diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json b/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json
index a37c14505c..248f199b12 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json
@@ -26,7 +26,7 @@
 ],
 "WatchlistDescription": "ExchOnlineVIP Watchlists contains a list of VIP users identified in Exchange Online that would be more monitored than others. This watchlist is used in the Audit log workbooks to filter activities on those users.",
 "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Microsoft Exchange Security - Exchange Online",
- "Version": "3.1.2",
+ "Version": "3.1.3",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.1.3.zip b/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.1.3.zip
new file mode 100644
index 0000000000..88e5f83c71
Binary files /dev/null and b/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.1.3.zip differ
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json b/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json
index 5a7449f61d..216cbc477a 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json
@@ -73,7 +73,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Microsoft Exchange Security - Exchange Online", - "_solutionVersion": "3.1.2", + "_solutionVersion": "3.1.3", "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-esionline", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "ESI-ExchangeOnlineCollector", 
@@ -86,43 +86,43 @@ "dataConnectorVersion1": "1.1.1", "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "parserObject1": { - "_parserName1": "[concat(parameters('workspace'),'/','Parser-for-ExchangeConfiguration')]", - "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser-for-ExchangeConfiguration')]", + "_parserName1": "[concat(parameters('workspace'),'/','ExchangeConfiguration')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ExchangeConfiguration')]", "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ExchangeConfiguration-Parser')))]", "parserVersion1": "1.6.1", "parserContentId1": "ExchangeConfiguration-Parser" }, "parserObject2": { - "_parserName2": "[concat(parameters('workspace'),'/','Parser-for-ExchangeEnvironmentList')]", - "_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser-for-ExchangeEnvironmentList')]", + "_parserName2": "[concat(parameters('workspace'),'/','ExchangeEnvironmentList')]", + "_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ExchangeEnvironmentList')]", "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ExchangeEnvironmentList-Parser')))]", "parserVersion2": "1.0.1", "parserContentId2": "ExchangeEnvironmentList-Parser" }, "parserObject3": { - "_parserName3": "[concat(parameters('workspace'),'/','Parser-for-VIP-Check-for-Exchange')]", - "_parserId3": 
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser-for-VIP-Check-for-Exchange')]", + "_parserName3": "[concat(parameters('workspace'),'/','MESCheckVIP')]", + "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckVIP')]", "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCheckVIP-Parser')))]", "parserVersion3": "1.0.0", "parserContentId3": "MESCheckVIP-Parser" }, "parserObject4": { - "_parserName4": "[concat(parameters('workspace'),'/','Parser-for-VIP-Check-for-Exchange-Online')]", - "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser-for-VIP-Check-for-Exchange-Online')]", + "_parserName4": "[concat(parameters('workspace'),'/','MESCheckOnlineVIP')]", + "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP')]", "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCheckOnlineVIP-Parser')))]", "parserVersion4": "1.0.0", "parserContentId4": "MESCheckOnlineVIP-Parser" }, "parserObject5": { - "_parserName5": "[concat(parameters('workspace'),'/','Parser-for-MRA-Configuration-Data-Comparison')]", - "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser-for-MRA-Configuration-Data-Comparison')]", + "_parserName5": "[concat(parameters('workspace'),'/','MESCompareDataMRA')]", + "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA')]", "parserTemplateSpecName5": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCompareDataMRA-Parser')))]", "parserVersion5": "1.0.0", "parserContentId5": "MESCompareDataMRA-Parser" }, "parserObject6": { - "_parserName6": "[concat(parameters('workspace'),'/','Parser-for-Office-Activity-Logs')]", - "_parserId6": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser-for-Office-Activity-Logs')]", + "_parserName6": "[concat(parameters('workspace'),'/','MESOfficeActivityLogs')]", + "_parserId6": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs')]", "parserTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESOfficeActivityLogs-Parser')))]", "parserVersion6": "1.0.0", "parserContentId6": "MESOfficeActivityLogs-Parser" @@ -165,7 +165,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Security - Exchange Online data connector with template version 3.1.2", + "description": "Microsoft Exchange Security - Exchange Online data connector with template version 3.1.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
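Review bot: Renaming the savedSearches resources from `Parser-for-ExchangeConfiguration` (and the five siblings in this hunk) to the bare alias names while keeping each `functionAlias` unchanged leaves a workspace upgraded from 3.1.2 with the old saved search still in place, since an ARM deployment only creates or updates the resources it names and nothing in this template deletes the legacy ones. Two saved searches advertising the same alias, e.g. `ExchangeConfiguration`, may make the upgrade deployment fail or leave an ambiguous function behind; I cannot confirm from this file how the workspace API resolves duplicate aliases, so this is inferred. The 3.1.3 release notes and the content-hub upgrade text should carry a line such as `Upgrading from 3.1.2 or earlier: delete the legacy 'Parser-for-*' saved searches from the workspace before redeploying`, so that workbooks and rules that depend on these parsers do not silently lose their data source.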
@@ -743,7 +743,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeConfiguration Data Parser with template version 3.1.2", + "description": "ExchangeConfiguration Data Parser with template version 3.1.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
@@ -761,7 +761,7 @@ "category": "Microsoft Sentinel Parser", "functionAlias": "ExchangeConfiguration", "query": "// Version: 1.6.1\n// Last Updated: 19/12/2023\n// \n// DESCRIPTION:\n// This parser takes raw ESI Exchange Configuration Collector to pivot raw information and retrieve a specific date configuration. This is the same parser for Exchange On-Premises version and Exchange online version of the solution.\n//\n// USAGE:\n// Parameters : 4 parameters to add during creation. \n// 1. SpecificSectionList, type string, default value \"\"\n// 2. SpecificConfigurationDate, type string, default value \"lastdate\"\n// 3. Target, type string, default value \"On-Premises\"\n// 4. SpecificConfigurationEnv, type string, default value \"All\"\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SpecificSectionList = '';\n// let SpecificConfigurationDate = 'lastdate';\n// let SpecificConfigurationEnv = 'All';\n// let Target = 'On-Premises';\n//\n// Parameters definition\nlet _SpecificSectionList = split(SpecificSectionList,',');\nlet _configurationDate = iff(isnull(SpecificConfigurationDate) or isempty(SpecificConfigurationDate),\"lastdate\",tostring(SpecificConfigurationDate));\nlet _configurationEnv = split(iff(isnull(SpecificConfigurationEnv) or isempty(SpecificConfigurationEnv) or tolower(SpecificConfigurationEnv) == \"all\",\"All\",tostring(SpecificConfigurationEnv)),',');\nlet _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\n// Building Base Request\nlet _targetDate = iff(_configurationDate == \"lastdate\", ago(7d), iif(_configurationDate == \"alllife\",ago(1080d),todatetime(_configurationDate)));\nlet baseRequest = materialize (union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange* \n | where TimeGenerated > _targetDate\n | extend Source = iff (TableName contains \"Online\", \"Online\", 
\"On-Premises\")\n | where _target == 'All' or Source == _target\n | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \n | where ScopedEnvironment in (_configurationEnv)\n | extend EntryDate = todatetime(EntryDate_s)\n | project-away EntryDate_s);\n// Find Config Id (can be multiple id in all)\nlet findConfigDate = baseRequest\n | extend Env =strcat(Source, \"_\",ESIEnvironment_s)\n | summarize count() by GenerationInstanceID_g,Env,EntryDate\n | extend distance = iff(_configurationDate == \"lastdate\" or _configurationDate == \"alllife\", now() - EntryDate, (EntryDate - todatetime(_configurationDate)))\n | top-nested of Env by Ignore0=max(1), \n top-nested 1 of distance by Ignore1 = min(distance) asc nulls last, \n top-nested of GenerationInstanceID_g by Ignore2=max(2) \n | project GenerationInstanceID_g;\n// Parse Result\nlet ParseExchangeConfig = () { baseRequest \n | join kind=leftsemi (findConfigDate) on $left.GenerationInstanceID_g == $right.GenerationInstanceID_g\n | where isempty(_SpecificSectionList[0]) or Section_s in (_SpecificSectionList)\n | extend TimeGenerated = EntryDate\n | extend Identity = IdentityString_s\n | extend CmdletResultValue = parse_json(rawData_s)\n | project-rename ConfigurationInstanceID = GenerationInstanceID_g, ESIEnvironment = ESIEnvironment_s, Section = Section_s, PSCmdlet = PSCmdL_s, CmdletResultType = ExecutionResult_s, WhenChanged = WhenChanged_t, WhenCreated = WhenCreated_t, Name = Name_s\n | project-away TenantId,SourceSystem,Type,EntryDate\n};\nParseExchangeConfig\n", - "functionParameters": "SpecificSectionList:string = \"\", SpecificConfigurationDate:string = \"lastdate\", Target:string = \"On-Premises\", SpecificConfigurationEnv:string = \"All\"", + "functionParameters": "SpecificSectionList:string='',SpecificConfigurationDate:string='lastdate',SpecificConfigurationEnv:string='All',Target:string='On-Premises'", "version": 2, "tags": [ { 
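Review bot: The new `functionParameters` string reorders the positional parameters — `Target` moves from third to fourth and `SpecificConfigurationEnv` from fourth to third — so any workbook or analytics rule that calls `ExchangeConfiguration('', 'lastdate', 'Online')` positionally now binds `'Online'` to the environment filter and leaves `Target` at its `On-Premises` default, silently returning the wrong or an empty configuration set instead of failing; whether such positional callers exist is not visible in this diff, though the MESCompareDataMRA parser later in the file passes named arguments and is unaffected. The USAGE header inside the `query` string was not updated and still documents the old order; it should read `// 3. SpecificConfigurationEnv, type string, default value "All"` and `// 4. Target, type string, default value "On-Premises"` to match the declared signature. The same reorder is repeated for the second copy of this parser in the `@@ -825` hunk and needs the same header fix there. Because this changes the function's calling convention, it should be called out as a breaking change in the 3.1.3 release notes rather than shipped as a formatting-only edit.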
@@ -779,7 +779,7 @@ "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser-for-ExchangeConfiguration')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ExchangeConfiguration')]", "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", "version": "[variables('parserObject1').parserVersion1]", @@ -808,7 +808,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", - "displayName": "Parser for ExchangeConfiguration", + "displayName": "ExchangeConfiguration", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.6.1')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.6.1')))]", "version": "[variables('parserObject1').parserVersion1]" 
@@ -825,7 +825,7 @@ "category": "Microsoft Sentinel Parser", "functionAlias": "ExchangeConfiguration", "query": "// Version: 1.6.1\n// Last Updated: 19/12/2023\n// \n// DESCRIPTION:\n// This parser takes raw ESI Exchange Configuration Collector to pivot raw information and retrieve a specific date configuration. This is the same parser for Exchange On-Premises version and Exchange online version of the solution.\n//\n// USAGE:\n// Parameters : 4 parameters to add during creation. \n// 1. SpecificSectionList, type string, default value \"\"\n// 2. SpecificConfigurationDate, type string, default value \"lastdate\"\n// 3. Target, type string, default value \"On-Premises\"\n// 4. SpecificConfigurationEnv, type string, default value \"All\"\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SpecificSectionList = '';\n// let SpecificConfigurationDate = 'lastdate';\n// let SpecificConfigurationEnv = 'All';\n// let Target = 'On-Premises';\n//\n// Parameters definition\nlet _SpecificSectionList = split(SpecificSectionList,',');\nlet _configurationDate = iff(isnull(SpecificConfigurationDate) or isempty(SpecificConfigurationDate),\"lastdate\",tostring(SpecificConfigurationDate));\nlet _configurationEnv = split(iff(isnull(SpecificConfigurationEnv) or isempty(SpecificConfigurationEnv) or tolower(SpecificConfigurationEnv) == \"all\",\"All\",tostring(SpecificConfigurationEnv)),',');\nlet _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\n// Building Base Request\nlet _targetDate = iff(_configurationDate == \"lastdate\", ago(7d), iif(_configurationDate == \"alllife\",ago(1080d),todatetime(_configurationDate)));\nlet baseRequest = materialize (union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange* \n | where TimeGenerated > _targetDate\n | extend Source = iff (TableName contains \"Online\", \"Online\", 
\"On-Premises\")\n | where _target == 'All' or Source == _target\n | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \n | where ScopedEnvironment in (_configurationEnv)\n | extend EntryDate = todatetime(EntryDate_s)\n | project-away EntryDate_s);\n// Find Config Id (can be multiple id in all)\nlet findConfigDate = baseRequest\n | extend Env =strcat(Source, \"_\",ESIEnvironment_s)\n | summarize count() by GenerationInstanceID_g,Env,EntryDate\n | extend distance = iff(_configurationDate == \"lastdate\" or _configurationDate == \"alllife\", now() - EntryDate, (EntryDate - todatetime(_configurationDate)))\n | top-nested of Env by Ignore0=max(1), \n top-nested 1 of distance by Ignore1 = min(distance) asc nulls last, \n top-nested of GenerationInstanceID_g by Ignore2=max(2) \n | project GenerationInstanceID_g;\n// Parse Result\nlet ParseExchangeConfig = () { baseRequest \n | join kind=leftsemi (findConfigDate) on $left.GenerationInstanceID_g == $right.GenerationInstanceID_g\n | where isempty(_SpecificSectionList[0]) or Section_s in (_SpecificSectionList)\n | extend TimeGenerated = EntryDate\n | extend Identity = IdentityString_s\n | extend CmdletResultValue = parse_json(rawData_s)\n | project-rename ConfigurationInstanceID = GenerationInstanceID_g, ESIEnvironment = ESIEnvironment_s, Section = Section_s, PSCmdlet = PSCmdL_s, CmdletResultType = ExecutionResult_s, WhenChanged = WhenChanged_t, WhenCreated = WhenCreated_t, Name = Name_s\n | project-away TenantId,SourceSystem,Type,EntryDate\n};\nParseExchangeConfig\n", - "functionParameters": "SpecificSectionList:string = \"\", SpecificConfigurationDate:string = \"lastdate\", Target:string = \"On-Premises\", SpecificConfigurationEnv:string = \"All\"", + "functionParameters": "SpecificSectionList:string='',SpecificConfigurationDate:string='lastdate',SpecificConfigurationEnv:string='All',Target:string='On-Premises'", "version": 2, "tags": [ { 
@@ -844,7 +844,7 @@ "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser-for-ExchangeConfiguration')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ExchangeConfiguration')]", "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", "version": "[variables('parserObject1').parserVersion1]", @@ -873,7 +873,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeEnvironmentList Data Parser with template version 3.1.2", + "description": "ExchangeEnvironmentList Data Parser with template version 3.1.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject2').parserVersion2]", @@ -891,7 +891,7 @@ "category": "Microsoft Sentinel Parser", "functionAlias": "ExchangeEnvironmentList", "query": "// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let Target = 'On-Premises';\n//\n// Parameters definition\nlet _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\nlet ScalarbaseRequest = union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange*\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target;\n// Base Request\nScalarbaseRequest | summarize by ESIEnvironment_s | project-rename ESIEnvironment = ESIEnvironment_s\n", - "functionParameters": "Target:string = \"On-Premises\"", + "functionParameters": "Target:string='On-Premises'", "version": 2, "tags": [ { 
@@ -909,7 +909,7 @@ "[variables('parserObject2')._parserId2]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser-for-ExchangeEnvironmentList')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ExchangeEnvironmentList')]", "contentId": "[variables('parserObject2').parserContentId2]", "kind": "Parser", "version": "[variables('parserObject2').parserVersion2]", @@ -938,7 +938,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject2').parserContentId2]", "contentKind": "Parser", - "displayName": "Parser for ExchangeEnvironmentList", + "displayName": "ExchangeEnvironmentList", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.1')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.1')))]", "version": "[variables('parserObject2').parserVersion2]" 
@@ -955,7 +955,7 @@ "category": "Microsoft Sentinel Parser", "functionAlias": "ExchangeEnvironmentList", "query": "// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let Target = 'On-Premises';\n//\n// Parameters definition\nlet _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\nlet ScalarbaseRequest = union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange*\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target;\n// Base Request\nScalarbaseRequest | summarize by ESIEnvironment_s | project-rename ESIEnvironment = ESIEnvironment_s\n", - "functionParameters": "Target:string = \"On-Premises\"", + "functionParameters": "Target:string='On-Premises'", "version": 2, "tags": [ { @@ -974,7 +974,7 @@ "[variables('parserObject2')._parserId2]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser-for-ExchangeEnvironmentList')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ExchangeEnvironmentList')]", "contentId": "[variables('parserObject2').parserContentId2]", "kind": "Parser", "version": "[variables('parserObject2').parserVersion2]", @@ -1003,7 +1003,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MESCheckVIP Data Parser with template version 3.1.2", + "description": "MESCheckVIP Data Parser with template version 3.1.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject3').parserVersion3]", 
@@ -1021,7 +1021,7 @@ "category": "Microsoft Sentinel Parser", "functionAlias": "MESCheckVIP", "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [\n \"NONE\",\"NONE\",\"NONE\",\"NONE\",\"00000001-0000-1000-0000-100000000000\",\"NONE\",\"NONE\"];\nlet Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != \"00000001-0000-1000-0000-100000000000\" | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ canonicalName \n or _UserToCheck =~ displayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck =~ objectSID \n or _UserToCheck == tostring(objectGUID) \n or _UserToCheck =~ distinguishedName\n or _UserToCheck == \"All\"\n | extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",displayName,\"#\",userPrincipalName,\"#\",sAMAccountName,\"#\",objectGUID,\"#\",objectSID,\"#\",distinguishedName,\"#\"),_UserToCheck);\nSearchUser\n", - "functionParameters": "UserToCheck:string = \"All\"", + "functionParameters": "UserToCheck:string='All'", "version": 2, "tags": [ { @@ -1039,7 +1039,7 @@ "[variables('parserObject3')._parserId3]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser-for-VIP-Check-for-Exchange')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckVIP')]", "contentId": "[variables('parserObject3').parserContentId3]", "kind": "Parser", "version": "[variables('parserObject3').parserVersion3]", 
@@ -1068,7 +1068,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject3').parserContentId3]", "contentKind": "Parser", - "displayName": "Parser for VIP Check for Exchange", + "displayName": "MESCheckVIP", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]", "version": "[variables('parserObject3').parserVersion3]" 
@@ -1085,7 +1085,7 @@ "category": "Microsoft Sentinel Parser", "functionAlias": "MESCheckVIP", "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [\n \"NONE\",\"NONE\",\"NONE\",\"NONE\",\"00000001-0000-1000-0000-100000000000\",\"NONE\",\"NONE\"];\nlet Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != \"00000001-0000-1000-0000-100000000000\" | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ canonicalName \n or _UserToCheck =~ displayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck =~ objectSID \n or _UserToCheck == tostring(objectGUID) \n or _UserToCheck =~ distinguishedName\n or _UserToCheck == \"All\"\n | extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",displayName,\"#\",userPrincipalName,\"#\",sAMAccountName,\"#\",objectGUID,\"#\",objectSID,\"#\",distinguishedName,\"#\"),_UserToCheck);\nSearchUser\n", - "functionParameters": "UserToCheck:string = \"All\"", + "functionParameters": "UserToCheck:string='All'", "version": 2, "tags": [ { @@ -1104,7 +1104,7 @@ "[variables('parserObject3')._parserId3]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser-for-VIP-Check-for-Exchange')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckVIP')]", "contentId": "[variables('parserObject3').parserContentId3]", "kind": "Parser", "version": "[variables('parserObject3').parserVersion3]", 
@@ -1133,7 +1133,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MESCheckOnlineVIP Data Parser with template version 3.1.2", + "description": "MESCheckOnlineVIP Data Parser with template version 3.1.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject4').parserVersion4]", @@ -1151,7 +1151,7 @@ "category": "Microsoft Sentinel Parser", "functionAlias": "MESCheckOnlineVIP", "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ DisplayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck == \"All\"\n| extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",DisplayName,\"#\",userPrincipalName,\"#\",sAMAccountName),_UserToCheck);\nSearchUser\n", - "functionParameters": "UserToCheck:string = \"All\"", + "functionParameters": "UserToCheck:string='All'", "version": 2, "tags": [ { 
@@ -1169,7 +1169,7 @@ "[variables('parserObject4')._parserId4]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser-for-VIP-Check-for-Exchange-Online')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP')]", "contentId": "[variables('parserObject4').parserContentId4]", "kind": "Parser", "version": "[variables('parserObject4').parserVersion4]", @@ -1198,7 +1198,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject4').parserContentId4]", "contentKind": "Parser", - "displayName": "Parser for VIP Check for Exchange Online", + "displayName": "MESCheckOnlineVIP", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]", "version": "[variables('parserObject4').parserVersion4]" 
@@ -1215,7 +1215,7 @@ "category": "Microsoft Sentinel Parser", "functionAlias": "MESCheckOnlineVIP", "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ DisplayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck == \"All\"\n| extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",DisplayName,\"#\",userPrincipalName,\"#\",sAMAccountName),_UserToCheck);\nSearchUser\n", - "functionParameters": "UserToCheck:string = \"All\"", + "functionParameters": "UserToCheck:string='All'", "version": 2, "tags": [ { @@ -1234,7 +1234,7 @@ "[variables('parserObject4')._parserId4]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser-for-VIP-Check-for-Exchange-Online')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP')]", "contentId": "[variables('parserObject4').parserContentId4]", "kind": "Parser", "version": "[variables('parserObject4').parserVersion4]", 
@@ -1263,7 +1263,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MESCompareDataMRA Data Parser with template version 3.1.2", + "description": "MESCompareDataMRA Data Parser with template version 3.1.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject5').parserVersion5]", 
@@ -1281,7 +1281,7 @@ "category": "Microsoft Sentinel Parser", "functionAlias": "MESCompareDataMRA", "query": "// Version: 1.0.0\n// Last Updated: 25/02/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n 
ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = 
tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeOnlineConfig_CL\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = 
tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", 
prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), 
Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope,\n RecipientWriteScope,\n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n", - "functionParameters": "SectionCompare:string = \"\",DateCompare:string = \"lastupdate\",CurrentDate:string = \"lastudpate\",EnvList:string = \"All\",TypeEnv:string = \"Online\",CurrentRole:string = \"\",ExclusionsAcct:dynamic = dynamic(\"\")", + "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')", "version": 2, "tags": [ { @@ -1299,7 +1299,7 @@ "[variables('parserObject5')._parserId5]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser-for-MRA-Configuration-Data-Comparison')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA')]", "contentId": "[variables('parserObject5').parserContentId5]", "kind": "Parser", "version": "[variables('parserObject5').parserVersion5]", 
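Review bot: The new default `DateCompare:string='lastdate'` does not make a default invocation produce a comparison, because the unchanged line `let _DateCompareB = todatetime(DateCompare);` still yields null for that string, and `allDataRange`'s `where TimeGenerated between (_DateCompareB .. _CurrentDateB)` then appears to drop every row; the old `'lastupdate'`/`'lastudpate'` values had the same effect, so only the spelling has been fixed. `_CurrentDateB` is derived from `_currD` (max `TimeGenerated` of the `ExchangeConfiguration(...)` result) when `CurrentDate` is `'lastdate'`, and `_DateCompareB` presumably needs the same treatment when `_DateCompare == 'lastdate'`, resolving the sentinel before `todatetime`. The identical `functionParameters` line is repeated in @@ -1345, and the query body is unchanged in both hunks.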
@@ -1328,7 +1328,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject5').parserContentId5]", "contentKind": "Parser", - "displayName": "Parser for MRA Configuration Data Comparison", + "displayName": "MESCompareDataMRA", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", "version": "[variables('parserObject5').parserVersion5]" 
@@ -1345,7 +1345,7 @@ "category": "Microsoft Sentinel Parser", "functionAlias": "MESCompareDataMRA", "query": "// Version: 1.0.0\n// Last Updated: 25/02/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n 
ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = 
tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeOnlineConfig_CL\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = 
tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", 
prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), 
Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope,\n RecipientWriteScope,\n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n", - "functionParameters": "SectionCompare:string = \"\",DateCompare:string = \"lastupdate\",CurrentDate:string = \"lastudpate\",EnvList:string = \"All\",TypeEnv:string = \"Online\",CurrentRole:string = \"\",ExclusionsAcct:dynamic = dynamic(\"\")", + "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')", "version": 2, "tags": [ { @@ -1364,7 +1364,7 @@ "[variables('parserObject5')._parserId5]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser-for-MRA-Configuration-Data-Comparison')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA')]", "contentId": "[variables('parserObject5').parserContentId5]", "kind": "Parser", "version": "[variables('parserObject5').parserVersion5]", @@ -1393,7 +1393,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MESOfficeActivityLogs Data Parser with template version 3.1.2", + "description": "MESOfficeActivityLogs Data Parser with template version 3.1.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject6').parserVersion6]", 
@@ -1429,7 +1429,7 @@ "[variables('parserObject6')._parserId6]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser-for-Office-Activity-Logs')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs')]", "contentId": "[variables('parserObject6').parserContentId6]", "kind": "Parser", "version": "[variables('parserObject6').parserVersion6]", @@ -1458,7 +1458,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject6').parserContentId6]", "contentKind": "Parser", - "displayName": "Parser for Office Activity Logs", + "displayName": "MESOfficeActivityLogs", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject6').parserContentId6,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject6').parserContentId6,'-', '1.0.0')))]", "version": "[variables('parserObject6').parserVersion6]" @@ -1494,7 +1494,7 @@ "[variables('parserObject6')._parserId6]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser-for-Office-Activity-Logs')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs')]", "contentId": "[variables('parserObject6').parserContentId6]", "kind": "Parser", "version": "[variables('parserObject6').parserVersion6]", 
@@ -1523,7 +1523,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Least Privilege with RBAC - Online Workbook with template version 3.1.2", + "description": "Microsoft Exchange Least Privilege with RBAC - Online Workbook with template version 3.1.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -1610,7 +1610,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Security Review - Online Workbook with template version 3.1.2", + "description": "Microsoft Exchange Security Review - Online Workbook with template version 3.1.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -1697,7 +1697,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Admin Activity - Online Workbook with template version 3.1.2", + "description": "Microsoft Exchange Admin Activity - Online Workbook with template version 3.1.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion3')]", 
@@ -1784,7 +1784,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Search AdminAuditLog - Online Workbook with template version 3.1.2", + "description": "Microsoft Exchange Search AdminAuditLog - Online Workbook with template version 3.1.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion4')]", @@ -1885,7 +1885,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.1.2", + "version": "3.1.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Microsoft Exchange Security - Exchange Online", @@ -1972,7 +1972,7 @@ { "kind": "Watchlist", "contentId": "[variables('_Exchange Online VIP')]", - "version": "3.1.2" + "version": "3.1.3" } ] }, diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/ExchangeConfiguration.yaml b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/ExchangeConfiguration.yaml index e7aa831e0c..3198beb4b9 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/ExchangeConfiguration.yaml +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/ExchangeConfiguration.yaml 
@@ -10,19 +10,19 @@ FunctionParams:
 - Name: SpecificSectionList
 Type: string
 Description: The list of section to query. Default is all.
- DefaultValue: ''
+ Default: ''
 - Name: SpecificConfigurationDate
 Type: string
 Description: The date to query. Default is last 7 days.
- DefaultValue: 'lastdate'
+ Default: 'lastdate'
 - Name: SpecificConfigurationEnv
 Type: string
 Description: The environment to query. Default is all.
- DefaultValue: 'All'
+ Default: 'All'
 - Name: Target
 Type: string
 Description: The target environment to query. Valid values are "On-Premises" or "Online". Default is "On-Premises".
- DefaultValue: 'On-Premises'
+ Default: 'On-Premises'
 FunctionQuery: |
 // Version: 1.6.1
 // Last Updated: 19/12/2023
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/ExchangeEnvironmentList.yaml b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/ExchangeEnvironmentList.yaml
index 5af32170e7..3cd3ef583d 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/ExchangeEnvironmentList.yaml
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/ExchangeEnvironmentList.yaml
@@ -10,7 +10,7 @@ FunctionParams:
 - Name: Target
 Type: string
 Description: The target environment to query. Valid values are "On-Premises" or "Online". Default is "On-Premises".
- DefaultValue: 'On-Premises'
+ Default: 'On-Premises'
 FunctionQuery: |
 // Parameters simulation
 // If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckOnlineVIP.yaml b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckOnlineVIP.yaml
index 8bf5f86c41..617031e51b 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckOnlineVIP.yaml
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckOnlineVIP.yaml
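Review bot: The renamed `Default: 'lastdate'` for `SpecificConfigurationDate` now sits directly under a Description that still reads `Default is last 7 days.`, so the parameter documentation contradicts the value the packaging tool will emit. Suggest `Description: The date to query. Default is 'lastdate'.` so the two lines agree; the description for `Target` in the ExchangeEnvironmentList.yaml hunk already matches its default and needs no change.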
@@ -10,7 +10,7 @@ FunctionParams:
 - Name: UserToCheck
 Type: string
 Description: The user to verifiy if is a VIP or not. Default value is "all".
- DefaultValue: 'All'
+ Default: 'All'
 FunctionQuery: |
 //let UserToCheck = "SampleEntry";
 let _UserToCheck = iif(UserToCheck == "" or UserToCheck == "All","All",tolower(UserToCheck));
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckVIP.yaml b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckVIP.yaml
index 701b9dbffb..f242d0c9b1 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckVIP.yaml
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckVIP.yaml
@@ -10,7 +10,7 @@ FunctionParams:
 - Name: UserToCheck
 Type: string
 Description: The user to verifiy if is a VIP or not. Default value is "all".
- DefaultValue: 'All'
+ Default: 'All'
 FunctionQuery: |
 //let UserToCheck = "SampleEntry";
 let _UserToCheck = iif(UserToCheck == "" or UserToCheck == "All","All",tolower(UserToCheck));
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml
index a6513ffda1..8f5b3cd4e4 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml
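Review bot: The description above the new `Default: 'All'` says the default is `"all"`, but the query's sentinel check `UserToCheck == "All"` is case-sensitive, so a caller who follows the description and passes `all` gets it lower-cased and matched against the watchlist as a user name instead of the all-users path. Either correct the text to `Description: The user to verify as VIP. Default value is 'All' (case-sensitive).` or make the check tolerant with `UserToCheck =~ "All"` on the `let _UserToCheck` line so the documented spelling works. The MESCheckVIP.yaml hunk carries the same description and the same comparison.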
@@ -10,31 +10,31 @@ FunctionParams:
 - Name: SectionCompare
 Type: string
 Description: The Section to compare. Default value is "".
- DefaultValue: ''
+ Default: ''
 - Name: DateCompare
 Type: string
 Description: The date of the source comparison. Default value is "lastdate".
- DefaultValue: 'lastdate'
+ Default: 'lastdate'
 - Name: CurrentDate
 Type: string
 Description: The date of the target comparison. Default value is "lastdate".
- DefaultValue: 'lastdate'
+ Default: 'lastdate'
 - Name: EnvList
 Type: string
 Description: List of environments to compare. Default value is "All".
- DefaultValue: 'All'
+ Default: 'All'
 - Name: TypeEnv
 Type: string
 Description: Type of environment to compare. Default value is "Online".
- DefaultValue: 'Online'
+ Default: 'Online'
 - Name: CurrentRole
 Type: string
 Description: A specific role to compare. Default value is "".
- DefaultValue: ''
+ Default: ''
 - Name: ExclusionsAcct
 Type: dynamic
 Description: List of actors to exclude. Default value is "dynamic('')".
- DefaultValue: dynamic('')
+ Default: dynamic('')
 FunctionQuery: |
 // Version: 1.0.0
 // Last Updated: 25/02/2024
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md b/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md
index 84bc3bbf1a..9c7df326ab 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.1.3 | 25-04-2024 | Repackaged for parser issue with old names |
 | 3.1.2 | 18-04-2024 | Repackaged for parser issue while update |
 | 3.1.1 | 19-03-2024 | Manually updated package content |
 | 3.0.5 | 20-02-2024 | Correct DataConnector last Log indicator |
diff --git a/Solutions/Okta Single Sign-On/Package/3.0.7.zip b/Solutions/Okta Single Sign-On/Package/3.0.7.zip
new file mode 100644
index 0000000000..d70377f9b7
Binary files /dev/null and b/Solutions/Okta Single Sign-On/Package/3.0.7.zip differ
diff --git a/Solutions/Okta Single Sign-On/Package/mainTemplate.json b/Solutions/Okta Single Sign-On/Package/mainTemplate.json
index 4a44ac2fe2..4c93e8368a 100644
--- a/Solutions/Okta Single Sign-On/Package/mainTemplate.json
+++ b/Solutions/Okta Single Sign-On/Package/mainTemplate.json
@@ -55,7 +55,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Okta Single Sign-On",
- "_solutionVersion": "3.0.6",
+ "_solutionVersion": "3.0.7",
 "solutionId": "azuresentinel.azure-sentinel-solution-okta",
 "_solutionId": "[variables('solutionId')]",
 "analyticRuleObject1": {
@@ -227,10 +227,10 @@
 "_workbookContentId1": "[variables('workbookContentId1')]",
 "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
 "parserObject1": {
- "_parserName1": "[concat(parameters('workspace'),'/','Backward-Compatibility-Parser-for-Okta-SSO')]",
- "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Backward-Compatibility-Parser-for-Okta-SSO')]",
+ "_parserName1": "[concat(parameters('workspace'),'/','OktaSSO')]",
+ "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OktaSSO')]",
 "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('OktaSSO-Parser')))]",
- "parserVersion1": "1.0.0",
+ "parserVersion1": "1.0.1",
 "parserContentId1": "OktaSSO-Parser"
 },
 "SessionId": "authenticationContext_externalSessionId_s",
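Review bot: Changing `_parserName1`/`_parserId1` from `Backward-Compatibility-Parser-for-Okta-SSO` to `OktaSSO` changes the identity of the savedSearches resource, not just its version, so a workspace that already has the 3.0.6 parser installed will on upgrade receive a second saved search whose `functionAlias` is also `OktaSSO` unless something outside this template removes the old one; incremental ARM deployments do not delete resources that disappear from a template, so this deserves an upgrade test against a workspace with 3.0.6 deployed. The parser's `displayName` at -6252 still reads `Backward Compatibility Parser for Okta SSO` while the resource is now named `OktaSSO`; if the rename is intentional the display name should probably follow, e.g. `"displayName": "OktaSSO"`, or the mismatch should be explained alongside the `parserVersion1` bump to `1.0.1`.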
@@ -247,7 +247,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -275,16 +275,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "OktaSSO",
 "dataTypes": [
 "Okta_CL"
- ],
- "connectorId": "OktaSSO"
+ ]
 },
 {
+ "connectorId": "OktaSSOv2",
 "dataTypes": [
 "OktaSSO"
- ],
- "connectorId": "OktaSSOv2"
+ ]
 }
 ],
 "tactics": [
@@ -295,22 +295,22 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "columnName": "IPCustomEntity",
 "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -366,7 +366,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -394,16 +394,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "OktaSSO",
 "dataTypes": [
 "Okta_CL"
- ],
- "connectorId": "OktaSSO"
+ ]
 },
 {
+ "connectorId": "OktaSSOv2",
 "dataTypes": [
 "OktaSSO"
- ],
- "connectorId": "OktaSSOv2"
+ ]
 }
 ],
 "tactics": [
@@ -414,13 +414,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Account"
 }
 ]
 }
@@ -476,7 +476,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -504,16 +504,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "OktaSSO",
 "dataTypes": [
 "Okta_CL"
- ],
- "connectorId": "OktaSSO"
+ ]
 },
 {
+ "connectorId": "OktaSSOv2",
 "dataTypes": [
 "OktaSSO"
- ],
- "connectorId": "OktaSSOv2"
+ ]
 }
 ],
 "tactics": [
@@ -524,13 +524,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "columnName": "IPCustomEntity",
 "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -586,7 +586,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -614,16 +614,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "OktaSSO",
 "dataTypes": [
 "Okta_CL"
- ],
- "connectorId": "OktaSSO"
+ ]
 },
 {
+ "connectorId": "OktaSSOv2",
 "dataTypes": [
 "OktaSSO"
- ],
- "connectorId": "OktaSSOv2"
+ ]
 }
 ],
 "tactics": [
@@ -634,7 +634,6 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "actor_alternateId_s",
@@ -644,16 +643,17 @@
 "columnName": "actor_displayName_s",
 "identifier": "DisplayName"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "columnName": "client_ipAddress_s",
 "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ],
 "customDetails": {
@@ -713,7 +713,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -741,16 +741,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "OktaSSO",
 "dataTypes": [
 "Okta_CL"
- ],
- "connectorId": "OktaSSO"
+ ]
 },
 {
+ "connectorId": "OktaSSOv2",
 "dataTypes": [
 "OktaSSO"
- ],
- "connectorId": "OktaSSOv2"
+ ]
 }
 ],
 "tactics": [
@@ -763,7 +763,6 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "actor_alternateId_s",
@@ -773,16 +772,17 @@
 "columnName": "actor_displayName_s",
 "identifier": "DisplayName"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "columnName": "client_ipAddress_s",
 "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ],
 "customDetails": {
@@ -846,7 +846,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -874,16 +874,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "OktaSSO",
 "dataTypes": [
 "Okta_CL"
- ],
- "connectorId": "OktaSSO"
+ ]
 },
 {
+ "connectorId": "OktaSSOv2",
 "dataTypes": [
 "OktaSSO"
- ],
- "connectorId": "OktaSSOv2"
+ ]
 }
 ],
 "tactics": [
@@ -894,7 +894,6 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "actor_alternateId_s",
@@ -904,7 +903,8 @@
 "columnName": "actor_displayName_s",
 "identifier": "DisplayName"
 }
- ]
+ ],
+ "entityType": "Account"
 }
 ]
 }
@@ -960,7 +960,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -988,16 +988,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "OktaSSO",
 "dataTypes": [
 "Okta_CL"
- ],
- "connectorId": "OktaSSO"
+ ]
 },
 {
+ "connectorId": "OktaSSOv2",
 "dataTypes": [
 "OktaSSO"
- ],
- "connectorId": "OktaSSOv2"
+ ]
 }
 ],
 "tactics": [
@@ -1008,7 +1008,6 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "actor_alternateId_s",
@@ -1018,16 +1017,17 @@
 "columnName": "actor_displayName_s",
 "identifier": "DisplayName"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "columnName": "client_ipAddress_s",
 "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ],
 "customDetails": {
@@ -1086,7 +1086,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -1114,16 +1114,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "OktaSSO",
 "dataTypes": [
 "Okta_CL"
- ],
- "connectorId": "OktaSSO"
+ ]
 },
 {
+ "connectorId": "OktaSSOv2",
 "dataTypes": [
 "OktaSSO"
- ],
- "connectorId": "OktaSSOv2"
+ ]
 }
 ],
 "tactics": [
@@ -1134,7 +1134,6 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "actor_alternateId_s",
@@ -1144,16 +1143,17 @@
 "columnName": "actor_displayName_s",
 "identifier": "DisplayName"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "columnName": "client_ipAddress_s",
 "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -1209,7 +1209,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -1237,16 +1237,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "OktaSSO",
 "dataTypes": [
 "Okta_CL"
- ],
- "connectorId": "OktaSSO"
+ ]
 },
 {
+ "connectorId": "OktaSSOv2",
 "dataTypes": [
 "OktaSSO"
- ],
- "connectorId": "OktaSSOv2"
+ ]
 }
 ],
 "tactics": [
@@ -1261,7 +1261,6 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "actor_alternateId_s",
@@ -1271,7 +1270,8 @@
 "columnName": "actor_displayName_s",
 "identifier": "DisplayName"
 }
- ]
+ ],
+ "entityType": "Account"
 }
 ]
 }
@@ -1327,7 +1327,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Okta Single Sign-On data connector with template version 3.0.6",
+ "description": "Okta Single Sign-On data connector with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -2677,7 +2677,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.0.6",
+ "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -2762,7 +2762,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.0.6",
+ "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -2847,7 +2847,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.0.6",
+ "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -2932,7 +2932,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.0.6",
+ "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -3017,7 +3017,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.0.6",
+ "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -3102,7 +3102,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.0.6",
+ "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -3187,7 +3187,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.0.6",
+ "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -3272,7 +3272,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.0.6",
+ "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -3357,7 +3357,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.0.6",
+ "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -3442,7 +3442,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.0.6",
+ "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -3527,7 +3527,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OktaCustomConnector Playbook with template version 3.0.6",
+ "description": "OktaCustomConnector Playbook with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion1')]",
@@ -3579,8 +3579,7 @@
 "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
 "playbookContentId1": "OktaCustomConnector",
 "playbookId1": "[[resourceId('Microsoft.Web/customApis', parameters('CustomConnectorName'))]",
- "workspace-name": "[parameters('workspace')]",
- "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ "workspace-name": "[parameters('workspace')]"
 },
 "resources": [
 {
@@ -4790,7 +4789,7 @@
 ],
 "metadata": {
 "comments": "This OKTA connector uses okta API to perform different actions on the user accounts.",
- "lastUpdateTime": "2024-04-18T14:40:54.954Z",
+ "lastUpdateTime": "2024-04-25T22:06:10.374Z",
 "releaseNotes": {
 "version": "1.0",
 "title": "[variables('blanks')]",
@@ -4822,7 +4821,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.0.6",
+ "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion2')]",
@@ -4850,8 +4849,7 @@
 "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
 "_connection-2": "[[variables('connection-2')]",
 "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
- "workspace-name": "[parameters('workspace')]",
- "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ "workspace-name": "[parameters('workspace')]"
 },
 "resources": [
 {
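Review bot: The `workspaceResourceId` variable is removed from the OktaCustomConnector playbook's nested template at -3579 with no visible replacement, whereas the other three playbooks (-4850 together with -4888, -5226 with -5275, -5684 with -5733) inline `[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]` at the place the variable used to be read. If any resource in the OktaCustomConnector section still carries `"[[variables('workspaceResourceId')]"`, that reference now points at an undefined variable and the nested deployment fails at template validation; such a reference would sit outside this hunk, so it cannot be confirmed from the diff. Worth a search of the OktaCustomConnector resources for `workspaceResourceId` before the 3.0.7 package ships; if the variable really was unused there, the asymmetry with the other playbooks is fine and deserves only a mention in the release notes.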
@@ -4888,7 +4886,7 @@
 "hidden-SentinelTemplateName": "UserEnrichment-Okta",
 "hidden-SentinelTemplateVersion": "1.0",
 "LogicAppsCategory": "security",
- "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ "hidden-SentinelWorkspaceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
 },
 "identity": {
 "type": "SystemAssigned"
@@ -5181,7 +5179,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Okta-PromptUser Playbook with template version 3.0.6",
+ "description": "Okta-PromptUser Playbook with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion3')]",
@@ -5226,8 +5224,7 @@
 "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]",
 "_connection-3": "[[variables('connection-3')]",
 "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
- "workspace-name": "[parameters('workspace')]",
- "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ "workspace-name": "[parameters('workspace')]"
 },
 "resources": [
 {
@@ -5275,7 +5272,7 @@
 "hidden-SentinelTemplateName": "PromptUser-Okta",
 "hidden-SentinelTemplateVersion": "1.0",
 "LogicAppsCategory": "security",
- "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ "hidden-SentinelWorkspaceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
 },
 "identity": {
 "type": "SystemAssigned"
@@ -5632,7 +5629,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Okta-ResponseFromTeams Playbook with template version 3.0.6",
+ "description": "Okta-ResponseFromTeams Playbook with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion4')]",
@@ -5684,8 +5681,7 @@
 "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]",
 "_connection-3": "[[variables('connection-3')]",
 "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
- "workspace-name": "[parameters('workspace')]",
- "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ "workspace-name": "[parameters('workspace')]"
 },
 "resources": [
 {
@@ -5733,7 +5729,7 @@
 "hidden-SentinelTemplateName": "ResponseOnOktaUserTeams-Okta",
 "hidden-SentinelTemplateVersion": "1.0",
 "LogicAppsCategory": "security",
- "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ "hidden-SentinelWorkspaceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
 },
 "identity": {
 "type": "SystemAssigned"
@@ -6139,7 +6135,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OktaSingleSignOn Workbook with template version 3.0.6",
+ "description": "OktaSingleSignOn Workbook with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -6235,7 +6231,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OktaSSO Data Parser with template version 3.0.6",
+ "description": "OktaSSO Data Parser with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -6252,7 +6248,7 @@ "displayName": "Backward Compatibility Parser for Okta SSO", "category": "Microsoft Sentinel Parser", "functionAlias": "OktaSSO", - "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n)[];\nlet Oktav2 = OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n actor_displayName_s=ActorDisplayName,\n 
actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = 
Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", + "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n )[];\n let Oktav2_empty = datatable(\n TimeGenerated:datetime,\n OriginalActorAlternateId:string,\n ActorDetailEntry:string,\n ActorDisplayName:string,\n OriginalUserId:string,\n OriginalUserType:string,\n AuthenticationContextAuthenticationProvider:string,\n 
AuthenticationContextAuthenticationStep: real,\n AuthenticationContextCredentialProvider: string,\n LogonMethod: string,\n ActorSessionId: string,\n AuthenticationContextInterface:string,\n AuthenticationContextIssuerId:string,\n AuthenticationContextIssuerType:string,\n OriginalClientDevice:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude: double,\n SrcGeoLongtitude: double,\n SrcGeoPostalCode: string,\n SrcGeoRegion: string,\n SrcDvcId: string,\n SrcIpAddr: string,\n ActingAppName: string,\n SrcDvcOs: string,\n HttpUserAgent: string,\n SrcZone: string,\n DebugData: string,\n EventMessage: string,\n EventOriginalType: string,\n LegacyEventType: string,\n EventOriginalUid: string,\n EventOriginalResultDetails: string,\n OriginalOutcomeResult: string,\n Request: string,\n SecurityContextAsNumber: real,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SrcIsp: string,\n SecurityContextIsProxy: bool,\n OriginalSeverity: string,\n OriginalTarget: string,\n TransactionDetail: string,\n TransactionId: string,\n TransactionType: string,\n Version: string\n)[];\nlet Oktav2 = union isfuzzy=true Oktav2_empty, OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n actor_displayName_s=ActorDisplayName,\n actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n 
client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", "functionParameters": "", "version": 2, "tags": [ @@ -6271,7 +6267,7 @@ "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Backward-Compatibility-Parser-for-Okta-SSO')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OktaSSO')]", "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", "version": "[variables('parserObject1').parserVersion1]", 
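Review bot: The new `Oktav2_empty` datatable declares `ActorDetailEntry`, `DebugData`, `Request`, `OriginalTarget` and `TransactionDetail` as `string` while the projection still wraps each of them in `tostring()`, which suggests the live `OktaV2_CL` columns are `dynamic`; `union isfuzzy=true` does not coerce types, so when the declared and stored types differ Kusto emits suffixed columns (`ActorDetailEntry_string` / `ActorDetailEntry_dynamic`) and the following `project` fails as soon as real data arrives, i.e. exactly the case the empty-table guard was added to protect. The same applies to `AuthenticationContextAuthenticationStep` and `SecurityContextAsNumber`, declared `real` yet still passed through `toreal()`. The declared types need to match the table schema from the DCR exactly, e.g. `ActorDetailEntry: dynamic,` for each `tostring()`-wrapped column, or the now-redundant casts should be dropped if `string`/`real` really is the stored type. This is inferred from the casts alone, so verify against the deployed table before merging.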
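Review bot: The metadata `parentId` now points at a saved search named `OktaSSO`, but the savedSearches resource it is meant to describe still carries `"displayName": "Backward Compatibility Parser for Okta SSO"`, and its resource `name` comes from `variables('parserObject1')._parserName1`, which is outside this hunk. The Sophos template in this same commit renames `_parserName1`/`_parserId1` together with the `parentId`; if the Okta variables were not updated the same way, the metadata entry references a saved search that is never created and the content-hub parser shows as missing. Please confirm `_parserName1` resolves to `OktaSSO`, or change the `parentId` to `[variables('parserObject1')._parserId1]` so the two cannot drift.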
@@ -6301,9 +6297,9 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", - "displayName": "Backward Compatibility Parser for Okta SSO", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "displayName": "OktaSSO", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.1')))]", "version": "[variables('parserObject1').parserVersion1]" } }, 
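Review bot: The `'1.0.1'` literal at the end of the `uniqueString()` input for `contentProductId` and `id` is hand-maintained while the sibling `version` field is taken from `variables('parserObject1').parserVersion1`, so the two must now be bumped together by hand; bumping the literal also changes the product id the parser was registered under in 3.0.6, which may leave the previous entry behind on workspaces that upgrade in place. Consider deriving both from the same variable, e.g. `uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', variables('parserObject1').parserVersion1))`. Separately, the content-hub `displayName` becomes `OktaSSO` here while the saved search itself keeps "Backward Compatibility Parser for Okta SSO", so the same parser shows under two names; aligning them would avoid confusion for operators.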
@@ -6317,7 +6313,7 @@ "displayName": "Backward Compatibility Parser for Okta SSO", "category": "Microsoft Sentinel Parser", "functionAlias": "OktaSSO", - "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n)[];\nlet Oktav2 = OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n actor_displayName_s=ActorDisplayName,\n 
actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = 
Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", + "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n )[];\n let Oktav2_empty = datatable(\n TimeGenerated:datetime,\n OriginalActorAlternateId:string,\n ActorDetailEntry:string,\n ActorDisplayName:string,\n OriginalUserId:string,\n OriginalUserType:string,\n AuthenticationContextAuthenticationProvider:string,\n 
AuthenticationContextAuthenticationStep: real,\n AuthenticationContextCredentialProvider: string,\n LogonMethod: string,\n ActorSessionId: string,\n AuthenticationContextInterface:string,\n AuthenticationContextIssuerId:string,\n AuthenticationContextIssuerType:string,\n OriginalClientDevice:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude: double,\n SrcGeoLongtitude: double,\n SrcGeoPostalCode: string,\n SrcGeoRegion: string,\n SrcDvcId: string,\n SrcIpAddr: string,\n ActingAppName: string,\n SrcDvcOs: string,\n HttpUserAgent: string,\n SrcZone: string,\n DebugData: string,\n EventMessage: string,\n EventOriginalType: string,\n LegacyEventType: string,\n EventOriginalUid: string,\n EventOriginalResultDetails: string,\n OriginalOutcomeResult: string,\n Request: string,\n SecurityContextAsNumber: real,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SrcIsp: string,\n SecurityContextIsProxy: bool,\n OriginalSeverity: string,\n OriginalTarget: string,\n TransactionDetail: string,\n TransactionId: string,\n TransactionType: string,\n Version: string\n)[];\nlet Oktav2 = union isfuzzy=true Oktav2_empty, OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n actor_displayName_s=ActorDisplayName,\n actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n 
client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", "functionParameters": "", "version": 2, "tags": [ @@ -6337,7 +6333,7 @@ "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Backward-Compatibility-Parser-for-Okta-SSO')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OktaSSO')]", "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", "version": "[variables('parserObject1').parserVersion1]", 
@@ -6363,7 +6359,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.6", + "version": "3.0.7", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Okta Single Sign-On", diff --git a/Solutions/Okta Single Sign-On/ReleaseNotes.md b/Solutions/Okta Single Sign-On/ReleaseNotes.md index f224aa5942..04dc1e847f 100644 --- a/Solutions/Okta Single Sign-On/ReleaseNotes.md +++ b/Solutions/Okta Single Sign-On/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------------------------| +| 3.0.7 | 25-04-2024 | Repackaged for parser issue with old names | | 3.0.6 | 17-04-2024 | Repackaged solution for parser fix | | 3.0.5 | 08-04-2024 | Added Azure Deploy button for government portal deployments | | 3.0.4 | 18-03-2024 | Updated description in data file, data connector and added logo for ccp data connector | diff --git a/Solutions/Okta Single Sign-On/data/Solution_Okta.json b/Solutions/Okta Single Sign-On/data/Solution_Okta.json index d7ae8cbee4..3492166c3c 100644 --- a/Solutions/Okta Single Sign-On/data/Solution_Okta.json +++ b/Solutions/Okta Single Sign-On/data/Solution_Okta.json @@ -44,7 +44,7 @@ ], "Metadata": "SolutionMetadata.json", "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Okta Single Sign-On\\", - "Version": "3.0.6", + "Version": "3.0.7", "TemplateSpec": true, "Is1PConnector": false } \ No newline at end of file diff --git a/Solutions/Sophos Endpoint Protection/Package/3.0.3.zip b/Solutions/Sophos Endpoint Protection/Package/3.0.3.zip new file mode 100644 index 0000000000..20585d5fd0 Binary files /dev/null and b/Solutions/Sophos Endpoint Protection/Package/3.0.3.zip differ 
diff --git a/Solutions/Sophos Endpoint Protection/Package/mainTemplate.json b/Solutions/Sophos Endpoint Protection/Package/mainTemplate.json index df143bc31f..ca56cb8220 100644 --- a/Solutions/Sophos Endpoint Protection/Package/mainTemplate.json +++ b/Solutions/Sophos Endpoint Protection/Package/mainTemplate.json @@ -47,12 +47,12 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Sophos Endpoint Protection", - "_solutionVersion": "3.0.2", + "_solutionVersion": "3.0.3", "solutionId": "azuresentinel.azure-sentinel-solution-sophosep", "_solutionId": "[variables('solutionId')]", "parserObject1": { - "_parserName1": "[concat(parameters('workspace'),'/','Parser for SophosEPEvent')]", - "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for SophosEPEvent')]", + "_parserName1": "[concat(parameters('workspace'),'/','Sophos Endpoint Protection Data Parser')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Sophos Endpoint Protection Data Parser')]", "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('SophosEPEvent-Parser')))]", "parserVersion1": "2.0.1", "parserContentId1": "SophosEPEvent-Parser" @@ -84,7 +84,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SophosEPEvent Data Parser with template version 3.0.2", + "description": "SophosEPEvent Data Parser with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
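Review bot: Renaming the savedSearches resource from `Parser for SophosEPEvent` to `Sophos Endpoint Protection Data Parser` in `_parserName1`/`_parserId1` creates a new saved search on upgrade instead of updating the existing one; workspaces that deployed 3.0.2 will keep the old resource, and because both would carry the same `functionAlias` the new deployment may fail on the duplicate alias or leave a stale second copy of the function behind. The release note ("Repackaged for parser issue with old names") does not tell operators whether to remove the old saved search first. Suggest adding an explicit upgrade step to ReleaseNotes.md, e.g. `When upgrading from 3.0.2, delete the existing 'Parser for SophosEPEvent' saved search before deploying`, or confirming that the deployment tolerates the existing alias. The variables block continues outside this hunk.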
@@ -120,7 +120,7 @@ "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for SophosEPEvent')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Sophos Endpoint Protection Data Parser')]", "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", "version": "[variables('parserObject1').parserVersion1]", @@ -186,7 +186,7 @@ "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for SophosEPEvent')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Sophos Endpoint Protection Data Parser')]", "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", "version": "[variables('parserObject1').parserVersion1]", @@ -216,7 +216,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Sophos Endpoint Protection data connector with template version 3.0.2", + "description": "Sophos Endpoint Protection data connector with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -1303,7 +1303,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Sophos Endpoint Protection", 
diff --git a/Solutions/Sophos Endpoint Protection/ReleaseNotes.md b/Solutions/Sophos Endpoint Protection/ReleaseNotes.md index 4a58501354..0eba3c66a3 100644 --- a/Solutions/Sophos Endpoint Protection/ReleaseNotes.md +++ b/Solutions/Sophos Endpoint Protection/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.3 | 25-04-2024 | Repackaged for parser issue with old names | | 3.0.2 | 12-04-2024 | Repackaged for parser fix in solution package | | 3.0.1 | 12-03-2024 | Updated Sophos Endpoint **Function App** and **Parser**
Added new CCP **Data Connector** | | 3.0.0 | 14-08-2023 | Manual deployment instructions updated for **Data Connector** |