Repackaged Microsoft 365, MicrosoftDefenderForEndpoint, Windows Forwarded Events (#7978)
* Repackaged * update rule query
Родитель
ffa4bd7836
Коммит
30bdd35e39
|
@ -1,7 +1,7 @@
|
|||
id: 04384937-e927-4595-8f3c-89ff58ed231f
|
||||
name: Possible STRONTIUM attempted credential harvesting - Sept 2020
|
||||
name: Possible Forest Blizzard attempted credential harvesting - Sept 2020
|
||||
description: |
|
||||
'Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.
|
||||
'Surfaces potential Forest Blizzard group Office365 credential harvesting attempts within OfficeActivity Logon events.
|
||||
References: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.'
|
||||
severity: Low
|
||||
status: Available
|
||||
|
@ -31,5 +31,5 @@ query: |
|
|||
| where authAttempts > 2500
|
||||
| extend timestamp = firstAttempt
|
||||
| sort by uniqueAccounts
|
||||
version: 2.0.0
|
||||
version: 2.0.1
|
||||
kind: Scheduled
|
|
@ -46,13 +46,13 @@
|
|||
"Analytic Rules/RareOfficeOperations.yaml",
|
||||
"Analytic Rules/SharePoint_Downloads_byNewIP.yaml",
|
||||
"Analytic Rules/SharePoint_Downloads_byNewUserAgent.yaml",
|
||||
"Analytic Rules/StrontiumCredHarvesting.yaml",
|
||||
"Analytic Rules/ForestBlizzardCredHarvesting.yaml",
|
||||
"Analytic Rules/exchange_auditlogdisabled.yaml",
|
||||
"Analytic Rules/office_policytampering.yaml"
|
||||
],
|
||||
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\solutions\\Microsoft 365",
|
||||
"Version": "2.0.4",
|
||||
"Version": "2.0.5",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1PConnector": true
|
||||
|
|
Двоичный файл не отображается.
|
@ -328,13 +328,13 @@
|
|||
{
|
||||
"name": "analytic12",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Possible STRONTIUM attempted credential harvesting - Sept 2020",
|
||||
"label": "Possible Forest Blizzard attempted credential harvesting - Sept 2020",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic12-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/."
|
||||
"text": "Surfaces potential Forest Blizzard group Office365 credential harvesting attempts within OfficeActivity Logon events.\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/."
|
||||
}
|
||||
}
|
||||
]
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -1,7 +1,7 @@
|
|||
id: 18dbdc22-b69f-4109-9e39-723d9465f45f
|
||||
name: ACTINIUM AV hits - Feb 2022
|
||||
name: Aqua Blizzard AV hits - Feb 2022
|
||||
description: |
|
||||
'Identifies a match in the Security Alert table for MDATP hits related to the ACTINIUM actor'
|
||||
'Identifies a match in the Security Alert table for MDATP hits related to the Aqua Blizzard actor'
|
||||
severity: High
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
|
@ -17,7 +17,7 @@ tactics:
|
|||
relevantTechniques:
|
||||
- T1137
|
||||
tags:
|
||||
- ACTINIUM
|
||||
- Aqua Blizzard
|
||||
query: |
|
||||
let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv"] with (format="csv", ignoreFirstRecord=True);
|
||||
let AVHits = (iocs | where Type =~ "AVDetection"| project IoC);
|
||||
|
@ -27,7 +27,7 @@ query: |
|
|||
| where ThreatName_ has_any (AVHits)
|
||||
| extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)
|
||||
| project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName
|
||||
| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256
|
||||
| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256, FileHashType = "SHA256"
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
|
@ -43,5 +43,5 @@ entityMappings:
|
|||
columnName: FileHashType
|
||||
- identifier: Value
|
||||
columnName: FileHashCustomEntity
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
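Review bot: In the last `extend` of the query, the added `FileHashType = "SHA256"` is a constant, while the hash itself is read by position from `FileHashes[2]` a few lines earlier. The FileHash entity is therefore labelled SHA256 whatever that slot holds, including another algorithm or nothing when the alert carries fewer hashes. Reading the algorithm from the same element keeps label and value in step, for example `FileHashType = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Algorithm)`, assuming the hash entries expose an Algorithm field next to Value. The same positional reads (`Entities[0]`, `Entities[6]`) decide FileName, Hostname and AccountName, so a short comment stating the expected entity order would help whoever triages an alert with empty columns. The start of the query is outside these hunks.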
|
|
@ -7,7 +7,7 @@
|
|||
"Data Connectors/template_MicrosoftDefenderAdvancedThreatProtection.JSON"
|
||||
],
|
||||
"Analytic Rules": [
|
||||
"Analytic Rules/ActiniumAVHits.yaml"
|
||||
"Analytic Rules/AquaBlizzardAVHits.yaml"
|
||||
],
|
||||
"Parsers": [
|
||||
"Parsers/AssignedIPAddress.txt",
|
||||
|
@ -43,7 +43,7 @@
|
|||
"Workbooks/MicrosoftDefenderForEndPoint.json"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\MicrosoftDefenderForEndpoint",
|
||||
"Version": "2.0.2",
|
||||
"Version": "2.0.3",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1PConnector": true
|
||||
|
|
Двоичные данные
Solutions/MicrosoftDefenderForEndpoint/Package/2.0.3.zip
Двоичные данные
Solutions/MicrosoftDefenderForEndpoint/Package/2.0.3.zip
Двоичный файл не отображается.
|
@ -111,7 +111,7 @@
|
|||
{
|
||||
"name": "workbook1",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "MicrosoftDefenderForEndPoint",
|
||||
"label": "Microsoft Defender For EndPoint",
|
||||
"elements": [
|
||||
{
|
||||
"name": "workbook1-text",
|
||||
|
@ -153,13 +153,13 @@
|
|||
{
|
||||
"name": "analytic1",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "ACTINIUM AV hits - Feb 2022",
|
||||
"label": "Aqua Blizzard AV hits - Feb 2022",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Identifies a match in the Security Alert table for MDATP hits related to the ACTINIUM actor"
|
||||
"text": "Identifies a match in the Security Alert table for MDATP hits related to the Aqua Blizzard actor"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -253,4 +253,4 @@
|
|||
"workspace": "[basics('workspace')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -1,7 +1,7 @@
|
|||
id: 066395ac-ef91-4993-8bf6-25c61ab0ca5a
|
||||
name: SOURGUM Actor IOC - July 2021
|
||||
name: Caramel Tsunami Actor IOC - July 2021
|
||||
description: |
|
||||
'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM'
|
||||
'Identifies a match across IOC's related to an actor tracked by Microsoft as Caramel Tsunami'
|
||||
severity: High
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
|
@ -17,7 +17,7 @@ tactics:
|
|||
relevantTechniques:
|
||||
- T1546
|
||||
tags:
|
||||
- SOURGUM
|
||||
- Caramel Tsunami
|
||||
query: |
|
||||
let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv"] with (format="csv", ignoreFirstRecord=True);
|
||||
let file_path1 = (iocs | where Type =~ "filepath1" | project IoC);
|
||||
|
@ -59,5 +59,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: ProcessId
|
||||
columnName: ProcessCustomEntity
|
||||
version: 1.0.2
|
||||
version: 1.0.3
|
||||
kind: Scheduled
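Review bot: The Process entity mapping kept in the last hunk (`identifier: ProcessId` with `columnName: ProcessCustomEntity`) looks mismatched. In the packaged copy of this query in the solution's ARM template, `ProcessCustomEntity` is assigned `NewProcessName`, an image path, while `NewProcessId` is projected but never mapped. If the YAML query matches (its body is outside these hunks), incidents from this rule get a Process entity whose id is a file path, which weakens entity correlation during triage. Pointing the mapping at the projected id would fix it: `columnName: NewProcessId`. The generated `entityMappings` block for the Process entity in the template carries the same pairing and would need regenerating.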
|
|
@ -8,10 +8,10 @@
|
|||
],
|
||||
"Analytic Rules": [
|
||||
"Analytic Rules/ChiaCryptoMining_WindowsEvent.yaml",
|
||||
"Analytic Rules/SOURGUM_IOC_WindowsEvent.yaml"
|
||||
"Analytic Rules/CaramelTsunami_IOC_WindowsEvent.yaml"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Windows Forwarded Events",
|
||||
"Version": "2.0.2",
|
||||
"Version": "2.0.3",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1Pconnector": true
|
||||
|
|
Двоичный файл не отображается.
|
@ -60,7 +60,7 @@
|
|||
"name": "dataconnectors1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Solution installs the data connector for Windows Forwarded Events. You can get Windows Forwarded Events custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
"text": "The solution installs the data connector to ingest Windows Events Forwarding logs using Azure Monitoring Agent. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -118,13 +118,13 @@
|
|||
{
|
||||
"name": "analytic2",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "SOURGUM Actor IOC - July 2021",
|
||||
"label": "Caramel Tsunami Actor IOC - July 2021",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic2-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM"
|
||||
"text": "Identifies a match across IOC's related to an actor tracked by Microsoft as Caramel Tsunami"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
|
|
@ -48,7 +48,7 @@
|
|||
"_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
|
||||
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
|
||||
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]",
|
||||
"analyticRuleVersion2": "1.0.2",
|
||||
"analyticRuleVersion2": "1.0.3",
|
||||
"analyticRulecontentId2": "066395ac-ef91-4993-8bf6-25c61ab0ca5a",
|
||||
"_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
|
||||
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
|
||||
|
@ -57,7 +57,7 @@
|
|||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs",
|
||||
"apiVersion": "2021-05-01",
|
||||
"apiVersion": "2022-02-01",
|
||||
"name": "[variables('dataConnectorTemplateSpecName1')]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
|
@ -71,7 +71,7 @@
|
|||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs/versions",
|
||||
"apiVersion": "2021-05-01",
|
||||
"apiVersion": "2022-02-01",
|
||||
"name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
|
@ -82,7 +82,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Windows Forwarded Events data connector with template version 2.0.2",
|
||||
"description": "Windows Forwarded Events data connector with template version 2.0.3",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('dataConnectorVersion1')]",
|
||||
|
@ -219,7 +219,7 @@
|
|||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs",
|
||||
"apiVersion": "2021-05-01",
|
||||
"apiVersion": "2022-02-01",
|
||||
"name": "[variables('analyticRuleTemplateSpecName1')]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
|
@ -233,7 +233,7 @@
|
|||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs/versions",
|
||||
"apiVersion": "2021-05-01",
|
||||
"apiVersion": "2022-02-01",
|
||||
"name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
|
@ -244,7 +244,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "ChiaCryptoMining_WindowsEvent_AnalyticalRules Analytics Rule with template version 2.0.2",
|
||||
"description": "ChiaCryptoMining_WindowsEvent_AnalyticalRules Analytics Rule with template version 2.0.3",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('analyticRuleVersion1')]",
|
||||
|
@ -286,35 +286,35 @@
|
|||
],
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "AccountCustomEntity",
|
||||
"identifier": "FullName"
|
||||
"identifier": "FullName",
|
||||
"columnName": "AccountCustomEntity"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Account"
|
||||
},
|
||||
{
|
||||
"entityType": "Host",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "HostCustomEntity",
|
||||
"identifier": "FullName"
|
||||
"identifier": "FullName",
|
||||
"columnName": "HostCustomEntity"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Host"
|
||||
},
|
||||
{
|
||||
"entityType": "File",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "FileCustomEntity",
|
||||
"identifier": "Name"
|
||||
"identifier": "Name",
|
||||
"columnName": "FileCustomEntity"
|
||||
},
|
||||
{
|
||||
"columnName": "FilePathCustomEntity",
|
||||
"identifier": "Directory"
|
||||
"identifier": "Directory",
|
||||
"columnName": "FilePathCustomEntity"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "File"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -352,7 +352,7 @@
|
|||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs",
|
||||
"apiVersion": "2021-05-01",
|
||||
"apiVersion": "2022-02-01",
|
||||
"name": "[variables('analyticRuleTemplateSpecName2')]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
|
@ -366,7 +366,7 @@
|
|||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs/versions",
|
||||
"apiVersion": "2021-05-01",
|
||||
"apiVersion": "2022-02-01",
|
||||
"name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
|
@ -377,7 +377,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "SOURGUM_IOC_WindowsEvent_AnalyticalRules Analytics Rule with template version 2.0.2",
|
||||
"description": "CaramelTsunami_IOC_WindowsEvent_AnalyticalRules Analytics Rule with template version 2.0.3",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('analyticRuleVersion2')]",
|
||||
|
@ -391,8 +391,8 @@
|
|||
"kind": "Scheduled",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"properties": {
|
||||
"description": "Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM",
|
||||
"displayName": "SOURGUM Actor IOC - July 2021",
|
||||
"description": "Identifies a match across IOC's related to an actor tracked by Microsoft as Caramel Tsunami",
|
||||
"displayName": "Caramel Tsunami Actor IOC - July 2021",
|
||||
"enabled": false,
|
||||
"query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet file_path1 = (iocs | where Type =~ \"filepath1\" | project IoC);\nlet file_path2 = (iocs | where Type =~ \"filepath2\" | project IoC);\nlet file_path3 = (iocs | where Type =~ \"filepath3\" | project IoC);\nlet reg_key = (iocs | where Type =~ \"regkey\" | project IoC);\nWindowsEvent\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any ('reg add') or EventData has_any (reg_key) )\n| extend CommandLine = tostring(EventData.CommandLine)\n| extend NewProcessName = tostring(EventData.NewProcessName)\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n| where (CommandLine has_any (file_path1)) or\n (CommandLine has_any (file_path3)) or\n (CommandLine has 'reg add' and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \n (NewProcessName has_any (file_path1)) or\n (NewProcessName has_any (file_path3)) or\n (ParentProcessName has_any (file_path1)) or \n (ParentProcessName has_any (file_path3)) \n| extend Account = strcat(EventData.SubjectDomainName,\"\\\\\", EventData.SubjectUserName)\n| extend NewProcessId = tostring(EventData.NewProcessId)\n| extend IPCustomEntity = tostring(EventData.IpAddress)\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected'\n",
|
||||
"queryFrequency": "PT6H",
|
||||
|
@ -419,40 +419,40 @@
|
|||
],
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "AccountCustomEntity",
|
||||
"identifier": "FullName"
|
||||
"identifier": "FullName",
|
||||
"columnName": "AccountCustomEntity"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Account"
|
||||
},
|
||||
{
|
||||
"entityType": "Host",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "HostCustomEntity",
|
||||
"identifier": "FullName"
|
||||
"identifier": "FullName",
|
||||
"columnName": "HostCustomEntity"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Host"
|
||||
},
|
||||
{
|
||||
"entityType": "IP",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "IPCustomEntity",
|
||||
"identifier": "Address"
|
||||
"identifier": "Address",
|
||||
"columnName": "IPCustomEntity"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "IP"
|
||||
},
|
||||
{
|
||||
"entityType": "Process",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "ProcessCustomEntity",
|
||||
"identifier": "ProcessId"
|
||||
"identifier": "ProcessId",
|
||||
"columnName": "ProcessCustomEntity"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Process"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -493,7 +493,7 @@
|
|||
"apiVersion": "2022-01-01-preview",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"properties": {
|
||||
"version": "2.0.2",
|
||||
"version": "2.0.3",
|
||||
"kind": "Solution",
|
||||
"contentSchemaVersion": "2.0.0",
|
||||
"contentId": "[variables('_solutionId')]",
|
||||
|
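Review bot: The packaged `query` string just below the renamed `displayName` still ends with `Alert = 'SOURGUM IOC detected'`. Alerts from the rule now titled "Caramel Tsunami Actor IOC - July 2021" will therefore carry the old actor name in their Alert column. Analysts or automation filtering on the new name will miss them, and the two names in one incident invite confusion. If the old label is kept on purpose for continuity, state the alias in the rule description; otherwise change it to `Alert = 'Caramel Tsunami IOC detected'` in the YAML source and regenerate the template. The query line appears as unchanged context here, so the source rule presumably holds the same string.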
|
|
@ -2690,22 +2690,6 @@
|
|||
"subtitle": "",
|
||||
"provider": "Okta"
|
||||
},
|
||||
{
|
||||
"workbookKey": "MicrosoftDefenderForEndPoint",
|
||||
"logoFileName": "",
|
||||
"description": "A wokbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through M365 Defender Connector.",
|
||||
"dataTypesDependencies": [],
|
||||
"dataConnectorsDependencies": [],
|
||||
"previewImagesFileNames": [
|
||||
"microsoftdefenderforendpointwhite.png",
|
||||
"microsoftdefenderforendpointblack.png"
|
||||
],
|
||||
"version": "1.0.0",
|
||||
"title": "MicrosoftDefenderForEndPoint",
|
||||
"templateRelativePath": "MicrosoftDefenderForEndPoint.json",
|
||||
"subtitle": "",
|
||||
"provider": "Microsoft Sentinel Community"
|
||||
},
|
||||
{
|
||||
"workbookKey": "Dynamics365Workbooks",
|
||||
"logoFileName": "DynamicsLogo.svg",
|
||||
|
|