +7898,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject56').analyticRuleId56,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId56'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 56", - "parentId": "[variables('analyticRuleObject56').analyticRuleId56]", - "contentId": "[variables('analyticRuleObject56')._analyticRulecontentId56]", + "parentId": "[variables('analyticRuleId56')]", + "contentId": "[variables('_analyticRulecontentId56')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject56').analyticRuleVersion56]", + "version": "[variables('analyticRuleVersion56')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7978,18 +7929,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject56')._analyticRulecontentId56]", + "contentId": "[variables('_analyticRulecontentId56')]", "contentKind": "AnalyticsRule", "displayName": "Suspicious Service Principal creation activity", - "contentProductId": "[variables('analyticRuleObject56')._analyticRulecontentProductId56]", - "id": "[variables('analyticRuleObject56')._analyticRulecontentProductId56]", - "version": "[variables('analyticRuleObject56').analyticRuleVersion56]" + "contentProductId": "[variables('_analyticRulecontentProductId56')]", + "id": "[variables('_analyticRulecontentProductId56')]", + "version": "[variables('analyticRuleVersion56')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject57').analyticRuleTemplateSpecName57]", + "name": "[variables('analyticRuleTemplateSpecName57')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7998,13 +7949,13 @@ "description": "SuspiciousSignInFollowedByMFAModification_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject57').analyticRuleVersion57]", + "contentVersion": "[variables('analyticRuleVersion57')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject57')._analyticRulecontentId57]", + "name": "[variables('analyticRulecontentId57')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -8023,16 +7974,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "BehaviorAnalytics", "dataTypes": [ "BehaviorAnalytics" - ] + ], + "connectorId": "BehaviorAnalytics" } ], "tactics": [ @@ -8045,6 +7996,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "AadUserId", @@ -8058,10 +8010,10 @@ "identifier": "UPNSuffix", "columnName": "InitiatorSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "AadUserId", 
@@ -8075,47 +8027,46 @@ "identifier": "UPNSuffix", "columnName": "TargetSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "FromIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "SourceIPAddress" } - ], - "entityType": "IP" + ] } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "alertDetailsOverride": { - "alertDescriptionFormat": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.\nIn this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.\nThe sign in was from {{SourceIPAddress}}.\n", - "alertDisplayNameFormat": "Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}" + "alertDisplayNameFormat": "Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}", + "alertDescriptionFormat": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.\nIn this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.\nThe sign in was from {{SourceIPAddress}}.\n" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject57').analyticRuleId57,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId57'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 57", - "parentId": "[variables('analyticRuleObject57').analyticRuleId57]", - "contentId": 
"[variables('analyticRuleObject57')._analyticRulecontentId57]", + "parentId": "[variables('analyticRuleId57')]", + "contentId": "[variables('_analyticRulecontentId57')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject57').analyticRuleVersion57]", + "version": "[variables('analyticRuleVersion57')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", @@ -8140,18 +8091,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject57')._analyticRulecontentId57]", + "contentId": "[variables('_analyticRulecontentId57')]", "contentKind": "AnalyticsRule", "displayName": "Suspicious Sign In Followed by MFA Modification", - "contentProductId": "[variables('analyticRuleObject57')._analyticRulecontentProductId57]", - "id": "[variables('analyticRuleObject57')._analyticRulecontentProductId57]", - "version": "[variables('analyticRuleObject57').analyticRuleVersion57]" + "contentProductId": "[variables('_analyticRulecontentProductId57')]", + "id": "[variables('_analyticRulecontentProductId57')]", + "version": "[variables('analyticRuleVersion57')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject58').analyticRuleTemplateSpecName58]", + "name": "[variables('analyticRuleTemplateSpecName58')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -8160,13 +8111,13 @@ "description": "UnusualGuestActivity_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject58').analyticRuleVersion58]", + "contentVersion": "[variables('analyticRuleVersion58')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject58')._analyticRulecontentId58]", + "name": "[variables('analyticRulecontentId58')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -8185,16 +8136,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -8209,6 +8160,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8218,10 +8170,10 @@ "identifier": "UPNSuffix", "columnName": "InvitedUserUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8231,17 +8183,16 @@ "identifier": "UPNSuffix", "columnName": "InitiatedByUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -8249,13 +8200,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject58').analyticRuleId58,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId58'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 58", - "parentId": "[variables('analyticRuleObject58').analyticRuleId58]", - "contentId": "[variables('analyticRuleObject58')._analyticRulecontentId58]", + "parentId": "[variables('analyticRuleId58')]", + "contentId": "[variables('_analyticRulecontentId58')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject58').analyticRuleVersion58]", + "version": "[variables('analyticRuleVersion58')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8280,18 +8231,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject58')._analyticRulecontentId58]", + "contentId": "[variables('_analyticRulecontentId58')]", "contentKind": "AnalyticsRule", "displayName": "External guest invitation followed by Microsoft Entra ID PowerShell signin", - "contentProductId": "[variables('analyticRuleObject58')._analyticRulecontentProductId58]", - "id": "[variables('analyticRuleObject58')._analyticRulecontentProductId58]", - "version": "[variables('analyticRuleObject58').analyticRuleVersion58]" + "contentProductId": "[variables('_analyticRulecontentProductId58')]", + "id": "[variables('_analyticRulecontentProductId58')]", + "version": "[variables('analyticRuleVersion58')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject59').analyticRuleTemplateSpecName59]", + "name": "[variables('analyticRuleTemplateSpecName59')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -8300,13 +8251,13 @@ "description": "UserAccounts-CABlockedSigninSpikes_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject59').analyticRuleVersion59]", + "contentVersion": "[variables('analyticRuleVersion59')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject59')._analyticRulecontentId59]", + "name": "[variables('analyticRulecontentId59')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -8325,28 +8276,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "BehaviorAnalytics", "dataTypes": [ "BehaviorAnalytics" - ] + ], + "connectorId": "BehaviorAnalytics" }, { - "connectorId": "BehaviorAnalytics", "dataTypes": [ "IdentityInfo" - ] + ], + "connectorId": "BehaviorAnalytics" } ], "tactics": [ @@ -8357,6 +8308,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8366,17 +8318,16 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } 
@@ -8384,13 +8335,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject59').analyticRuleId59,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId59'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 59", - "parentId": "[variables('analyticRuleObject59').analyticRuleId59]", - "contentId": "[variables('analyticRuleObject59')._analyticRulecontentId59]", + "parentId": "[variables('analyticRuleId59')]", + "contentId": "[variables('_analyticRulecontentId59')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject59').analyticRuleVersion59]", + "version": "[variables('analyticRuleVersion59')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8415,18 +8366,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject59')._analyticRulecontentId59]", + "contentId": "[variables('_analyticRulecontentId59')]", "contentKind": "AnalyticsRule", "displayName": "User Accounts - Sign in Failure due to CA Spikes", - "contentProductId": "[variables('analyticRuleObject59')._analyticRulecontentProductId59]", - "id": "[variables('analyticRuleObject59')._analyticRulecontentProductId59]", - "version": "[variables('analyticRuleObject59').analyticRuleVersion59]" + "contentProductId": "[variables('_analyticRulecontentProductId59')]", + "id": "[variables('_analyticRulecontentProductId59')]", + "version": "[variables('analyticRuleVersion59')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject60').analyticRuleTemplateSpecName60]", + "name": "[variables('analyticRuleTemplateSpecName60')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -8435,13 +8386,13 @@ "description": "UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject60').analyticRuleVersion60]", + "contentVersion": "[variables('analyticRuleVersion60')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject60')._analyticRulecontentId60]", + "name": "[variables('analyticRulecontentId60')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -8460,10 +8411,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -8476,6 +8427,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8485,10 +8437,10 @@ "identifier": "UPNSuffix", "columnName": "AccountUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8498,8 +8450,7 @@ "identifier": "UPNSuffix", "columnName": "TargetUPNSuffix" } - ], - "entityType": "Account" + ] } ] } 
@@ -8507,13 +8458,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject60').analyticRuleId60,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId60'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 60", - "parentId": "[variables('analyticRuleObject60').analyticRuleId60]", - "contentId": "[variables('analyticRuleObject60')._analyticRulecontentId60]", + "parentId": "[variables('analyticRuleId60')]", + "contentId": "[variables('_analyticRulecontentId60')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject60').analyticRuleVersion60]", + "version": "[variables('analyticRuleVersion60')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8538,18 +8489,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject60')._analyticRulecontentId60]", + "contentId": "[variables('_analyticRulecontentId60')]", "contentKind": "AnalyticsRule", "displayName": "User added to Microsoft Entra ID Privileged Groups", - "contentProductId": "[variables('analyticRuleObject60')._analyticRulecontentProductId60]", - "id": "[variables('analyticRuleObject60')._analyticRulecontentProductId60]", - "version": "[variables('analyticRuleObject60').analyticRuleVersion60]" + "contentProductId": "[variables('_analyticRulecontentProductId60')]", + "id": "[variables('_analyticRulecontentProductId60')]", + "version": "[variables('analyticRuleVersion60')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject61').analyticRuleTemplateSpecName61]", + "name": "[variables('analyticRuleTemplateSpecName61')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -8558,13 +8509,13 @@ "description": "UserAssignedNewPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject61').analyticRuleVersion61]", + "contentVersion": "[variables('analyticRuleVersion61')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject61')._analyticRulecontentId61]", + "name": "[variables('analyticRulecontentId61')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -8583,10 +8534,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -8597,6 +8548,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8606,10 +8558,10 @@ "identifier": "UPNSuffix", "columnName": "TargetUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8619,8 +8571,7 @@ "identifier": "UPNSuffix", "columnName": "InitiatorUPNSuffix" } - ], - "entityType": "Account" + ] } ] } 
@@ -8628,13 +8579,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject61').analyticRuleId61,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId61'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 61", - "parentId": "[variables('analyticRuleObject61').analyticRuleId61]", - "contentId": "[variables('analyticRuleObject61')._analyticRulecontentId61]", + "parentId": "[variables('analyticRuleId61')]", + "contentId": "[variables('_analyticRulecontentId61')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject61').analyticRuleVersion61]", + "version": "[variables('analyticRuleVersion61')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8659,18 +8610,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject61')._analyticRulecontentId61]", + "contentId": "[variables('_analyticRulecontentId61')]", "contentKind": "AnalyticsRule", "displayName": "User Assigned New Privileged Role", - "contentProductId": "[variables('analyticRuleObject61')._analyticRulecontentProductId61]", - "id": "[variables('analyticRuleObject61')._analyticRulecontentProductId61]", - "version": "[variables('analyticRuleObject61').analyticRuleVersion61]" + "contentProductId": "[variables('_analyticRulecontentProductId61')]", + "id": "[variables('_analyticRulecontentProductId61')]", + "version": "[variables('analyticRuleVersion61')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject62').analyticRuleTemplateSpecName62]", + "name": "[variables('analyticRuleTemplateSpecName62')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -8679,13 +8630,13 @@ "description": "UserAssignedPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject62').analyticRuleVersion62]", + "contentVersion": "[variables('analyticRuleVersion62')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject62')._analyticRulecontentId62]", + "name": "[variables('analyticRulecontentId62')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -8704,10 +8655,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -8718,6 +8669,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8727,10 +8679,10 @@ "identifier": "UPNSuffix", "columnName": "TargetUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8740,8 +8692,7 @@ "identifier": "UPNSuffix", "columnName": "InitiatorUPNSuffix" } - ], - "entityType": "Account" + ] } ] } 
@@ -8749,13 +8700,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject62').analyticRuleId62,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId62'),'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 62", - "parentId": "[variables('analyticRuleObject62').analyticRuleId62]", - "contentId": "[variables('analyticRuleObject62')._analyticRulecontentId62]", + "parentId": "[variables('analyticRuleId62')]", + "contentId": "[variables('_analyticRulecontentId62')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject62').analyticRuleVersion62]", + "version": "[variables('analyticRuleVersion62')]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", @@ -8780,12 +8731,12 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject62')._analyticRulecontentId62]", + "contentId": "[variables('_analyticRulecontentId62')]", "contentKind": "AnalyticsRule", "displayName": "New User Assigned to Privileged Role", - "contentProductId": "[variables('analyticRuleObject62')._analyticRulecontentProductId62]", - "id": "[variables('analyticRuleObject62')._analyticRulecontentProductId62]", - "version": "[variables('analyticRuleObject62').analyticRuleVersion62]" + "contentProductId": "[variables('_analyticRulecontentProductId62')]", + "id": "[variables('_analyticRulecontentProductId62')]", + "version": "[variables('analyticRuleVersion62')]" } }, { @@ -9334,6 +9285,7 @@ }, "triggers": { "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", "inputs": { "body": { "callback_url": "@{listCallbackUrl()}" 
@@ -9344,8 +9296,7 @@ } }, "path": "/incident-creation" - }, - "type": "ApiConnectionWebhook" + } } }, "actions": { @@ -12709,17 +12660,17 @@ } }, "triggers": { - "Microsoft_Sentinel_incident": { + "Microsoft_Sentinel_alert": { "inputs": { "body": { "callback_url": "@{listCallbackUrl()}" }, "host": { "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, - "path": "/incident-creation" + "path": "/subscribe" }, "type": "ApiConnectionWebhook" } 
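Review bot: In the `@@ -12709,17 +12660,17 @@` hunk the trigger now resolves its connection through `@parameters('$connections')['azuresentinel']['connectionId']`, but the `$connections` parameter value and the `Microsoft.Web/connections` resource this playbook depends on are outside the hunk, and if they still use the `microsoftsentinel` key the trigger will point at a connection that does not exist at run time. Renaming `Microsoft_Sentinel_incident` to `Microsoft_Sentinel_alert` with the path `/subscribe` also changes what the playbook fires on, from incidents to individual alerts, which presumably affects any automation rule that attaches it on the incident trigger; if intended, that should be stated in the playbook's documentation or release notes. Because this file appears to be produced by the packaging script, the change should be confirmed in the playbook's source template rather than only in this generated output.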
@@ -13080,313 +13031,313 @@ }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + "contentId": "[variables('analyticRulecontentId1')]", + "version": "[variables('analyticRuleVersion1')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + "contentId": "[variables('analyticRulecontentId2')]", + "version": "[variables('analyticRuleVersion2')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + "contentId": "[variables('analyticRulecontentId3')]", + "version": "[variables('analyticRuleVersion3')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + "contentId": "[variables('analyticRulecontentId4')]", + "version": "[variables('analyticRuleVersion4')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" + "contentId": "[variables('analyticRulecontentId5')]", + "version": "[variables('analyticRuleVersion5')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" + "contentId": "[variables('analyticRulecontentId6')]", + "version": "[variables('analyticRuleVersion6')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" + "contentId": "[variables('analyticRulecontentId7')]", + "version": 
"[variables('analyticRuleVersion7')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" + "contentId": "[variables('analyticRulecontentId8')]", + "version": "[variables('analyticRuleVersion8')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", - "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" + "contentId": "[variables('analyticRulecontentId9')]", + "version": "[variables('analyticRuleVersion9')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", - "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" + "contentId": "[variables('analyticRulecontentId10')]", + "version": "[variables('analyticRuleVersion10')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", - "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" + "contentId": "[variables('analyticRulecontentId11')]", + "version": "[variables('analyticRuleVersion11')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", - "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" + "contentId": "[variables('analyticRulecontentId12')]", + "version": "[variables('analyticRuleVersion12')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", - "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" + "contentId": "[variables('analyticRulecontentId13')]", + "version": "[variables('analyticRuleVersion13')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", - "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" + "contentId": 
"[variables('analyticRulecontentId14')]", + "version": "[variables('analyticRuleVersion14')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", - "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" + "contentId": "[variables('analyticRulecontentId15')]", + "version": "[variables('analyticRuleVersion15')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", - "version": "[variables('analyticRuleObject16').analyticRuleVersion16]" + "contentId": "[variables('analyticRulecontentId16')]", + "version": "[variables('analyticRuleVersion16')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", - "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" + "contentId": "[variables('analyticRulecontentId17')]", + "version": "[variables('analyticRuleVersion17')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", - "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" + "contentId": "[variables('analyticRulecontentId18')]", + "version": "[variables('analyticRuleVersion18')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", - "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" + "contentId": "[variables('analyticRulecontentId19')]", + "version": "[variables('analyticRuleVersion19')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", - "version": "[variables('analyticRuleObject20').analyticRuleVersion20]" + "contentId": "[variables('analyticRulecontentId20')]", + "version": "[variables('analyticRuleVersion20')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", - "version": 
"[variables('analyticRuleObject21').analyticRuleVersion21]" + "contentId": "[variables('analyticRulecontentId21')]", + "version": "[variables('analyticRuleVersion21')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", - "version": "[variables('analyticRuleObject22').analyticRuleVersion22]" + "contentId": "[variables('analyticRulecontentId22')]", + "version": "[variables('analyticRuleVersion22')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", - "version": "[variables('analyticRuleObject23').analyticRuleVersion23]" + "contentId": "[variables('analyticRulecontentId23')]", + "version": "[variables('analyticRuleVersion23')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", - "version": "[variables('analyticRuleObject24').analyticRuleVersion24]" + "contentId": "[variables('analyticRulecontentId24')]", + "version": "[variables('analyticRuleVersion24')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", - "version": "[variables('analyticRuleObject25').analyticRuleVersion25]" + "contentId": "[variables('analyticRulecontentId25')]", + "version": "[variables('analyticRuleVersion25')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", - "version": "[variables('analyticRuleObject26').analyticRuleVersion26]" + "contentId": "[variables('analyticRulecontentId26')]", + "version": "[variables('analyticRuleVersion26')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", - "version": "[variables('analyticRuleObject27').analyticRuleVersion27]" + "contentId": "[variables('analyticRulecontentId27')]", + "version": "[variables('analyticRuleVersion27')]" }, { "kind": "AnalyticsRule", - "contentId": 
"[variables('analyticRuleObject28')._analyticRulecontentId28]", - "version": "[variables('analyticRuleObject28').analyticRuleVersion28]" + "contentId": "[variables('analyticRulecontentId28')]", + "version": "[variables('analyticRuleVersion28')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", - "version": "[variables('analyticRuleObject29').analyticRuleVersion29]" + "contentId": "[variables('analyticRulecontentId29')]", + "version": "[variables('analyticRuleVersion29')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", - "version": "[variables('analyticRuleObject30').analyticRuleVersion30]" + "contentId": "[variables('analyticRulecontentId30')]", + "version": "[variables('analyticRuleVersion30')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", - "version": "[variables('analyticRuleObject31').analyticRuleVersion31]" + "contentId": "[variables('analyticRulecontentId31')]", + "version": "[variables('analyticRuleVersion31')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", - "version": "[variables('analyticRuleObject32').analyticRuleVersion32]" + "contentId": "[variables('analyticRulecontentId32')]", + "version": "[variables('analyticRuleVersion32')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", - "version": "[variables('analyticRuleObject33').analyticRuleVersion33]" + "contentId": "[variables('analyticRulecontentId33')]", + "version": "[variables('analyticRuleVersion33')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", - "version": "[variables('analyticRuleObject34').analyticRuleVersion34]" + "contentId": "[variables('analyticRulecontentId34')]", + "version": "[variables('analyticRuleVersion34')]" }, { 
"kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", - "version": "[variables('analyticRuleObject35').analyticRuleVersion35]" + "contentId": "[variables('analyticRulecontentId35')]", + "version": "[variables('analyticRuleVersion35')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", - "version": "[variables('analyticRuleObject36').analyticRuleVersion36]" + "contentId": "[variables('analyticRulecontentId36')]", + "version": "[variables('analyticRuleVersion36')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", - "version": "[variables('analyticRuleObject37').analyticRuleVersion37]" + "contentId": "[variables('analyticRulecontentId37')]", + "version": "[variables('analyticRuleVersion37')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", - "version": "[variables('analyticRuleObject38').analyticRuleVersion38]" + "contentId": "[variables('analyticRulecontentId38')]", + "version": "[variables('analyticRuleVersion38')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]", - "version": "[variables('analyticRuleObject39').analyticRuleVersion39]" + "contentId": "[variables('analyticRulecontentId39')]", + "version": "[variables('analyticRuleVersion39')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", - "version": "[variables('analyticRuleObject40').analyticRuleVersion40]" + "contentId": "[variables('analyticRulecontentId40')]", + "version": "[variables('analyticRuleVersion40')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", - "version": "[variables('analyticRuleObject41').analyticRuleVersion41]" + "contentId": "[variables('analyticRulecontentId41')]", + "version": 
"[variables('analyticRuleVersion41')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", - "version": "[variables('analyticRuleObject42').analyticRuleVersion42]" + "contentId": "[variables('analyticRulecontentId42')]", + "version": "[variables('analyticRuleVersion42')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", - "version": "[variables('analyticRuleObject43').analyticRuleVersion43]" + "contentId": "[variables('analyticRulecontentId43')]", + "version": "[variables('analyticRuleVersion43')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", - "version": "[variables('analyticRuleObject44').analyticRuleVersion44]" + "contentId": "[variables('analyticRulecontentId44')]", + "version": "[variables('analyticRuleVersion44')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", - "version": "[variables('analyticRuleObject45').analyticRuleVersion45]" + "contentId": "[variables('analyticRulecontentId45')]", + "version": "[variables('analyticRuleVersion45')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", - "version": "[variables('analyticRuleObject46').analyticRuleVersion46]" + "contentId": "[variables('analyticRulecontentId46')]", + "version": "[variables('analyticRuleVersion46')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", - "version": "[variables('analyticRuleObject47').analyticRuleVersion47]" + "contentId": "[variables('analyticRulecontentId47')]", + "version": "[variables('analyticRuleVersion47')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", - "version": "[variables('analyticRuleObject48').analyticRuleVersion48]" + "contentId": 
"[variables('analyticRulecontentId48')]", + "version": "[variables('analyticRuleVersion48')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", - "version": "[variables('analyticRuleObject49').analyticRuleVersion49]" + "contentId": "[variables('analyticRulecontentId49')]", + "version": "[variables('analyticRuleVersion49')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject50')._analyticRulecontentId50]", - "version": "[variables('analyticRuleObject50').analyticRuleVersion50]" + "contentId": "[variables('analyticRulecontentId50')]", + "version": "[variables('analyticRuleVersion50')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject51')._analyticRulecontentId51]", - "version": "[variables('analyticRuleObject51').analyticRuleVersion51]" + "contentId": "[variables('analyticRulecontentId51')]", + "version": "[variables('analyticRuleVersion51')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject52')._analyticRulecontentId52]", - "version": "[variables('analyticRuleObject52').analyticRuleVersion52]" + "contentId": "[variables('analyticRulecontentId52')]", + "version": "[variables('analyticRuleVersion52')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", - "version": "[variables('analyticRuleObject53').analyticRuleVersion53]" + "contentId": "[variables('analyticRulecontentId53')]", + "version": "[variables('analyticRuleVersion53')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject54')._analyticRulecontentId54]", - "version": "[variables('analyticRuleObject54').analyticRuleVersion54]" + "contentId": "[variables('analyticRulecontentId54')]", + "version": "[variables('analyticRuleVersion54')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject55')._analyticRulecontentId55]", - "version": 
"[variables('analyticRuleObject55').analyticRuleVersion55]" + "contentId": "[variables('analyticRulecontentId55')]", + "version": "[variables('analyticRuleVersion55')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject56')._analyticRulecontentId56]", - "version": "[variables('analyticRuleObject56').analyticRuleVersion56]" + "contentId": "[variables('analyticRulecontentId56')]", + "version": "[variables('analyticRuleVersion56')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject57')._analyticRulecontentId57]", - "version": "[variables('analyticRuleObject57').analyticRuleVersion57]" + "contentId": "[variables('analyticRulecontentId57')]", + "version": "[variables('analyticRuleVersion57')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject58')._analyticRulecontentId58]", - "version": "[variables('analyticRuleObject58').analyticRuleVersion58]" + "contentId": "[variables('analyticRulecontentId58')]", + "version": "[variables('analyticRuleVersion58')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject59')._analyticRulecontentId59]", - "version": "[variables('analyticRuleObject59').analyticRuleVersion59]" + "contentId": "[variables('analyticRulecontentId59')]", + "version": "[variables('analyticRuleVersion59')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject60')._analyticRulecontentId60]", - "version": "[variables('analyticRuleObject60').analyticRuleVersion60]" + "contentId": "[variables('analyticRulecontentId60')]", + "version": "[variables('analyticRuleVersion60')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject61')._analyticRulecontentId61]", - "version": "[variables('analyticRuleObject61').analyticRuleVersion61]" + "contentId": "[variables('analyticRulecontentId61')]", + "version": "[variables('analyticRuleVersion61')]" }, { "kind": "AnalyticsRule", - "contentId": 
"[variables('analyticRuleObject62')._analyticRulecontentId62]", - "version": "[variables('analyticRuleObject62').analyticRuleVersion62]" + "contentId": "[variables('analyticRulecontentId62')]", + "version": "[variables('analyticRuleVersion62')]" }, { "kind": "Playbook", diff --git a/Solutions/Microsoft Entra ID/ReleaseNotes.md b/Solutions/Microsoft Entra ID/ReleaseNotes.md index ffadbf1fa53..99ad6aaef6a 100644 --- a/Solutions/Microsoft Entra ID/ReleaseNotes.md +++ b/Solutions/Microsoft Entra ID/ReleaseNotes.md 
@@ -1,12 +1,13 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 3.0.8 | 21-11-2023 | 1 **Analytic Rules** Fixed issue that was causing multiple triggers for the same event |
-| 3.0.7 | 06-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID |
-| 3.0.6 | 30-10-2023 | 1 **Data Connector** added back in the solution |
-| 3.0.5 | 19-10-2023 | 1 **Analytic Rules** updated in the solution (PIMElevationRequestRejected) |
+| 3.0.9 | 28-11-2023 | 2 **Analytic Rules** Modified by Adding Entity Mapping to (GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml) and Changed timerange of (SigninPasswordSpray.yaml) from 3d to 1d. |
+| 3.0.8 | 21-11-2023 | 1 **Analytic Rules** Fixed issue that was causing multiple triggers for the same event. |
+| 3.0.7 | 06-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID. |
+| 3.0.6 | 30-10-2023 | 1 **Data Connector** added back in the solution. |
+| 3.0.5 | 19-10-2023 | 1 **Analytic Rules** updated in the solution (PIMElevationRequestRejected). |
 | 3.0.4 | 16-10-2023 | 1 **Analytic Rules** got added in the solution (SuspiciousSignInFollowedByMFAModification), modified workbook query to fix duplicate locations for the query. 
|
-| 3.0.3 | 22-09-2023 | 2 **Analytic Rules** updated in the solution (PIM Elevation Request Rejected),(NRT Authentication Methods Changed for VIP Users) |
-| 3.0.2 | 08-08-2023 | 1 **Analytic Rules** updated in the solution (Credential added after admin consented to Application) |
-| 3.0.1 | 01-08-2023 | Added new **Analytic Rule** (New onmicrosoft domain added to tenant) |
-| 3.0.0 | 19-07-2023 | 2 **Analytic Rules** updated in the solution (User Assigned Privileged Role,Successful logon from IP and failure from a different IP) |
+| 3.0.3 | 22-09-2023 | 2 **Analytic Rules** updated in the solution (PIM Elevation Request Rejected),(NRT Authentication Methods Changed for VIP Users). |
+| 3.0.2 | 08-08-2023 | 1 **Analytic Rules** updated in the solution (Credential added after admin consented to Application). |
+| 3.0.1 | 01-08-2023 | Added new **Analytic Rule** (New onmicrosoft domain added to tenant). |
+| 3.0.0 | 19-07-2023 | 2 **Analytic Rules** updated in the solution (User Assigned Privileged Role,Successful logon from IP and failure from a different IP). |
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md b/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md
index fb8635c963e..4c744e467c7 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md
@@ -1,5 +1,5 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
-| 3.1.0 | 11-01-2023 | Adding Watchlist to track activities on VIPs' Mailboxes. Change ExchangeAuditLog parser to work without watchlist and searching all type of VIP information |
-| 3.0.1 | 09-13-2023 | readme file for parsers and typo correction |
-| 3.0.0 | 08-23-2023 | **ExchangeEnvironmentList** parser name corrected in Workbooks. |
+| 3.1.0 | 01-11-2023 | Added **Watchlist** to track activities on VIPs' Mailboxes. Change ExchangeAuditLog parser to work without watchlist and searching all type of VIP information |
+| 3.0.1 | 13-09-2023 | Readme file for **Parsers** and typo correction |
+| 3.0.0 | 23-08-2023 | ExchangeEnvironmentList parser name corrected in **Workbooks**. |
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md b/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md
index dc9d76c2c97..4386eec2cdc 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md
@@ -1,5 +1,5 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
-| 3.0.2 | 11-01-2023 | Adding a Parser to verify if user is Microsoft Exchange Security VIP (Watchlist) |
-| 3.0.1 | 09-13-2023 | readme file for parsers and typo correction |
-| 3.0.0 | 08-23-2023 |**ExchangeEnvironmentList** parser name corrected in Workbooks. |
+| 3.0.2 | 01-11-2023 | Added a **Parser** to verify if user is Microsoft Exchange Security VIP (Watchlist) |
+| 3.0.1 | 13-09-2023 | Readme file for parsers added and typo correction |
+| 3.0.0 | 23-08-2023 | ExchangeEnvironmentList parser name corrected in **Workbooks**. |
diff --git a/Solutions/Microsoft Windows SQL Server Database Audit/ReleaseNotes.md b/Solutions/Microsoft Windows SQL Server Database Audit/ReleaseNotes.md
index c9257220b27..50352a101e1 100644
--- a/Solutions/Microsoft Windows SQL Server Database Audit/ReleaseNotes.md
+++ b/Solutions/Microsoft Windows SQL Server Database Audit/ReleaseNotes.md
@@ -1,4 +1,4 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
-| 3.0.0 | 10-07-2023 | Updated **parser** to correctly parse failed login events |
-| | | Added Entity mapping and version in all the **hunting queries** |
+| 3.0.0 | 10-07-2023 | Updated **Parser** to correctly parse failed login events |
+| | | Added Entity mapping and version in all the **Hunting Queries** |
diff --git a/Solutions/MicrosoftDefenderForEndpoint/ReleaseNotes.md b/Solutions/MicrosoftDefenderForEndpoint/ReleaseNotes.md
index d6203fc467a..0b29a55b21d 100644
--- a/Solutions/MicrosoftDefenderForEndpoint/ReleaseNotes.md
+++ b/Solutions/MicrosoftDefenderForEndpoint/ReleaseNotes.md
@@ -1,3 +1,3 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
-| 3.0.0 | 17-07-2023 | Initial Version |
\ No newline at end of file
+| 3.0.0 | 17-07-2023 | Initial Solution Release |
\ No newline at end of file
diff --git a/Solutions/MimecastAudit/ReleaseNotes.md b/Solutions/MimecastAudit/ReleaseNotes.md
index a97fa385729..08138d03c14 100644
--- a/Solutions/MimecastAudit/ReleaseNotes.md
+++ b/Solutions/MimecastAudit/ReleaseNotes.md
@@ -1,3 +1,3 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
-| 3.0.0 | 23-08-2023 | Initial solution release |
+| 3.0.0 | 23-08-2023 | Initial Solution Release |
diff --git a/Solutions/MimecastSEG/ReleaseNotes.md b/Solutions/MimecastSEG/ReleaseNotes.md
index a97fa385729..08138d03c14 100644
--- a/Solutions/MimecastSEG/ReleaseNotes.md
+++ b/Solutions/MimecastSEG/ReleaseNotes.md
@@ -1,3 +1,3 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
-| 3.0.0 | 23-08-2023 | Initial solution release |
+| 3.0.0 | 23-08-2023 | Initial Solution Release |
diff --git a/Solutions/MimecastTIRegional/ReleaseNotes.md b/Solutions/MimecastTIRegional/ReleaseNotes.md
index a97fa385729..08138d03c14 100644
--- a/Solutions/MimecastTIRegional/ReleaseNotes.md
+++ b/Solutions/MimecastTIRegional/ReleaseNotes.md
@@ -1,3 +1,3 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
-| 3.0.0 | 23-08-2023 | Initial solution release |
+| 3.0.0 | 23-08-2023 | Initial Solution Release |
diff --git a/Solutions/MimecastTTP/ReleaseNotes.md b/Solutions/MimecastTTP/ReleaseNotes.md
index a97fa385729..08138d03c14 100644
--- a/Solutions/MimecastTTP/ReleaseNotes.md
+++ b/Solutions/MimecastTTP/ReleaseNotes.md
@@ -1,3 +1,3 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
-| 3.0.0 | 23-08-2023 | Initial solution release |
+| 3.0.0 | 23-08-2023 | Initial Solution Release |
diff --git a/Solutions/Morphisec/ReleaseNotes.md b/Solutions/Morphisec/ReleaseNotes.md
index cef30081ee5..8bb3f81277d 100644
--- a/Solutions/Morphisec/ReleaseNotes.md
+++ b/Solutions/Morphisec/ReleaseNotes.md
@@ -1,5 +1,3 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------|
-| 3.0.0 | 07-09-2023 | Addition of new Morphisec AMA **Data Connector** | |
-
-
+| 3.0.0 | 07-09-2023 | Addition of new Morphisec AMA **Data Connector** |
\ No newline at end of file
diff --git a/Solutions/Nasuni/ReleaseNotes.md b/Solutions/Nasuni/ReleaseNotes.md
index 96db3b8444b..ac829bb797e 100644
--- a/Solutions/Nasuni/ReleaseNotes.md
+++ b/Solutions/Nasuni/ReleaseNotes.md
@@ -1,4 +1,4 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
-| 3.0.0 | 14-07-2023 | Initial Version |
-| 3.0.1 | 02-08-2023 | Solution Id and Tier Updated |
\ No newline at end of file
+| 3.0.1 | 02-08-2023 | Solution Id and Tier Updated |
+| 3.0.0 | 14-07-2023 | Initial Solution Release |
\ No newline at end of file
diff --git a/Solutions/Network Session Essentials/ReleaseNotes.md b/Solutions/Network Session Essentials/ReleaseNotes.md
index cad77715b4e..a457f3e1c66 100644
--- a/Solutions/Network Session Essentials/ReleaseNotes.md
+++ b/Solutions/Network Session Essentials/ReleaseNotes.md
@@ -1,3 +1,3 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|------------------------------------------------|
-| 3.0.0 | 24-07-2023 |Updated ApiVersion for Watchlist |
+| 3.0.0 | 24-07-2023 |Updated ApiVersion for **Watchlist** |
diff --git a/Solutions/Netwrix Auditor/ReleaseNotes.md b/Solutions/Netwrix Auditor/ReleaseNotes.md
index 0b1f2f5fd11..6cbf46b2261 100644
--- a/Solutions/Netwrix Auditor/ReleaseNotes.md
+++ b/Solutions/Netwrix Auditor/ReleaseNotes.md
@@ -1,5 +1,3 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------|
-| 3.0.0 | 29-08-2023 | Addition of new Netwrix Auditor AMA **Data Connector** | |
-
-
+| 3.0.0 | 29-08-2023 | Addition of new Netwrix Auditor AMA **Data Connector** |
\ No newline at end of file
diff --git a/Solutions/Palo Alto Prisma Cloud CWPP/ReleaseNotes.md b/Solutions/Palo Alto Prisma Cloud CWPP/ReleaseNotes.md
index 4a2ccc0ac61..99b7aff5366 100644
--- a/Solutions/Palo Alto Prisma Cloud CWPP/ReleaseNotes.md
+++ b/Solutions/Palo Alto Prisma Cloud CWPP/ReleaseNotes.md
@@ -1,3 +1,3 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------|
-| 3.0.0 | 10-10-2023 | Added new files to support CCP CLV2 and its package |
\ No newline at end of file
+| 3.0.0 | 10-10-2023 | Added new files to support CCP CLV2 and its package |
\ No newline at end of file
diff --git a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md
index 9b61ea2a564..d47a6361154 100644
--- a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md
+++ b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md
@@ -1,3 +1,3 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------|
-| 3.0.0 | 06-10-2023 | Fixed Playbooks issue |
\ No newline at end of file
+| 3.0.0 | 06-10-2023 | Fixed **Playbooks** issue |
\ No newline at end of file
diff --git a/Solutions/Prancer PenSuiteAI Integration/ReleaseNotes.md b/Solutions/Prancer PenSuiteAI Integration/ReleaseNotes.md
index 443e5068d61..a23c5b21295 100644
--- a/Solutions/Prancer PenSuiteAI Integration/ReleaseNotes.md
+++ b/Solutions/Prancer PenSuiteAI Integration/ReleaseNotes.md
@@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|----------------------------------------------| -| 3.0.0 | 20-09-2023 | Initial Version Release | \ No newline at end of file +| 3.0.0 | 20-09-2023 | Initial Solution Release | \ No newline at end of file diff --git a/Solutions/Recorded Future/ReleaseNotes.md b/Solutions/Recorded Future/ReleaseNotes.md index 556eb84c6c2..30b58335a3c 100644 --- a/Solutions/Recorded Future/ReleaseNotes.md +++ b/Solutions/Recorded Future/ReleaseNotes.md @@ -1,11 +1,11 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.2 | 02-11-2023| Encoding Fix to the RecordedFuture-Alert-Importer playbook
Changed defaults in RecordedFuture-Playbook-Alert-Importer | -| 3.0.1 | 26-10-2023| Fix to the RecordedFuture-ThreatIntelligenceImport playbook | +| 3.0.2 | 02-11-2023 | Encoding Fix to the RecordedFuture-Alert-Importer playbook
Changed defaults in RecordedFuture-Playbook-Alert-Importer | +| 3.0.1 | 26-10-2023 | Fix to the RecordedFuture-ThreatIntelligenceImport playbook | | 3.0.0 | 20-09-2023 | Added workbooks for correlating Recorded Future and logs containing IoC of type IP, DNS, URL and Hash
Generate Markdown/HTML response for enrichment comments.
Recorded Future Playbook Alerts playbook and workbook for visualization.
Recorded Future Classic Alerts playbook and workbook for visualization.
Leveraging new API for importing threat indicators and deprecating old playbooks. | -| 2.4.0 | 29-05-2023 | Sandbox URL enrichment playbook included in the solution
Sandbox of outlook attachment playbook provided as an example outside the solution.
Sandbox of files in Azure storage accounts provided as example outside the solution.
Fix to IOC enrichment playbook don’t report 404 (not found) as an error. | -|2.3.0 | 13-02-2023 | Layout improvements to the incident enrichment playbook.
Added detections from collective insights to enrichment playbooks.
IncidentId and MITRE Att&ck code added to collective insights.
Fix for image in incident comment. | -| 2.2.2 | 23-01-2023 | Fixes for all risk list import playbooks. | -| 2.2.1 | 23-12-2022 | Display severity for risk rules in enrichment of IOCs.
Sorting of risk rules, showing very malicious rules first. | -| 2.2.0 | 14-12-2022 | Improvements to the incident enrichment playbook.
Added Recorded Future links to enrichment comment.
Improved layout of the enrichment, adding Recorded Future logo, table layout. | -| 2.1.0 | 20-09-2022 | Updated all playbooks to use RecordedFutureV2 connector, which requires new API keys.
Added playbooks for importing Ukraine Russia conflict risk lists. | +| 2.4.0 | 29-05-2023 | Sandbox URL enrichment playbook included in the solution
Sandbox of outlook attachment playbook provided as an example outside the solution.
Sandbox of files in Azure storage accounts provided as example outside the solution.
Fix to IOC enrichment playbook don’t report 404 (not found) as an error. | +| 2.3.0 | 13-02-2023 | Layout improvements to the incident enrichment playbook.
Added detections from collective insights to enrichment playbooks.
IncidentId and MITRE Att&ck code added to collective insights.
Fix for image in incident comment. | +| 2.2.2 | 23-01-2023 | Fixes for all risk list import playbooks. | +| 2.2.1 | 23-12-2022 | Display severity for risk rules in enrichment of IOCs.
Sorting of risk rules, showing very malicious rules first. | +| 2.2.0 | 14-12-2022 | Improvements to the incident enrichment playbook.
Added Recorded Future links to enrichment comment.
Improved layout of the enrichment, adding Recorded Future logo, table layout. | +| 2.1.0 | 20-09-2022 | Updated all playbooks to use RecordedFutureV2 connector, which requires new API keys.
Added playbooks for importing Ukraine Russia conflict risk lists. | diff --git a/Solutions/ReleaseNotesSample.md b/Solutions/ReleaseNotesSample.md index 0da3bdcba1f..63d412e97c0 100644 --- a/Solutions/ReleaseNotesSample.md +++ b/Solutions/ReleaseNotesSample.md @@ -2,4 +2,4 @@ |-------------|--------------------------------|---------------------------------------------| | 2.0.1 | 01-03-2023 | **Data Connector** UI-only update with improved onboarding instructions \| v 1.0.1 | | | Modified rule logic for **Analytic Rule** \"Successful Brute Force attempt\" for better query performance \| v 1.0.2| -| 2.0.0 | 10-12-2022 | Initial solution release | +| 2.0.0 | 10-12-2022 | Initial Solution Release | diff --git a/Solutions/RidgeSecurity/ReleaseNotes.md b/Solutions/RidgeSecurity/ReleaseNotes.md index ba9c8858735..f63609248a9 100644 --- a/Solutions/RidgeSecurity/ReleaseNotes.md +++ b/Solutions/RidgeSecurity/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| -| 3.0.0 | 23-10-2023 | RidgeSecurity Sentinel Initial Solution Release | \ No newline at end of file +| 3.0.0 | 23-10-2023 | Initial Solution Release | \ No newline at end of file diff --git a/Solutions/RubrikSecurityCloud/ReleaseNotes.md b/Solutions/RubrikSecurityCloud/ReleaseNotes.md index f8876aca52a..99d0f9c0bda 100644 --- a/Solutions/RubrikSecurityCloud/ReleaseNotes.md +++ b/Solutions/RubrikSecurityCloud/ReleaseNotes.md 
@@ -1,4 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.1.0 | 20-10-2023 | Updated the DataConnector code by implementing Durable Function App. | +| 3.1.0 | 20-10-2023 | Updated the **DataConnector** code by implementing Durable Function App. | | 3.0.0 | 14-07-2023 | Updated the title in such a way that user can identify the adaptive card based on incident. | \ No newline at end of file diff --git a/Solutions/SOC Handbook/ReleaseNotes.md b/Solutions/SOC Handbook/ReleaseNotes.md index 8dc0f964259..7e991201e90 100644 --- a/Solutions/SOC Handbook/ReleaseNotes.md +++ b/Solutions/SOC Handbook/ReleaseNotes.md @@ -2,4 +2,4 @@ |-------------|--------------------------------|---------------------------------------------| | 3.0.2 | 21-11-2023 |Updated SecurityOperationsEfficiency **Workbook** to run the query on "set in query" | | 3.0.1 | 14-07-2023 | Updated **Workbook** to correctly get the drop down for Subscription and Workspace | -| 3.0.0 | 07-07-2023 | Initial Version | +| 3.0.0 | 07-07-2023 | Initial Solution Release| diff --git a/Solutions/SalemCyber/ReleaseNotes.md b/Solutions/SalemCyber/ReleaseNotes.md index bf76b9043ea..4428d7c8ed4 100644 --- a/Solutions/SalemCyber/ReleaseNotes.md +++ b/Solutions/SalemCyber/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 14-07-2023 | Initial Version Release | \ No newline at end of file +| 3.0.0 | 14-07-2023 | Initial Solution Release | \ No newline at end of file diff --git a/Solutions/SentinelSOARessentials/Package/ReleaseNotes.md b/Solutions/SentinelSOARessentials/Package/ReleaseNotes.md new file mode 100644 index 00000000000..f42fca0c311 --- /dev/null +++ b/Solutions/SentinelSOARessentials/Package/ReleaseNotes.md 
@@ -0,0 +1,3 @@ +| **Version** | **Date Modiefied (DD-MM-YYY)** | **Change History** | +|-------------|--------------------------------|---------------------------------------------| +| 3.0.0 | 13-07-2023 |Resolved issues for Saving and Selecting Workspace for **Workbook** | diff --git a/Solutions/SeraphicSecurity/ReleaseNotes.md b/Solutions/SeraphicSecurity/ReleaseNotes.md index b935fd70a66..f587e43a79b 100644 --- a/Solutions/SeraphicSecurity/ReleaseNotes.md +++ b/Solutions/SeraphicSecurity/ReleaseNotes.md @@ -1,4 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYY)** | **Change History** | |-------------|-------------------------------|--------------------------------------------| -| 2.0.0 | 17-11-2023 |Initial Release | +| 2.0.0 | 17-11-2023 |Initial Solution Release | diff --git a/Solutions/SevcoSecurity/ReleaseNotes.md b/Solutions/SevcoSecurity/ReleaseNotes.md index 7549222d3f9..6059f00fb16 100644 --- a/Solutions/SevcoSecurity/ReleaseNotes.md +++ b/Solutions/SevcoSecurity/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 18-07-2023 | Initial solution release | \ No newline at end of file +| 3.0.0 | 18-07-2023 | Initial Solution Release | \ No newline at end of file diff --git a/Solutions/SlackAudit/ReleaseNotes.md b/Solutions/SlackAudit/ReleaseNotes.md index 3c66f292cc0..bd7a76374c2 100644 --- a/Solutions/SlackAudit/ReleaseNotes.md +++ b/Solutions/SlackAudit/ReleaseNotes.md 
@@ -1,5 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| -| 3.0.0 | 23-08-2023 | Manual deployment instructions updated for **Data Connector** | -| | | Convert **Parser** file from text to yaml | +| 3.0.0 | 23-08-2023 | Manual deployment instructions updated for **Data Connector** & Convert **Parser** from text to yaml | diff --git a/Solutions/SlashNext SIEM/ReleaseNotes.md b/Solutions/SlashNext SIEM/ReleaseNotes.md index eaa42c0e116..fb432cff972 100644 --- a/Solutions/SlashNext SIEM/ReleaseNotes.md +++ b/Solutions/SlashNext SIEM/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -|3.0.0 | 25-07-2023 | Initial Version Release. | +|3.0.0 | 25-07-2023 | Initial Solution Release. | diff --git a/Solutions/Snowflake/ReleaseNotes.md b/Solutions/Snowflake/ReleaseNotes.md index b759abdc0a8..528444c1b64 100644 --- a/Solutions/Snowflake/ReleaseNotes.md +++ b/Solutions/Snowflake/ReleaseNotes.md @@ -1,5 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| -| 3.0.0 | 31-08-2023 | Manual deployment instructions updated for **Data Connector** | -| | | Convert **Parser** file from text to yaml | +| 3.0.0 | 31-08-2023 | Manual deployment instructions updated for **Data Connector** & Convert **Parser** from text to Yaml| diff --git a/Solutions/SpyCloud Enterprise Protection/ReleaseNotes.md b/Solutions/SpyCloud Enterprise Protection/ReleaseNotes.md index 15087e5636e..107deff1cef 100644 --- a/Solutions/SpyCloud Enterprise Protection/ReleaseNotes.md +++ b/Solutions/SpyCloud Enterprise Protection/ReleaseNotes.md 
@@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 12-09-2023 | Initial solution release | +| 3.0.0 | 12-09-2023 | Initial Solution Release | diff --git a/Solutions/SymantecProxySG/ReleaseNotes.md b/Solutions/SymantecProxySG/ReleaseNotes.md index a5984b086fa..711597f206f 100644 --- a/Solutions/SymantecProxySG/ReleaseNotes.md +++ b/Solutions/SymantecProxySG/ReleaseNotes.md @@ -1,4 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 06-11-2023 | Modified the **Data Connector** with improved onboarding instructions -| | | Optimized the **Parser** to process the logs with improved performance \ No newline at end of file +| 3.0.0 | 06-11-2023 | Modified the **Data Connector** with improved onboarding instructions & Optimized the **Parser** to process the logs with improved performance | \ No newline at end of file diff --git a/Solutions/Threat Intelligence/ReleaseNotes.md b/Solutions/Threat Intelligence/ReleaseNotes.md index c024a79d3fd..1f5d9220cac 100644 --- a/Solutions/Threat Intelligence/ReleaseNotes.md +++ b/Solutions/Threat Intelligence/ReleaseNotes.md @@ -1,5 +1,5 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.1 | 22-08-2023 | Removed (Preview) from Name field in **Analytical Rules** | +| 3.0.1 | 22-08-2023 | Removed (Preview) from Name field in **Analytic Rules** | | 3.0.0 | 14-08-2023 | Modified **Analytical Rule** (TI map Domain entity to SecurityAlert). Updated dynamic([1]) to dynamic([1,1]) so as to make result array of array consistent. | | | | Updated **Hunting Queries** to have descriptions that meet the 255 characters limit. | 
diff --git a/Solutions/ThreatConnect/ReleaseNotes.md b/Solutions/ThreatConnect/ReleaseNotes.md index 65863c2f9e5..7330ed2e5d5 100644 --- a/Solutions/ThreatConnect/ReleaseNotes.md +++ b/Solutions/ThreatConnect/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|------------------------------------------------| -| 3.0.0 | 12-10-2023 | Initial Version Release | \ No newline at end of file +| 3.0.0 | 12-10-2023 | Initial Solution Release | \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/ReleaseNotes.md b/Solutions/Trend Micro Apex One/ReleaseNotes.md index f73e5012a1d..6ab6306a294 100644 --- a/Solutions/Trend Micro Apex One/ReleaseNotes.md +++ b/Solutions/Trend Micro Apex One/ReleaseNotes.md @@ -1,4 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| | 3.0.1 | 25-10-2023 | **Hunting Query** column corrected | -| 3.0.0 | 22-09-2023 | Addition of new Trend Micro Apex One AMA **Data connector** | | +| 3.0.0 | 22-09-2023 | Addition of new Trend Micro Apex One AMA **Data connector** | | diff --git a/Solutions/Vectra XDR/ReleaseNotes.md b/Solutions/Vectra XDR/ReleaseNotes.md index 0fdd70f1b0b..cbd6e237c04 100644 --- a/Solutions/Vectra XDR/ReleaseNotes.md +++ b/Solutions/Vectra XDR/ReleaseNotes.md 
@@ -1,5 +1,5 @@ -| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | -|-------------|--------------------------------|------------------------------------| -| 3.0.0 | 03-08-2023 | Initial solution release | -| 3.0.1 | 21-08-2023 | **Workbook** metadata issue resolved | -| 3.0.2 | 04-10-2023 | Enhanced data connector logic to post data into Sentinel | \ No newline at end of file +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|----------------------------------------------------------------| +| 3.0.2 | 04-10-2023 | Enhanced **Data Connector** logic to post data into Sentinel | +| 3.0.1 | 21-08-2023 | **Workbook** metadata issue resolved | +| 3.0.0 | 03-08-2023 | Initial Solution Release | \ No newline at end of file diff --git a/Solutions/Web Session Essentials/ReleaseNotes.md b/Solutions/Web Session Essentials/ReleaseNotes.md index 4605c7dcd6e..17387bca749 100644 --- a/Solutions/Web Session Essentials/ReleaseNotes.md +++ b/Solutions/Web Session Essentials/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 11-09-2023 | Initial solution release | +| 3.0.0 | 11-09-2023 | Initial Solution Release | diff --git a/Solutions/Windows Firewall/ReleaseNotes.md b/Solutions/Windows Firewall/ReleaseNotes.md index a0d962eacd0..01dc5d3aae5 100644 --- a/Solutions/Windows Firewall/ReleaseNotes.md +++ b/Solutions/Windows Firewall/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 19-07-2023 | Initial Version | +| 3.0.0 | 19-07-2023 | Initial Solution Release | 
diff --git a/Solutions/WithSecureElementsViaConnector/ReleaseNotes.md b/Solutions/WithSecureElementsViaConnector/ReleaseNotes.md index b34257d692f..843e8689ce0 100644 --- a/Solutions/WithSecureElementsViaConnector/ReleaseNotes.md +++ b/Solutions/WithSecureElementsViaConnector/ReleaseNotes.md @@ -1,4 +1,4 @@ -| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | -|------------------------------------------------------------------------------------------------------------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| -| 3.0.0 | 31-10-2023 | Updated legacy F-Secure links related to the connector installation and event forwarding configuration with WithSecure links \| **v 3.0.0** | +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|---------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------------| +| 3.0.0 | 31-10-2023 | Updated legacy F-Secure links related to the connector installation and event forwarding configuration with WithSecure links| \ No newline at end of file diff --git a/Solutions/Wiz/ReleaseNotes.md b/Solutions/Wiz/ReleaseNotes.md index b86376308b0..823ba5dd6b0 100644 --- a/Solutions/Wiz/ReleaseNotes.md +++ b/Solutions/Wiz/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 2.0.0 | 07-09-2023 | Updated Workbook query in maintemplate | +| 2.0.0 | 07-09-2023 | Updated **Workbook** query in Maintemplate | diff --git a/Solutions/Workplace from Facebook/ReleaseNotes.md b/Solutions/Workplace from Facebook/ReleaseNotes.md index 56f58eab5b8..34b38bf39bf 100644 --- a/Solutions/Workplace from Facebook/ReleaseNotes.md 
+++ b/Solutions/Workplace from Facebook/ReleaseNotes.md @@ -1,4 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 28-09-2023 | Updated Dataconnector with step by step | -| | | guidelines | +| 3.0.0 | 28-09-2023 | Updated **Dataconnector** with step by step guidelines| diff --git a/Solutions/ZeroFox/ReleaseNotes.md b/Solutions/ZeroFox/ReleaseNotes.md index 869ddfa7c38..8467bbb4f84 100644 --- a/Solutions/ZeroFox/ReleaseNotes.md +++ b/Solutions/ZeroFox/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 04-08-2023 | **Data Connector** Added Data Connectors for ZeroFox's Alerts and CTI feeds \ No newline at end of file +| 3.0.0 | 04-08-2023 | Added **Data Connectors** for ZeroFox's Alerts and CTI feeds | \ No newline at end of file diff --git a/Solutions/ZoomReports/ReleaseNotes.md b/Solutions/ZoomReports/ReleaseNotes.md index ee5dd4a6058..4154beac9e6 100644 --- a/Solutions/ZoomReports/ReleaseNotes.md +++ b/Solutions/ZoomReports/ReleaseNotes.md @@ -1,4 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 04-07-2023 | Fixed broken links for **Data Connector** | -| | | Added **Workbook** in solution content | +| 3.0.0 | 04-07-2023 | Fixed broken links for **Data Connector** & Added **Workbook** in Solution content | diff --git a/Tools/Create-Azure-Sentinel-Solution/pipeline/createSolutionV4.ps1 b/Tools/Create-Azure-Sentinel-Solution/pipeline/createSolutionV4.ps1 index 682e21f0034..5f9d14f6fbd 100644 --- a/Tools/Create-Azure-Sentinel-Solution/pipeline/createSolutionV4.ps1 +++ b/Tools/Create-Azure-Sentinel-Solution/pipeline/createSolutionV4.ps1 
@@ -99,6 +99,7 @@ try
 foreach ($file in $filesList) {
 Write-Host "Current file is $file"
+ $fileExtension = $file -split '\.' | Select-Object -Last 1
 if ($objectProperties.Name.ToLower() -eq "parsers") {
 $finalPath = "" + $pipelineBasePath + "Solutions/" + $pipelineSolutionName + "/Parsers/" + $file.Replace("Parsers/", "")
@@ -140,12 +141,28 @@ try
 try {
 Write-Host "Downloading $finalPath"
- $rawData = (New-Object System.Net.WebClient).DownloadString($finalPath)
+ $isFilePathPresent = Test-Path -Path "$finalPath"
+ Write-Host "Is $finalPath file path present $isFilePathPresent"
+ if ($isFilePathPresent) {
+ $rawData = (New-Object System.Net.WebClient).DownloadString($finalPath)
+ }
+ else {
+ if ($fileExtension -eq "json" -or $fileExtension -eq "JSON") {
+ Write-Host "FinalPath $finalPath not found!"
+ if ($fileExtension -eq "json") {
+ $finalPath = $finalPath.Replace(".json", ".JSON")
+ } else {
+ $finalPath = $finalPath.Replace(".JSON", ".json")
+ }
+ Write-Host "Updated FinalPath is $finalPath"
+ $rawData = (New-Object System.Net.WebClient).DownloadString($finalPath)
+ }
+ }
 }
 catch {
 Write-Host "Failed to download $finalPath -- Please ensure that it exists in $([System.Uri]::EscapeUriString($basePath))" -ForegroundColor Red
 Send-AppInsightsExceptionTelemetry -InstrumentationKey $instrumentationKey -Exception $_.Exception -CustomProperties @{ 'RunId'="$runId"; 'PullRequestNumber'= "$pullRequestNumber"; 'ErrorDetails'="CreateSolutionV4 : Error occured in catch block: $_"; 'EventName'="CreateSolutionV4" }
- break;
+ exit 1;
 }
 try {
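Review bot: In the second hunk (@@ -140,12 +141,28 @@) the inner `if ($fileExtension -eq "json")` is always true, because PowerShell's `-eq` is case-insensitive, so the `else` branch that rewrites `.JSON` to `.json` is unreachable and a missing `.JSON` file is retried as the same `.JSON` path; the outer `-or $fileExtension -eq "JSON"` is redundant for the same reason. Use the case-sensitive operator there, `if ($fileExtension -ceq "json") {`, and keep the outer test as just `if ($fileExtension -eq "json") {`. When the file is absent and its extension is not json, nothing is assigned and `$rawData` silently keeps the previous iteration's content (this runs inside `foreach ($file in $filesList)` from the first hunk), so add `else { throw "File not found: $finalPath" }` to the outer `else` so the existing catch and `exit 1` path fires. It is also worth confirming that `$finalPath` is a local path rather than a URL, since `Test-Path` returns `$false` for URLs and every download would then take the fallback branch. The enclosing try block and foreach loop start outside the hunk.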