Merge pull request #3055 from adarshb20/master

Awake Security - Azure Sentinel Solution
2021-10-06 22:39:57 -07:00 · 2021-10-06 22:39:57 -07:00 · 23492a92a6
--- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
+++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@ -6,6 +6,7 @@
  "AlcideKAudit",
  "AlsidForAD",
  "ApacheHTTPServer",
+  "AristaAwakeSecurity",
  "ArubaClearPass",
  "AzureActiveDirectory",
  "AzureActiveDirectoryIdentityProtection",
--- a/Logos/AristaAwakeSecurity.svg
+++ b/Logos/AristaAwakeSecurity.svg
@ -0,0 +1,24 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1147.36 765.39">
+  <defs>
+    <style>.cls-1{fill:#352e92;}.cls-2{fill:#6c60ec;}</style>
+  </defs>
+  <g id="1828d4cc-f19f-4f85-90ff-72abc847eafe">
+    <path class="cls-1" d="M873.11,454a10.56,10.56,0,0,1-10.56-10.56V323.3a10.56,10.56,0,1,1,21.12,0V443.46A10.56,10.56,0,0,1,873.11,454Z"/>
+    <path class="cls-2" d="M948.43,393.94H873.11a10.56,10.56,0,0,1,0-21.12h75.32a10.56,10.56,0,1,1,0,21.12Z"/>
+    <path class="cls-2" d="M873.11,333.86a10.56,10.56,0,0,1,0-21.12l86-.15h0a10.56,10.56,0,0,1,0,21.12l-86.06.15Z"/>
+    <path class="cls-2" d="M873.11,454.16a10.56,10.56,0,0,1,0-21.12l86-.14h0a10.56,10.56,0,0,1,0,21.12l-86.06.14Z"/>
+    <path class="cls-1" d="M375.8,453.89a10.56,10.56,0,0,1-9.91-6.91L321.54,326.82a10.56,10.56,0,0,1,19.81-7.31L385.7,439.67a10.56,10.56,0,0,1-6.25,13.56A10.67,10.67,0,0,1,375.8,453.89Z"/>
+    <path class="cls-1" d="M464.51,453.89A10.56,10.56,0,0,1,454.6,447L410.25,326.82a10.56,10.56,0,0,1,19.81-7.31l44.35,120.16a10.58,10.58,0,0,1-9.9,14.22Z"/>
+    <path class="cls-2" d="M375.8,453.89a10.45,10.45,0,0,1-3.66-.66,10.56,10.56,0,0,1-6.25-13.56l44.35-120.16a10.56,10.56,0,0,1,19.81,7.31L385.7,447A10.57,10.57,0,0,1,375.8,453.89Z"/>
+    <path class="cls-2" d="M464.51,453.89a10.45,10.45,0,0,1-3.66-.66,10.56,10.56,0,0,1-6.25-13.56L499,319.51a10.56,10.56,0,0,1,19.81,7.31L474.41,447A10.57,10.57,0,0,1,464.51,453.89Z"/>
+    <path class="cls-1" d="M291.87,453.89a10.55,10.55,0,0,1-9.7-6.39L230.36,327.34a10.56,10.56,0,0,1,19.4-8.36l51.8,120.16a10.57,10.57,0,0,1-9.69,14.75Z"/>
+    <path class="cls-2" d="M188.19,453.89a10.58,10.58,0,0,1-9.7-14.75L230.3,319a10.56,10.56,0,0,1,19.4,8.36L197.89,447.5A10.55,10.55,0,0,1,188.19,453.89Z"/>
+    <path class="cls-2" d="M275.93,417.66H203.81a10.56,10.56,0,1,1,0-21.12h72.12a10.56,10.56,0,1,1,0,21.12Z"/>
+    <path class="cls-1" d="M651.72,453.89A10.57,10.57,0,0,1,642,447.5l-51.8-120.16A10.56,10.56,0,0,1,609.6,319l51.81,120.16a10.58,10.58,0,0,1-9.69,14.75Z"/>
+    <path class="cls-2" d="M548,453.89a10.57,10.57,0,0,1-9.69-14.75L590.14,319a10.56,10.56,0,0,1,19.4,8.36L557.73,447.5A10.55,10.55,0,0,1,548,453.89Z"/>
+    <path class="cls-2" d="M635.77,417.66H563.65a10.56,10.56,0,1,1,0-21.12h72.12a10.56,10.56,0,1,1,0,21.12Z"/>
+    <path class="cls-1" d="M804.47,453.35a10.56,10.56,0,0,1-7.92-3.57l-60.32-68.17a10.56,10.56,0,0,1,15.82-14l60.32,68.17a10.57,10.57,0,0,1-7.9,17.56Z"/>
+    <path class="cls-2" d="M719.57,453.88A10.56,10.56,0,0,1,709,443.32V323.16a10.56,10.56,0,1,1,21.12,0V443.32A10.56,10.56,0,0,1,719.57,453.88Z"/>
+    <path class="cls-2" d="M719.57,408a10.56,10.56,0,0,1-7.18-18.3l81.54-75.61a10.56,10.56,0,0,1,14.36,15.48l-81.54,75.61A10.52,10.52,0,0,1,719.57,408Z"/>
+  </g>
+</svg>
--- a/Data/AristaAwakeSampleData.csv
+++ b/Data/AristaAwakeSampleData.csv
@ -0,0 +1,16 @@
+TenantId,SourceSystem,TimeGenerated [UTC],DeviceVendor,DeviceProduct,DeviceEventClassID,LogSeverity,Computer,DestinationIP,SourceIP,DeviceVersion,Activity,EventCount,DestinationHostName,SourceHostName,EventType,DeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,Type
+2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:17.084 PM",Arista Networks,Awake Security,2418947b-33a3-00a2-fdf8-5cd5d24fa1af,6,awakesecurity,178.62.72.123,192.168.122.142,4.1.1,C2: Beacons to Live Posh C2 Servers,14,advertyzing.co.uk,UnnamedDevice_7242dcd6,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%282418947b-33a3-00a2-fdf8-5cd5d24fa1af%29+%26%26+device.guid+%3D%3D+af2ea299-1fce-b38f-2cdb-a0b97242dcd6%29,DeviceUrlPath,,,,,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
+2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:17.257 PM",Arista Networks,Awake Security,2418947b-33a3-00a2-fdf8-5cd5d24fa1af,6,awakesecurity,178.62.72.123,192.168.122.142,4.1.1,C2: Beacons to Live Posh C2 Servers,14,advertyzing.co.uk,UnnamedDevice_70e180c2,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%282418947b-33a3-00a2-fdf8-5cd5d24fa1af%29+%26%26+device.guid+%3D%3D+d524960f-4da0-caeb-e34d-2e4c70e180c2%29,DeviceUrlPath,,,,,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
+2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:17.417 PM",Arista Networks,Awake Security,2418947b-33a3-00a2-fdf8-5cd5d24fa1af,6,awakesecurity,178.62.72.123,192.168.122.142,4.1.1,C2: Beacons to Live Posh C2 Servers,14,advertyzing.co.uk,UnnamedDevice_6871a55c,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%282418947b-33a3-00a2-fdf8-5cd5d24fa1af%29+%26%26+device.guid+%3D%3D+4c85e765-e60b-26bd-4979-dd056871a55c%29,DeviceUrlPath,,,,,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
+2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:17.597 PM",Arista Networks,Awake Security,2418947b-33a3-00a2-fdf8-5cd5d24fa1af,6,awakesecurity,178.62.72.123,192.168.122.142,4.1.1,C2: Beacons to Live Posh C2 Servers,14,advertyzing.co.uk,UnnamedDevice_427567e5,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%282418947b-33a3-00a2-fdf8-5cd5d24fa1af%29+%26%26+device.guid+%3D%3D+7b4353ce-5b4c-dc57-8326-e8e2427567e5%29,DeviceUrlPath,,,,,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
+2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:17.777 PM",Arista Networks,Awake Security,2418947b-33a3-00a2-fdf8-5cd5d24fa1af,6,awakesecurity,178.62.72.123,192.168.122.142,4.1.1,C2: Beacons to Live Posh C2 Servers,14,advertyzing.co.uk,UnnamedDevice_12a6a671,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%282418947b-33a3-00a2-fdf8-5cd5d24fa1af%29+%26%26+device.guid+%3D%3D+40ad6773-170c-a34e-924e-5e8f12a6a671%29,DeviceUrlPath,,,,,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
+2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:17.957 PM",Arista Networks,Awake Security,2418947b-33a3-00a2-fdf8-5cd5d24fa1af,6,awakesecurity,178.62.72.123,192.168.122.142,4.1.1,C2: Beacons to Live Posh C2 Servers,14,advertyzing.co.uk,UnnamedDevice_b5568117,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%282418947b-33a3-00a2-fdf8-5cd5d24fa1af%29+%26%26+device.guid+%3D%3D+10724290-7da1-d35c-c408-b637b5568117%29,DeviceUrlPath,,,,,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
+2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:18.137 PM",Arista Networks,Awake Security,2418947b-33a3-00a2-fdf8-5cd5d24fa1af,6,awakesecurity,178.62.72.123,192.168.122.142,4.1.1,C2: Beacons to Live Posh C2 Servers,14,advertyzing.co.uk,UnnamedDevice_9f9b8efb,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%282418947b-33a3-00a2-fdf8-5cd5d24fa1af%29+%26%26+device.guid+%3D%3D+83ec5aa5-5c3a-d8dd-bb18-cb049f9b8efb%29,DeviceUrlPath,,,,,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
+2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:18.317 PM",Arista Networks,Awake Security,76cd4c89-1e12-2503-d6f3-cc0ee809b0b6,6,awakesecurity,10.199.100.101,10.199.100.105,4.1.1,Lateral Movement: Psexec Like Activity,20,,sys8414-w10,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%2876cd4c89-1e12-2503-d6f3-cc0ee809b0b6%29+%26%26+device.guid+%3D%3D+9d21f0f5-3129-cc30-4f13-1afdfa43e2ba%29,DeviceUrlPath,,,Server,DeviceType,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
+2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:19.177 PM",Arista Networks,Awake Security,76cd4c89-1e12-2503-d6f3-cc0ee809b0b6,6,awakesecurity,10.199.100.101,10.199.100.105,4.1.1,Lateral Movement: Psexec Like Activity,20,,sys8414-w10,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%2876cd4c89-1e12-2503-d6f3-cc0ee809b0b6%29+%26%26+device.guid+%3D%3D+cec9e413-6a8f-f225-c96a-06dc134d5a6a%29,DeviceUrlPath,,,Server,DeviceType,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
+2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:19.357 PM",Arista Networks,Awake Security,fdef48bb-87e7-d60d-9a9a-175980a74154,6,awakesecurity,10.199.100.101,10.199.100.105,4.1.1,Lateral Movement: Suspicious File Creation Attempt in Windows Directory,32,,sys8414-w10,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%28fdef48bb-87e7-d60d-9a9a-175980a74154%29+%26%26+device.guid+%3D%3D+cec9e413-6a8f-f225-c96a-06dc134d5a6a%29,DeviceUrlPath,,,Server,DeviceType,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
+2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:19.537 PM",Arista Networks,Awake Security,fdef48bb-87e7-d60d-9a9a-175980a74154,6,awakesecurity,10.199.100.101,10.199.100.105,4.1.1,Lateral Movement: Suspicious File Creation Attempt in Windows Directory,32,,sys8414-w10,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%28fdef48bb-87e7-d60d-9a9a-175980a74154%29+%26%26+device.guid+%3D%3D+9d21f0f5-3129-cc30-4f13-1afdfa43e2ba%29,DeviceUrlPath,,,Server,DeviceType,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
+2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:19.717 PM",Arista Networks,Awake Security,505d0927-3b9f-b028-d15b-4192a6676bb4,5,awakesecurity,104.236.16.69,10.1.12.103,4.1.1,Download: Exe Downloaded From Ip,68,,Windows Device_b76ff469,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%28505d0927-3b9f-b028-d15b-4192a6676bb4%29+%26%26+device.guid+%3D%3D+0eb7a04f-cfcc-a8f2-2905-922ab76ff469%29,DeviceUrlPath,Windows,OperatingSystem,Windows Device,DeviceType,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
+2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:19.898 PM",Arista Networks,Awake Security,505d0927-3b9f-b028-d15b-4192a6676bb4,5,awakesecurity,93.79.152.158,192.168.122.126,4.1.1,Download: Exe Downloaded From Ip,68,,Windows Device_ad0e0147,2,1,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%28505d0927-3b9f-b028-d15b-4192a6676bb4%29+%26%26+device.guid+%3D%3D+28f3134f-f0e9-6a30-c952-bc51ad0e0147%29,DeviceUrlPath,Windows,OperatingSystem,Windows Device,DeviceType,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
+2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:20.077 PM",Arista Networks,Awake Security,505d0927-3b9f-b028-d15b-4192a6676bb4,5,awakesecurity,196.0.10.19,192.168.10.37,4.1.1,Download: Exe Downloaded From Ip,68,,UnnamedDevice_2ac7fac2,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%28505d0927-3b9f-b028-d15b-4192a6676bb4%29+%26%26+device.guid+%3D%3D+3b6edf71-c80e-b7e2-8d4c-7f0e2ac7fac2%29,DeviceUrlPath,,,,,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
+2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:20.257 PM",Arista Networks,Awake Security,505d0927-3b9f-b028-d15b-4192a6676bb4,5,awakesecurity,93.79.152.158,192.168.122.126,4.1.1,Download: Exe Downloaded From Ip,68,,Windows Device_42369b6b,2,1,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%28505d0927-3b9f-b028-d15b-4192a6676bb4%29+%26%26+device.guid+%3D%3D+ba4daf96-490f-6ffb-be47-a37b42369b6b%29,DeviceUrlPath,Windows,OperatingSystem,Windows Device,DeviceType,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
--- a/Solutions/AristaAwakeSecurity/Analytic
+++ b/Solutions/AristaAwakeSecurity/Analytic
@ -0,0 +1,64 @@
+id: 90b7ac11-dd6c-4ba1-a99b-737061873859
+name: Awake Security - High Match Counts By Device
+description: This query searches for devices with unexpectedly large number of activity match.
+severity: Medium
+requiredDataConnectors:
+  - connectorId: AristaAwakeSecurity
+    dataTypes:
+      - CommonSecurityLog (AwakeSecurity)
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics: []
+relevantTechniques: []
+query: |
+  CommonSecurityLog
+  | where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security"
+  | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
+    DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName
+  | where ModelMatchCount > 1000 and MaxSeverity > 2
+  | extend SeverityName=iff(MaxSeverity == 0, "Informational", iff(MaxSeverity < 5, "Low", iff(MaxSeverity < 8, "Medium", "High")))
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+alertDetailsOverride:
+  alertDisplayNameFormat: Awake Security - High Model Match Counts On Device {{SourceHostName}}
+  alertDescriptionFormat: |-
+    The following Awake model(s):
+
+    {{Models}}
+
+    matched {{ModelMatchCount}} activities, an unexpectedly large number. The destination IPs associated with these matches were:
+
+    {{DestinationIPs}}
+  alertTacticsColumnName: null
+  alertSeverityColumnName: SeverityName
+customDetails:
+  Matched_Models: Models
+  Matches_ASP_URLs: ASPMatchURLs
+  Device: SourceHostName
+  Matches_Count: ModelMatchCount
+  Matches_Max_Severity: MaxSeverity
+  Matches_Dest_IPs: DestinationIPs
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPs
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: true
+    lookbackDuration: 3d
+    matchingMethod: Selected
+    groupByEntities:
+      - Host
+    groupByAlertDetails: []
+    groupByCustomDetails:
+      - Device
+version: 1.0.0
--- a/Rules/HighSeverityMatchesByDevice.yaml
+++ b/Rules/HighSeverityMatchesByDevice.yaml
@ -0,0 +1,62 @@
+id: d5e012c2-29ba-4a02-a813-37b928aafe2d
+name: Awake Security - High Severity Matches By Device
+description: This query searches for devices with high severity event(s).
+severity: Medium
+requiredDataConnectors:
+  - connectorId: AristaAwakeSecurity
+    dataTypes:
+      - CommonSecurityLog (AwakeSecurity)
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics: []
+relevantTechniques: []
+query: |
+  CommonSecurityLog
+  | where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security" and toint(LogSeverity) > 6
+  | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
+    DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(todecimal  (LogSeverity)) by SourceHostName
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+alertDetailsOverride:
+  alertDisplayNameFormat: Awake Security - High Severity Matches On Device {{SourceHostName}}
+  alertDescriptionFormat: |
+    Device {{SourceHostName}} matched the following high-severity Awake model(s):
+
+    {{Models}}
+
+    The destination IPs associated with these matches were:
+
+    {{DestinationIPs}}
+  alertTacticsColumnName: null
+  alertSeverityColumnName: MaxSeverity
+customDetails:
+  Matched_Models: Models
+  Matches_ASP_URLs: ASPMatchURLs
+  Device: SourceHostName
+  Matches_Count: ModelMatchCount
+  Matches_Max_Severity: MaxSeverity
+  Matches_Dest_IPs: DestinationIPs
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPs
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: true
+    lookbackDuration: 3d
+    matchingMethod: Selected
+    groupByEntities:
+      - Host
+    groupByAlertDetails: []
+    groupByCustomDetails:
+      - Device
+version: 1.0.0
--- a/Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml
+++ b/Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml
@ -0,0 +1,62 @@
+id: dfa3ec92-bdae-410f-b675-fe1814e4d43e
+name: Awake Security - Model With Multiple Destinations
+description: This query searches for devices with multiple possibly malicious destinations.
+severity: Medium
+requiredDataConnectors:
+  - connectorId: AristaAwakeSecurity
+    dataTypes:
+      - CommonSecurityLog (AwakeSecurity)
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics: []
+relevantTechniques: []
+query: |
+  CommonSecurityLog | where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security"
+  | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
+    DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName
+  | where array_length(DestinationIPs) > 1
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+alertDetailsOverride:
+  alertDisplayNameFormat: Awake Security - Model Matches With Multiple Destinations On Device {{SourceHostName}}
+  alertDescriptionFormat: |
+    Device {{SourceHostName}} communicated with multiple possibly malicious destinations.  The destination IPs were:
+
+    {{DestinationIPs}}
+
+    The associated with Awake model(s) were:
+
+    {{Models}}
+  alertTacticsColumnName: null
+  alertSeverityColumnName: null
+customDetails:
+  Matched_Models: Models
+  Matches_ASP_URLs: ASPMatchURLs
+  Device: SourceHostName
+  Matches_Count: ModelMatchCount
+  Matches_Max_Severity: MaxSeverity
+  Matches_Dest_IPs: DestinationIPs
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPs
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: true
+    lookbackDuration: 3d
+    matchingMethod: Selected
+    groupByEntities:
+      - Host
+    groupByAlertDetails: []
+    groupByCustomDetails:
+      - Device
+version: 1.0.0
--- a/Connectors/Connector_AristaAwakeSecurity_CEF.json
+++ b/Connectors/Connector_AristaAwakeSecurity_CEF.json
@ -0,0 +1,137 @@
+{
+    "id": "AristaAwakeSecurity",
+    "title": "Awake Security",
+    "publisher": "Arista Networks",
+    "descriptionMarkdown": "The Awake Security CEF connector allows users to send detection model matches from the Awake Security Platform to Azure Sentinel. Remediate threats quickly with the power of network detection and response and speed up investigations with deep visibility especially into unmanaged entities including users, devices and applications on your network. The connector also enables the creation of network security-focused custom alerts, incidents, workbooks and notebooks that align with your existing security operations workflows. ",
+    "graphQueries": [
+        {
+            "metricName": "Total data received",
+            "legend": "AwakeSecurity",
+            "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\"\n| where DeviceProduct == \"Awake Security\""
+        }
+    ],
+    "sampleQueries": [
+        {
+            "description" : "Top 5 Adversarial Model Matches by Severity",
+            "query": "union CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize  TotalActivities=sum(EventCount) by Activity,LogSeverity\n| top 5 by LogSeverity desc"
+        },
+        {
+            "description" : "Top 5 Devices by Device Risk Score",
+            "query": "union CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize MaxDeviceRiskScore=max(DeviceCustomNumber1),TimesAlerted=count() by SourceHostName=coalesce(SourceHostName,\"Unknown\")\n| top 5 by MaxDeviceRiskScore desc"
+        }
+    ],
+    "dataTypes": [
+        {
+            "name": "CommonSecurityLog (AwakeSecurity)",
+            "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\"\n| where DeviceProduct == \"Awake Security\"\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+        }
+    ],
+    "connectivityCriterias": [
+        {
+            "type": "IsConnectedQuery",
+            "value": [
+                "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\"\n| where DeviceProduct == \"Awake Security\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
+            ]
+        }
+    ],
+    "availability": {
+        "status": 1,
+        "isPreview": true
+    },
+    "permissions": {
+        "resourceProvider": [
+            {
+                "provider": "Microsoft.OperationalInsights/workspaces",
+                "permissionsDisplayText": "read and write permissions are required.",
+                "providerDisplayName": "Workspace",
+                "scope": "Workspace",
+                "requiredPermissions": {
+                    "read": true,
+                    "write": true,
+                    "delete": true
+                }
+            },
+            {
+                "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+                "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+                "providerDisplayName": "Keys",
+                "scope": "Workspace",
+                "requiredPermissions": {
+                    "action": true
+                }
+            }
+        ]
+    },
+    "instructionSteps": [
+        {
+            "title": "1. Linux Syslog agent configuration",
+            "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
+            "innerSteps": [
+                {
+                    "title": "1.1 Select or create a Linux machine",
+                    "description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your security solution and Azure Sentinel this machine can be on your on-prem environment, Azure or other clouds."
+                },
+                {
+                    "title": "1.2 Install the CEF collector on the Linux machine",
+                    "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
+                    "instructions": [
+                        {
+                            "parameters": {
+                                "fillWith": [
+                                    "WorkspaceId",
+                                    "PrimaryKey"
+                                ],
+                                "label": "Run the following command to install and apply the CEF collector:",
+                                "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
+                            },
+                            "type": "CopyableLabel"
+                        }
+                    ]
+                }
+            ]
+        },
+        {
+            "title": "2. Forward Awake Adversarial Model match results to a CEF collector.",
+            "description": "Perform the following steps to forward Awake Adversarial Model match results to a CEF collector listening on TCP port **514** at IP **192.168.0.1**:\n- Navigate to the Detection Management Skills page in the Awake UI.\n- Click + Add New Skill.\n- Set the Expression field to,\n>integrations.cef.tcp { destination: \"192.168.0.1\", port: 514, secure: false, severity: Warning }\n- Set the Title field to a descriptive name like,\n>Forward Awake Adversarial Model match result to Azure Sentinel.\n- Set the Reference Identifier to something easily discoverable like,\n>integrations.cef.sentinel-forwarder\n- Click Save.\n\nNote: Within a few minutes of saving the definition and other fields the system will begin sending new model match results to the CEF events collector as they are detected.\n\nFor more information, refer to the **Adding a Security Information and Event Management Push Integration** page from the Help Documentation in the Awake UI."
+        },
+        {
+            "title": "3. Validate connection",
+            "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
+            "instructions": [
+                {
+                    "parameters": {
+                        "fillWith": [
+                            "WorkspaceId"
+                        ],
+                        "label": "Run the following command to validate your connectivity:",
+                        "value": "sudo wget  -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py  {0}"
+                    },
+                    "type": "CopyableLabel"
+                }
+            ]
+        },
+        {
+            "title": "4. Secure your machine ",
+            "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
+        }
+    ],
+    "metadata": {
+        "id": "69203ebb-3834-43bf-9cdd-2936c4e6ae79",
+        "version": "1.0.0",
+        "kind": "dataConnector",
+        "source": {
+            "kind": "solution",
+            "name": "Awake Security"
+        },
+        "author": {
+            "name": "Awake Security"
+        },
+        "support": {
+            "tier": "developer",
+            "name": "Arista - Awake Security",
+            "email": "support-security@arista.com",
+            "link": "https://awakesecurity.com/"
+        }
+    }
+}
+
--- a/Solutions/AristaAwakeSecurity/Workbooks/AristaAwakeSecurityWorkbook.json
+++ b/Solutions/AristaAwakeSecurity/Workbooks/AristaAwakeSecurityWorkbook.json
@ -0,0 +1,666 @@
+{
+  "version": "Notebook/1.0",
+  "items": [
+    {
+      "type": 9,
+      "content": {
+        "version": "KqlParameterItem/1.0",
+        "parameters": [
+          {
+            "id": "96834e0b-c240-4603-b8ce-ab5c8e051a8c",
+            "version": "KqlParameterItem/1.0",
+            "name": "TimeRange",
+            "label": "Time Range",
+            "type": 4,
+            "isRequired": true,
+            "value": {
+              "durationMs": 172800000
+            },
+            "typeSettings": {
+              "selectableValues": [
+                {
+                  "durationMs": 3600000
+                },
+                {
+                  "durationMs": 43200000
+                },
+                {
+                  "durationMs": 86400000
+                },
+                {
+                  "durationMs": 172800000
+                },
+                {
+                  "durationMs": 604800000
+                },
+                {
+                  "durationMs": 2592000000
+                },
+                {
+                  "durationMs": 5184000000
+                }
+              ],
+              "allowCustom": true
+            },
+            "timeContext": {
+              "durationMs": 86400000
+            }
+          },
+          {
+            "id": "66925847-0d36-4795-bdfe-1ad0e6fa92a8",
+            "version": "KqlParameterItem/1.0",
+            "name": "SortBy",
+            "label": "Sort By",
+            "type": 2,
+            "isRequired": true,
+            "typeSettings": {
+              "additionalResourceOptions": [],
+              "showDefault": false
+            },
+            "jsonData": "[\n\n    { \"value\":\"Count\", \"label\":\"Count\"},\n    { \"value\":\"Severity\", \"label\":\"Severity\", \"selected\":true}\n]"
+          },
+          {
+            "id": "39594a16-ba63-4c67-8be3-00b4e415bb19",
+            "version": "KqlParameterItem/1.0",
+            "name": "HostName",
+            "label": "Host Name",
+            "type": 1,
+            "isRequired": true,
+            "value": "dogfood-rc.mv.awakenetworks.net"
+          }
+        ],
+        "style": "pills",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "name": "parameters - 8"
+    },
+    {
+      "type": 11,
+      "content": {
+        "version": "LinkItem/1.0",
+        "style": "tabs",
+        "links": [
+          {
+            "id": "bc6350d6-4f87-4575-9057-6e80072afdc1",
+            "cellValue": "Tab",
+            "linkTarget": "parameter",
+            "linkLabel": "Overview",
+            "subTarget": "Overview",
+            "style": "link"
+          },
+          {
+            "id": "b90a2ef4-07db-4f55-b8f1-fcafa493ab16",
+            "cellValue": "Tab",
+            "linkTarget": "parameter",
+            "linkLabel": "Models",
+            "subTarget": "Models",
+            "style": "link"
+          },
+          {
+            "id": "e097203d-20ea-48de-af3d-d367e704dd61",
+            "cellValue": "Tab",
+            "linkTarget": "parameter",
+            "linkLabel": "Devices",
+            "subTarget": "Devices",
+            "style": "link"
+          }
+        ]
+      },
+      "name": "links - 11"
+    },
+    {
+      "type": 12,
+      "content": {
+        "version": "NotebookGroup/1.0",
+        "groupType": "editable",
+        "items": [
+          {
+            "type": 1,
+            "content": {
+              "json": "---\n### Adversarial Model Matches by Severity Level for {TimeRange}"
+            },
+            "customWidth": "30",
+            "name": "Overview_Pie_Label"
+          },
+          {
+            "type": 1,
+            "content": {
+              "json": "\n\n\n---\n### Adversarial Models Matches for {TimeRange}"
+            },
+            "customWidth": "70",
+            "name": "Overview_Chart_Label"
+          },
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "union CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n//| summarize by bin(TimeGenerated,3h),Activity,LogSeverity\n//| summarize by bin(TimeGenerated,case(datetime_diff('day',{TimeRange:end},{TimeRange:start})>1,3h,case(datetime_diff('hour',{TimeRange:end},{TimeRange:start})>3,1h,10m))),Activity,LogSeverity\n| summarize by bin(TimeGenerated,floor(({TimeRange:end}-{TimeRange:start})/30,1m)),Activity,LogSeverity\n| summarize Count=count() by Severity=iif(toint(LogSeverity) between (0 .. 3),\"1\",iif(toint(LogSeverity) between (4 .. 6),\"2\",iif(toint(LogSeverity) between (7 .. 8),\"3\",iif(toint(LogSeverity) between (9 .. 10),\"4\",\"5\")))) \n| where toint(Severity)<5\n| order by toint(Severity) desc",
+              "size": 2,
+              "timeContext": {
+                "durationMs": 172800000
+              },
+              "timeContextFromParameter": "TimeRange",
+              "queryType": 0,
+              "resourceType": "microsoft.operationalinsights/workspaces",
+              "visualization": "piechart",
+              "sortBy": [],
+              "tileSettings": {
+                "titleContent": {
+                  "columnMatch": "Severity",
+                  "formatter": 18,
+                  "formatOptions": {
+                    "thresholdsOptions": "colors",
+                    "thresholdsGrid": [
+                      {
+                        "operator": "==",
+                        "thresholdValue": "4",
+                        "representation": "redBright",
+                        "text": "Critical"
+                      },
+                      {
+                        "operator": "==",
+                        "thresholdValue": "3",
+                        "representation": "orange",
+                        "text": "High"
+                      },
+                      {
+                        "operator": "==",
+                        "thresholdValue": "2",
+                        "representation": "yellow",
+                        "text": "Medium"
+                      },
+                      {
+                        "operator": "==",
+                        "thresholdValue": "1",
+                        "representation": "green",
+                        "text": "Low"
+                      },
+                      {
+                        "operator": "Default",
+                        "thresholdValue": null,
+                        "representation": null,
+                        "text": "{0}{1}"
+                      }
+                    ],
+                    "compositeBarSettings": {
+                      "labelText": "",
+                      "columnSettings": [
+                        {
+                          "columnName": "status",
+                          "color": "green"
+                        },
+                        {
+                          "columnName": "status_count",
+                          "color": "lightBlue"
+                        }
+                      ]
+                    }
+                  }
+                },
+                "leftContent": {
+                  "columnMatch": "Count",
+                  "formatter": 12,
+                  "formatOptions": {
+                    "palette": "none"
+                  }
+                },
+                "showBorder": true,
+                "sortOrderField": 1,
+                "size": "auto"
+              },
+              "graphSettings": {
+                "type": 0
+              },
+              "chartSettings": {
+                "yAxis": [
+                  "Count"
+                ],
+                "createOtherGroup": null,
+                "seriesLabelSettings": [
+                  {
+                    "seriesName": "1",
+                    "label": "Low",
+                    "color": "green"
+                  },
+                  {
+                    "seriesName": "2",
+                    "label": "Medium",
+                    "color": "yellow"
+                  },
+                  {
+                    "seriesName": "4",
+                    "label": "Critical",
+                    "color": "redBright"
+                  },
+                  {
+                    "seriesName": "3",
+                    "label": "High",
+                    "color": "orange"
+                  }
+                ]
+              }
+            },
+            "customWidth": "30",
+            "name": "Adversarial Model Matches by Severity"
+          },
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "//union CommonSecurityLog\n//|  summarize Requests = dcount(Activity) by bin(TimeGenerated, 3h)\n\nunion CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n//| summarize by bin(TimeGenerated,case(datetime_diff('day',{TimeRange:end},{TimeRange:start})>1,3h,case(datetime_diff('hour',{TimeRange:end},{TimeRange:start})>3,1h,10m))),Activity,LogSeverity\n| summarize by bin(TimeGenerated,floor(({TimeRange:end}-{TimeRange:start})/30,1m)),Activity,LogSeverity\n//| summarize by bin(TimeGenerated,3h),Activity,LogSeverity\n| summarize Critical=countif(toint(LogSeverity) between (9 .. 10)),High=countif(toint(LogSeverity) between (7 .. 8)),Medium=countif(toint(LogSeverity) between (4 .. 6)),Low=countif(toint(LogSeverity) between (0 .. 3)) by TimeGenerated,LogSeverity\n\n",
+              "size": 2,
+              "timeContext": {
+                "durationMs": 172800000
+              },
+              "timeContextFromParameter": "TimeRange",
+              "queryType": 0,
+              "resourceType": "microsoft.operationalinsights/workspaces",
+              "visualization": "categoricalbar",
+              "graphSettings": {
+                "type": 0
+              },
+              "chartSettings": {
+                "xAxis": "TimeGenerated",
+                "seriesLabelSettings": [
+                  {
+                    "seriesName": "High",
+                    "color": "orange"
+                  },
+                  {
+                    "seriesName": "Critical",
+                    "color": "redBright"
+                  },
+                  {
+                    "seriesName": "Medium",
+                    "color": "yellow"
+                  },
+                  {
+                    "seriesName": "Low",
+                    "color": "green"
+                  }
+                ]
+              }
+            },
+            "customWidth": "70",
+            "name": "Overview_Chart"
+          },
+          {
+            "type": 1,
+            "content": {
+              "json": "\n\n\n---\n###### Links"
+            },
+            "name": "Overview_Links_Label"
+          },
+          {
+            "type": 11,
+            "content": {
+              "version": "LinkItem/1.0",
+              "style": "bullets",
+              "links": [
+                {
+                  "id": "49514376-7f9d-40d5-9e71-be047648b095",
+                  "cellValue": "https://awakesecurity.com/",
+                  "linkTarget": "Url",
+                  "linkLabel": "Awake-Security",
+                  "preText": "",
+                  "postText": "",
+                  "style": "link"
+                },
+                {
+                  "id": "5f591858-9562-423f-b082-c8946fd74727",
+                  "cellValue": "https://{HostName}/",
+                  "linkTarget": "Url",
+                  "linkLabel": "Awake-Platform",
+                  "style": "link"
+                }
+              ]
+            },
+            "name": "Overview_Links"
+          }
+        ]
+      },
+      "conditionalVisibility": {
+        "parameterName": "Tab",
+        "comparison": "isEqualTo",
+        "value": "Overview"
+      },
+      "name": "Overview_Group"
+    },
+    {
+      "type": 12,
+      "content": {
+        "version": "NotebookGroup/1.0",
+        "groupType": "editable",
+        "items": [
+          {
+            "type": 1,
+            "content": {
+              "json": "---\n### Top 5 Adversarial Models Activities for {TimeRange}"
+            },
+            "name": "Models_Chart_Label"
+          },
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "\nunion CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize d=arg_max(DeviceEventClassID,LogSeverity),TriggeredCount=sum(EventCount) by  Activity\n| top 5 by case(\"{SortBy}\"==\"Count\",TriggeredCount,toint(LogSeverity))\n\n\n//union CommonSecurityLog\n//| summarize TriggeredCount=sum(EventCount) by Activity\n//    ,SeverityInt=iif(toint(LogSeverity) between (0 .. 3),1,iif(toint(LogSeverity) between (4 .. 6),2,iif(toint(LogSeverity) between (7 .. 8),3,4)))\n//| top 5 by case(\"{SortBy}\"==\"Count\",TriggeredCount,SeverityInt)\n\n//union CommonSecurityLog\n//| summarize TriggeredCount=dcount(Activity) by Activity,DeviceEventClassID,toint(LogSeverity)\n//    ,SeverityInt=iif(toint(LogSeverity) between (0 .. 3),1,iif(toint(LogSeverity) between (4 .. 6),2,iif(toint(LogSeverity) between (7 .. 8),3,4)))\n| top 5 by case(\"{SortBy}\"==\"Count\",TriggeredCount,toint(LogSeverity))\n",
+              "size": 0,
+              "timeContext": {
+                "durationMs": 0
+              },
+              "timeContextFromParameter": "TimeRange",
+              "queryType": 0,
+              "resourceType": "microsoft.operationalinsights/workspaces",
+              "visualization": "barchart",
+              "sortBy": [],
+              "chartSettings": {
+                "xAxis": "Activity",
+                "yAxis": [
+                  "TriggeredCount"
+                ]
+              }
+            },
+            "name": "Models_Chart"
+          },
+          {
+            "type": 1,
+            "content": {
+              "json": "---\n\n### Detailed: Top 50 Adversarial Model Matches for {TimeRange}"
+            },
+            "name": "Models_Grid_Label"
+          },
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "union CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize arg_max(TimeGenerated,Severity=toint(LogSeverity),DeviceCustomDate2,DeviceEventClassID),arg_min(TimeGenerated, DeviceCustomDate1),\nUniqueDevices= dcount(coalesce(SourceHostName,'Unknown')),TotalActivities=sum(EventCount) by Activity\n| extend  ModelPath= strcat(\"https://{HostName}/app/workbench/?startTime=\",DeviceCustomDate1,\"&endTime=\",DeviceCustomDate2,\"&query=(dataset.threat_behavior%20\",DeviceEventClassID,\")%20%26%26%20(device.threat_behavior%20\",DeviceEventClassID,\")&view=device\")\n| project Activity,ModelPath,Severity,UniqueDevices,TotalActivities\n| top 50 by case(\"{SortBy}\"==\"Count\",TotalActivities,Severity)",
+              "size": 2,
+              "timeContext": {
+                "durationMs": 0
+              },
+              "timeContextFromParameter": "TimeRange",
+              "showExportToExcel": true,
+              "queryType": 0,
+              "resourceType": "microsoft.operationalinsights/workspaces",
+              "visualization": "table",
+              "gridSettings": {
+                "formatters": [
+                  {
+                    "columnMatch": "Activity",
+                    "formatter": 1
+                  },
+                  {
+                    "columnMatch": "ModelPath",
+                    "formatter": 7,
+                    "formatOptions": {
+                      "linkTarget": "Url",
+                      "linkLabel": "Awake-Platform: Model Detail"
+                    }
+                  },
+                  {
+                    "columnMatch": "Severity",
+                    "formatter": 18,
+                    "formatOptions": {
+                      "thresholdsOptions": "colors",
+                      "thresholdsGrid": [
+                        {
+                          "operator": "<=",
+                          "thresholdValue": "3",
+                          "representation": "green",
+                          "text": "Low"
+                        },
+                        {
+                          "operator": "<=",
+                          "thresholdValue": "6",
+                          "representation": "yellow",
+                          "text": "Medium"
+                        },
+                        {
+                          "operator": "<=",
+                          "thresholdValue": "8",
+                          "representation": "orange",
+                          "text": "High"
+                        },
+                        {
+                          "operator": "Default",
+                          "thresholdValue": null,
+                          "representation": "redBright",
+                          "text": "Critical"
+                        }
+                      ],
+                      "compositeBarSettings": {
+                        "labelText": "",
+                        "columnSettings": [
+                          {
+                            "columnName": "SeverityInt",
+                            "color": "redBright"
+                          }
+                        ]
+                      }
+                    }
+                  },
+                  {
+                    "columnMatch": "TimeGenerated",
+                    "formatter": 5
+                  },
+                  {
+                    "columnMatch": "SeverityInt",
+                    "formatter": 5
+                  },
+                  {
+                    "columnMatch": "DeviceEventClassID",
+                    "formatter": 5
+                  },
+                  {
+                    "columnMatch": "mints",
+                    "formatter": 5
+                  },
+                  {
+                    "columnMatch": "maxts",
+                    "formatter": 5
+                  }
+                ],
+                "labelSettings": [
+                  {
+                    "columnId": "Activity"
+                  },
+                  {
+                    "columnId": "ModelPath",
+                    "label": "Model Path"
+                  },
+                  {
+                    "columnId": "Severity"
+                  },
+                  {
+                    "columnId": "UniqueDevices",
+                    "label": "Unique Devices"
+                  },
+                  {
+                    "columnId": "TotalActivities",
+                    "label": "Total Activities"
+                  }
+                ]
+              },
+              "sortBy": []
+            },
+            "name": "Models_Grid"
+          }
+        ]
+      },
+      "conditionalVisibility": {
+        "parameterName": "Tab",
+        "comparison": "isEqualTo",
+        "value": "Models"
+      },
+      "name": "Models_Group"
+    },
+    {
+      "type": 12,
+      "content": {
+        "version": "NotebookGroup/1.0",
+        "groupType": "editable",
+        "items": [
+          {
+            "type": 1,
+            "content": {
+              "json": "---\n### Top 10 Devices by Model Matches for {TimeRange}"
+            },
+            "name": "Devices_Chart_Label"
+          },
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "//union CommonSecurityLog\n//| extend Source = strcat(Sour.ceHostName,\" \", \"(\" ,SourceIP, \")\"),Destination= strcat(DestinationHostName,\" \", \"(\" ,DestinationIP, \")\")\n//| summarize TimesAlerted=count() by SourceHostName //, //avg(DeviceCustomNumber1) by SourceHostName\n//| top 10 by TimesAlerted\n//| sort by TimesAlerted desc\n\nunion CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize \n    MaxDeviceRiskScore=max(DeviceCustomNumber1),UniqueDeviceTypeCount=dcount(DeviceCustomString4),\n    TimesAlerted=count() by SourceHostName=coalesce(SourceHostName,\"Unknown\")\n//| where UniqueDeviceTypeCount<2\n| top 10 by case(\"{SortBy}\"==\"Count\",TimesAlerted,MaxDeviceRiskScore)\n",
+              "size": 0,
+              "timeContext": {
+                "durationMs": 172800000
+              },
+              "timeContextFromParameter": "TimeRange",
+              "queryType": 0,
+              "resourceType": "microsoft.operationalinsights/workspaces",
+              "visualization": "barchart",
+              "chartSettings": {
+                "xAxis": "SourceHostName",
+                "yAxis": [
+                  "TimesAlerted"
+                ]
+              }
+            },
+            "name": "Devices_Chart"
+          },
+          {
+            "type": 1,
+            "content": {
+              "json": "---\n### Detailed: Top 50 Devices by Model Matches for {TimeRange}"
+            },
+            "name": "Devices_Grid_Label"
+          },
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "union CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize DevicePath=take_anyif(strcat(\"https://{HostName}/app/workbench/device/\",substring(DeviceCustomString2,-39,36)),DeviceCustomString2!=\"\"),\n    DeviceType=strcat_array(make_set_if(DeviceCustomString4, strlen(DeviceCustomString4) > 0),\", \"),UniqueDeviceTypeCount=dcount(DeviceCustomString4),\n    OperatingSystem=strcat_array(make_set_if(DeviceCustomString3, strlen(DeviceCustomString3) > 0),\", \"),\n    IPsFound= dcount(SourceIP),//strcat_array(make_set(SourceIP),\", \"),\n//    AverageDeviceRiskScore=round(avgif(DeviceCustomNumber1,DeviceCustomNumber1>0)),\n    MaxDeviceRiskScore=max(DeviceCustomNumber1),\n    TimesAlerted=count() by SourceHostName=coalesce(SourceHostName,\"Unknown\")//,DevicePath\n//| where UniqueDeviceTypeCount<2\n| top 50 by case(\"{SortBy}\"==\"Count\",TimesAlerted,MaxDeviceRiskScore)\n//| order by MaxDeviceRiskScore desc\n",
+              "size": 2,
+              "timeContext": {
+                "durationMs": 172800000
+              },
+              "timeContextFromParameter": "TimeRange",
+              "showExportToExcel": true,
+              "queryType": 0,
+              "resourceType": "microsoft.operationalinsights/workspaces",
+              "visualization": "table",
+              "gridSettings": {
+                "formatters": [
+                  {
+                    "columnMatch": "DevicePath",
+                    "formatter": 7,
+                    "formatOptions": {
+                      "linkTarget": "Url",
+                      "linkLabel": "Awake-Platform: Device Detail"
+                    }
+                  },
+                  {
+                    "columnMatch": "UniqueDeviceTypeCount",
+                    "formatter": 5
+                  },
+                  {
+                    "columnMatch": "MaxDeviceRiskScore",
+                    "formatter": 18,
+                    "formatOptions": {
+                      "thresholdsOptions": "colors",
+                      "thresholdsGrid": [
+                        {
+                          "operator": "<",
+                          "thresholdValue": "33",
+                          "representation": "green",
+                          "text": "Low"
+                        },
+                        {
+                          "operator": ">=",
+                          "thresholdValue": "75",
+                          "representation": "redBright",
+                          "text": "High"
+                        },
+                        {
+                          "operator": ">=",
+                          "thresholdValue": "33",
+                          "representation": "orange",
+                          "text": "Medium"
+                        },
+                        {
+                          "operator": "Default",
+                          "thresholdValue": null,
+                          "text": "{0}{1}"
+                        }
+                      ],
+                      "compositeBarSettings": {
+                        "labelText": "",
+                        "columnSettings": [
+                          {
+                            "columnName": "IPsFound",
+                            "color": "blue"
+                          },
+                          {
+                            "columnName": "MaxDeviceRiskScore",
+                            "color": "brown"
+                          }
+                        ]
+                      }
+                    }
+                  }
+                ],
+                "labelSettings": [
+                  {
+                    "columnId": "SourceHostName",
+                    "label": "Source HostName"
+                  },
+                  {
+                    "columnId": "DevicePath",
+                    "label": "Device Path"
+                  },
+                  {
+                    "columnId": "DeviceType",
+                    "label": "Device Type"
+                  },
+                  {
+                    "columnId": "UniqueDeviceTypeCount"
+                  },
+                  {
+                    "columnId": "OperatingSystem",
+                    "label": "Operating System"
+                  },
+                  {
+                    "columnId": "IPsFound",
+                    "label": "Distinct IPs"
+                  },
+                  {
+                    "columnId": "MaxDeviceRiskScore",
+                    "label": "Device Risk Score (Max)"
+                  },
+                  {
+                    "columnId": "TimesAlerted",
+                    "label": "Total Activities"
+                  }
+                ]
+              },
+              "sortBy": []
+            },
+            "name": "Devices_Grid"
+          }
+        ]
+      },
+      "conditionalVisibility": {
+        "parameterName": "Tab",
+        "comparison": "isEqualTo",
+        "value": "Devices"
+      },
+      "name": "Devices_Group"
+    }
+  ],
+  "fallbackResourceIds": [],
+  "styleSettings": {}, 
+  "fromTemplateId": "sentinel-AristaAwakeSecurityWorkbook",
+  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
--- a/Solutions/AristaAwakeSecurity/Workbooks/Images/Logos/AristaAwakeSecurity.svg
+++ b/Solutions/AristaAwakeSecurity/Workbooks/Images/Logos/AristaAwakeSecurity.svg
@ -0,0 +1,24 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1147.36 765.39">
+  <defs>
+    <style>.cls-1{fill:#352e92;}.cls-2{fill:#6c60ec;}</style>
+  </defs>
+  <g id="1828d4cc-f19f-4f85-90ff-72abc847eafe">
+    <path class="cls-1" d="M873.11,454a10.56,10.56,0,0,1-10.56-10.56V323.3a10.56,10.56,0,1,1,21.12,0V443.46A10.56,10.56,0,0,1,873.11,454Z"/>
+    <path class="cls-2" d="M948.43,393.94H873.11a10.56,10.56,0,0,1,0-21.12h75.32a10.56,10.56,0,1,1,0,21.12Z"/>
+    <path class="cls-2" d="M873.11,333.86a10.56,10.56,0,0,1,0-21.12l86-.15h0a10.56,10.56,0,0,1,0,21.12l-86.06.15Z"/>
+    <path class="cls-2" d="M873.11,454.16a10.56,10.56,0,0,1,0-21.12l86-.14h0a10.56,10.56,0,0,1,0,21.12l-86.06.14Z"/>
+    <path class="cls-1" d="M375.8,453.89a10.56,10.56,0,0,1-9.91-6.91L321.54,326.82a10.56,10.56,0,0,1,19.81-7.31L385.7,439.67a10.56,10.56,0,0,1-6.25,13.56A10.67,10.67,0,0,1,375.8,453.89Z"/>
+    <path class="cls-1" d="M464.51,453.89A10.56,10.56,0,0,1,454.6,447L410.25,326.82a10.56,10.56,0,0,1,19.81-7.31l44.35,120.16a10.58,10.58,0,0,1-9.9,14.22Z"/>
+    <path class="cls-2" d="M375.8,453.89a10.45,10.45,0,0,1-3.66-.66,10.56,10.56,0,0,1-6.25-13.56l44.35-120.16a10.56,10.56,0,0,1,19.81,7.31L385.7,447A10.57,10.57,0,0,1,375.8,453.89Z"/>
+    <path class="cls-2" d="M464.51,453.89a10.45,10.45,0,0,1-3.66-.66,10.56,10.56,0,0,1-6.25-13.56L499,319.51a10.56,10.56,0,0,1,19.81,7.31L474.41,447A10.57,10.57,0,0,1,464.51,453.89Z"/>
+    <path class="cls-1" d="M291.87,453.89a10.55,10.55,0,0,1-9.7-6.39L230.36,327.34a10.56,10.56,0,0,1,19.4-8.36l51.8,120.16a10.57,10.57,0,0,1-9.69,14.75Z"/>
+    <path class="cls-2" d="M188.19,453.89a10.58,10.58,0,0,1-9.7-14.75L230.3,319a10.56,10.56,0,0,1,19.4,8.36L197.89,447.5A10.55,10.55,0,0,1,188.19,453.89Z"/>
+    <path class="cls-2" d="M275.93,417.66H203.81a10.56,10.56,0,1,1,0-21.12h72.12a10.56,10.56,0,1,1,0,21.12Z"/>
+    <path class="cls-1" d="M651.72,453.89A10.57,10.57,0,0,1,642,447.5l-51.8-120.16A10.56,10.56,0,0,1,609.6,319l51.81,120.16a10.58,10.58,0,0,1-9.69,14.75Z"/>
+    <path class="cls-2" d="M548,453.89a10.57,10.57,0,0,1-9.69-14.75L590.14,319a10.56,10.56,0,0,1,19.4,8.36L557.73,447.5A10.55,10.55,0,0,1,548,453.89Z"/>
+    <path class="cls-2" d="M635.77,417.66H563.65a10.56,10.56,0,1,1,0-21.12h72.12a10.56,10.56,0,1,1,0,21.12Z"/>
+    <path class="cls-1" d="M804.47,453.35a10.56,10.56,0,0,1-7.92-3.57l-60.32-68.17a10.56,10.56,0,0,1,15.82-14l60.32,68.17a10.57,10.57,0,0,1-7.9,17.56Z"/>
+    <path class="cls-2" d="M719.57,453.88A10.56,10.56,0,0,1,709,443.32V323.16a10.56,10.56,0,1,1,21.12,0V443.32A10.56,10.56,0,0,1,719.57,453.88Z"/>
+    <path class="cls-2" d="M719.57,408a10.56,10.56,0,0,1-7.18-18.3l81.54-75.61a10.56,10.56,0,0,1,14.36,15.48l-81.54,75.61A10.52,10.52,0,0,1,719.57,408Z"/>
+  </g>
+</svg>
--- a/Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityDevicesBlack.png
+++ b/Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityDevicesBlack.png
--- a/Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityDevicesWhite.png
+++ b/Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityDevicesWhite.png
--- a/Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityModelsBlack.png
+++ b/Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityModelsBlack.png
--- a/Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityModelsWhite.png
+++ b/Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityModelsWhite.png
--- a/Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityOverviewBlack.png
+++ b/Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityOverviewBlack.png
--- a/Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityOverviewWhite.png
+++ b/Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityOverviewWhite.png