ACNCD_DataConnectors_final (#767)

* final PR

* detection corrections

* Revisions

* add default Function app root files

* revisions

DataConnectors/Okta Single Sign-On/AzureFunctionOktaSSO/AzureFunctionOktaSSO/function.json

@@ -0,0 +1,11 @@
+{
+    "bindings": [
+      {
+        "type": "timerTrigger",
+        "name": "Timer",
+        "schedule": "0 */5 * * * *",
+        "direction": "in"
+      }
+    ],
+    "disabled": false
+  }

DataConnectors/Okta Single Sign-On/AzureFunctionOktaSSO/AzureFunctionOktaSSO/run.ps1

@@ -0,0 +1,101 @@
+<#  
+    Title:          Okta Data Connector
+    Language:       PowerShell
+    Version:        1.0
+    Author(s):      Microsoft
+    Last Modified:  5/12/2020
+    Comment:        Inital Release
+
+    DESCRIPTION
+    This Function App calls the Okta System Log API (https://developer.okta.com/docs/reference/api/system-log/) to pull the Okta System logs. The response from the Okta API is recieved in JSON format. This function will build the signature and authorization header 
+    needed to post the data to the Log Analytics workspace via the HTTP Data Connector API. The Function App will post the Okta logs to the Okta_CL table in the Log Analytics workspace.
+#>
+
+# Input bindings are passed in via param block.
+param($Timer)
+# Get the current universal time in the default string format
+$currentUTCtime = (Get-Date).ToUniversalTime()
+# The 'IsPastDue' porperty is 'true' when the current function invocation is later than scheduled.
+if ($Timer.IsPastDue) {
+    Write-Host "PowerShell timer is running late!"
+}
+
+# Build the headers for the Okta API request
+$apiToken = $env:apiToken
+$time = $env:timeInterval
+$uri = $env:uri
+
+$startDate = [System.DateTime]::UtcNow.AddMinutes(-$($time)).ToString("yyyy-MM-dd'T'HH:mm:sssZ")
+$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
+$headers.Add("Content-Type", "application/json")
+$headers.Add("Authorization", "SSWS $apiToken")
+$response = Invoke-RestMethod -uri "$uri$($startDate)"  -Method 'GET' -Headers $headers -Body $body
+
+# Define the Log Analytics Workspace ID and Key and Custom Table Name
+$customerId = $env:workspaceId
+$sharedKey =  $env:workspaceKey
+$LogType = $env:tableName
+$TimeStampField = "DateValue"
+
+# Function to create the authorization signature
+Function Build-Signature ($customerId, $sharedKey, $date, $contentLength, $method, $contentType, $resource)
+{
+    $xHeaders = "x-ms-date:" + $date
+    $stringToHash = $method + "`n" + $contentLength + "`n" + $contentType + "`n" + $xHeaders + "`n" + $resource
+
+    $bytesToHash = [Text.Encoding]::UTF8.GetBytes($stringToHash)
+    $keyBytes = [Convert]::FromBase64String($sharedKey)
+
+    $sha256 = New-Object System.Security.Cryptography.HMACSHA256
+    $sha256.Key = $keyBytes
+    $calculatedHash = $sha256.ComputeHash($bytesToHash)
+    $encodedHash = [Convert]::ToBase64String($calculatedHash)
+    $authorization = 'SharedKey {0}:{1}' -f $customerId,$encodedHash
+    return $authorization
+}
+
+# Function to create and post the request
+Function Post-LogAnalyticsData($customerId, $sharedKey, $body, $logType)
+{
+    $method = "POST"
+    $contentType = "application/json"
+    $resource = "/api/logs"
+    $rfc1123date = [DateTime]::UtcNow.ToString("r")
+    $contentLength = $body.Length
+    $signature = Build-Signature `
+        -customerId $customerId `
+        -sharedKey $sharedKey `
+        -date $rfc1123date `
+        -contentLength $contentLength `
+        -method $method `
+        -contentType $contentType `
+        -resource $resource
+    $uri = "https://" + $customerId + ".ods.opinsights.azure.com" + $resource + "?api-version=2016-04-01"
+
+    $headers = @{
+        "Authorization" = $signature;
+        "Log-Type" = $logType;
+        "x-ms-date" = $rfc1123date;
+        "time-generated-field" = $TimeStampField;
+    }
+
+    $response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $contentType -Headers $headers -Body $body -UseBasicParsing
+    return $response.StatusCode
+
+}
+
+$recordCount = $response.Count
+
+if ($recordCount -gt 0) {
+    Write-Output "$recordCount record(s) are avaliable as of $startDate"
+    $json = $response | ConvertTo-Json -Depth 5
+    Post-LogAnalyticsData -customerId $customerId -sharedKey $sharedKey -body ([System.Text.Encoding]::UTF8.GetBytes($json)) -logType $LogType  
+}
+else{
+
+    Write-Output "No new Okta logs are avaliable as of $startDate"
+}
+
+# Write an information log with the current time.
+Write-Host "PowerShell timer trigger function ran! TIME: $currentUTCtime"
+

DataConnectors/Okta Single Sign-On/AzureFunctionOktaSSO/host.json

@@ -0,0 +1,10 @@
+{
+    "version": "2.0",
+    "managedDependency": {
+      "Enabled": true
+    },
+    "extensionBundle": {
+      "id": "Microsoft.Azure.Functions.ExtensionBundle",
+      "version": "[1.*, 2.0.0)"
+    }
+  }

DataConnectors/Okta Single Sign-On/AzureFunctionOktaSSO/profile.ps1

@@ -0,0 +1,20 @@
+# Azure Functions profile.ps1
+#
+# This profile.ps1 will get executed every "cold start" of your Function App.
+# "cold start" occurs when:
+#
+# * A Function App starts up for the very first time
+# * A Function App starts up after being de-allocated due to inactivity
+#
+# You can define helper functions, run commands, or specify environment variables
+# NOTE: any variables defined that are not environment variables will get reset after the first execution
+# Authenticate with Azure PowerShell using MSI.
+# Remove this if you are not planning on using MSI or Azure PowerShell.
+
+if ($env:MSI_SECRET -and (Get-Module -ListAvailable Az.Accounts)) {
+        Connect-AzAccount -Identity
+    }
+    
+    # Uncomment the next line to enable legacy AzureRm alias in Azure PowerShell.
+    # Enable-AzureRmAlias
+    # You can also define functions or aliases that can be referenced in any of your PowerShell functions.

DataConnectors/Okta Single Sign-On/AzureFunctionOktaSSO/requirements.psd1

@@ -0,0 +1,7 @@
+# This file enables modules to be automatically managed by the Functions service.
+# See https://aka.ms/functionsmanageddependency for additional information.
+#
+@{
+    # For latest supported version, go to 'https://www.powershellgallery.com/packages/Az'. 
+    'Az' = '4.*'
+}

DataConnectors/Okta Single Sign-On/Connector_REST_API_FunctionApp_Okta.json

@@ -0,0 +1,130 @@
+{
+    "id": "OktaSSO",
+    "title": "Okta Single Sign-On (Preview)",
+    "publisher": "Okta",
+    "descriptionMarkdown": "The [Okta Single Sign-On (SSO)](https://www.okta.com/products/single-sign-on/) connector provides the capability to ingest audit and event logs from the Okta API into Azure Sentinel. The connector provides visibility into these log types in Azure Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities.",
+    "graphQueries": [
+        {
+            "metricName": "Total data received",
+            "legend": "Okta Logs",
+            "baseQuery": "Okta_CL"
+        }
+    ],
+    "sampleQueries": [
+        {
+            "description" : "Top 10 Active Applications",
+            "query": "Okta_CL \n| mv-expand todynamic(target_s)  \n| where target_s.type == \"AppInstance\"  \n| summarize count() by tostring(target_s.alternateId)  \n| top 10 by count_"
+        },
+        {
+            "description" : "Top 10 Client IP Addresses",
+            "query": "Okta_CL \n| summarize count() by client_ipAddress_s \n| top 10 by count_"
+        }
+    ],
+    "dataTypes": [
+        {
+            "name": "Okta_CL",
+            "lastDataReceivedQuery": "Okta_CL\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+        }
+    ],
+    "connectivityCriterias": [
+        {
+            "type": "IsConnectedQuery",
+            "value": [
+                "Okta_CL\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(30d)"
+            ]
+        }
+    ],
+    "availability": {
+        "status": 1
+    },
+    "permissions": {
+        "resourceProvider": [
+            {
+                "provider": "Microsoft.OperationalInsights/workspaces",
+                "permissionsDisplayText": "read and write permissions are required.",
+                "providerDisplayName": "Workspace",
+                "scope": "Workspace",
+                "requiredPermissions": {
+                    "write": true,
+                    "read": true,
+                    "delete": true
+                }
+            },
+            {
+                "provider":"Microsoft.Web/sites",
+                "permissionsDisplayText":"read and write permissions to Azure Functions to create a Function App. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).",
+                "providerDisplayName":"Azure Functions",
+                "scope":"Azure Functions",
+                "requiredPermissions":{
+                    "read": true,
+                    "write": true,
+                    "delete": true
+                }
+            }
+        ],
+        "customs": [
+            {
+                "name": "Okta API Token",
+                "description": "A Okta API Token is required. See the documentation to learn more about the [Okta System Log API](https://developer.okta.com/docs/reference/api/system-log/)."
+            }
+        ]
+    },
+    "instructionSteps": [
+        {
+            "title": "",
+            "description": ">**NOTE:** This connector uses Azure Functions to connect to Okta SSO to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
+        },
+        {
+            "title": "",
+            "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
+        },
+        {
+            "title": "",
+            "description": "**STEP 1 - Configuration steps for the Okta SSO API**\n\n [Follow these instructions](https://developer.okta.com/docs/guides/create-an-api-token/create-the-token/) to create an API Token." 
+        },
+        {
+            "title": "",
+            "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Okta SSO connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Okta SSO API Authorization Token, readily available.", 
+            "instructions":[
+                {
+                    "parameters": {
+                        "fillWith": [
+                            "WorkspaceId"
+                        ],
+                        "label": "Workspace ID"
+                    },
+                    "type": "CopyableLabel"
+                },
+                {
+                    "parameters": {
+                        "fillWith": [
+                            "PrimaryKey"
+                        ],
+                        "label": "Primary Key"
+                    },
+                    "type": "CopyableLabel"
+                }
+            ]
+        },
+        {
+            "title": "Option 1 - Azure Resource Manager (ARM) Template",
+            "description": "This method provides an automated deployment of the Okta SSO connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentineloktaazuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Token**, **URI** and **TimeInterval**. \n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion.\n - Use the following schema for the `uri` value: `https://<OktaDomain>/api/v1/logs?since=` Replace `<OktaDomain>` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. There is no need to add a time suffix to the URI, the Function App will dynamically append the time value to the URI in the proper format. \n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+        },
+        {
+            "title": "Option 2 - Manual Deployment of Azure Functions",
+            "description": "Use the following step-by-step instructions to deploy the Okta SSO connector manually with Azure Functions."
+        },
+        {
+            "title": "",
+            "description": "**1. Create a Function App**\n\n1.  From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**."
+        },
+        {
+            "title": "",
+            "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and leave the default cron schedule of every 5 minutes, then click **Create**.\n4. Click on **Code + Test** on the left pane. \n5. Copy the [Function App Code](https://aka.ms/sentineloktaazurefunctioncode) and paste into the Function App `run.ps1` editor.\n5. Click **Save**."
+        },
+        {
+            "title": "",
+            "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following five (5) application settings individually, with their respective string values (case-sensitive): \n\t\tapiToken\n\t\ttimeInterval\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n - Set the `timeInterval` (in minutes) to the default value of `5` to correspond to the default Timer Trigger of every `5` minutes. Note that modifying time interval will require modifying the Function App Timer Trigger accordingly to prevent overlapping data.\n - Use the following schema for the `uri` value: `https://<OktaDomain>/api/v1/logs?since=` Replace `<OktaDomain>` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. There is no need to add a time suffix to the URI, the Function App will dynamically append the time value to the URI in the proper format.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Once all application settings have been entered, click **Save**."
+        }
+    ]
+}

DataConnectors/Okta Single Sign-On/azuredeploy_OktaSingleSignOn_API_FunctionApp.json

@@ -0,0 +1,235 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+      "parameters": {
+          "FunctionName": {
+              "defaultValue": "OktaSSOAPI",
+              "type": "string"
+          },  
+          "WorkspaceID": {
+              "type": "string",
+              "defaultValue": "<workspaceID>"
+          },
+          "WorkspaceKey": {
+              "type": "string",
+              "defaultValue": "<workspaceKey>"
+          },
+          "APIToken": {
+              "type": "string",
+              "defaultValue": "<apiToken>"
+          },
+          "Uri": {
+              "type": "string",
+              "defaultValue": "https://<OktaDomain>/api/v1/logs?since="
+          },
+          "TimeInterval": {
+              "type": "string",
+              "defaultValue": "5"
+          }
+      },
+      "variables": {
+      },
+      "resources": [
+          {
+              "type": "Microsoft.Insights/components",
+              "apiVersion": "2015-05-01",
+              "name": "[parameters('FunctionName')]",
+              "location": "[resourceGroup().location]",
+              "kind": "web",
+              "properties": {
+                  "Application_Type": "web",
+                  "ApplicationId": "[parameters('FunctionName')]"
+              }
+          },
+          
+          {
+              "type": "Microsoft.Storage/storageAccounts",
+              "apiVersion": "2019-06-01",
+              "name": "[tolower(parameters('FunctionName'))]",
+              "location": "[resourceGroup().location]",
+              "sku": {
+                  "name": "Standard_LRS",
+                  "tier": "Standard"
+              },
+              "kind": "StorageV2",
+              "properties": {
+                  "networkAcls": {
+                      "bypass": "AzureServices",
+                      "virtualNetworkRules": [
+                      ],
+                      "ipRules": [
+                      ],
+                      "defaultAction": "Allow"
+                  },
+                  "supportsHttpsTrafficOnly": true,
+                  "encryption": {
+                      "services": {
+                          "file": {
+                              "keyType": "Account",
+                              "enabled": true
+                          },
+                          "blob": {
+                              "keyType": "Account",
+                              "enabled": true
+                          }
+                      },
+                      "keySource": "Microsoft.Storage"
+                  }
+              }
+          },
+          {
+              "type": "Microsoft.Web/serverfarms",
+              "apiVersion": "2018-02-01",
+              "name": "[parameters('FunctionName')]",
+              "location": "[resourceGroup().location]",
+              "sku": {
+                  "name": "Y1",
+                  "tier": "Dynamic"
+              },
+              "kind": "functionapp",
+              "properties": {
+                  "name": "[parameters('FunctionName')]",
+                  "workerSize": "0",
+                  "workerSizeId": "0",
+                  "numberOfWorkers": "1"
+              }
+          },
+          {
+              "type": "Microsoft.Storage/storageAccounts/blobServices",
+              "apiVersion": "2019-06-01",
+              "name": "[concat(parameters('FunctionName'), '/default')]",
+              "dependsOn": [
+                  "[resourceId('Microsoft.Storage/storageAccounts', tolower(parameters('FunctionName')))]"
+              ],
+              "sku": {
+                  "name": "Standard_LRS",
+                  "tier": "Standard"
+              },
+              "properties": {
+                  "cors": {
+                      "corsRules": [
+                      ]
+                  },
+                  "deleteRetentionPolicy": {
+                      "enabled": false
+                  }
+              }
+          },
+          {
+              "type": "Microsoft.Storage/storageAccounts/fileServices",
+              "apiVersion": "2019-06-01",
+              "name": "[concat(parameters('FunctionName'), '/default')]",
+              "dependsOn": [
+                  "[resourceId('Microsoft.Storage/storageAccounts', tolower(parameters('FunctionName')))]"
+              ],
+              "sku": {
+                  "name": "Standard_LRS",
+                  "tier": "Standard"
+              },
+              "properties": {
+                  "cors": {
+                      "corsRules": [
+                      ]
+                  }
+              }
+          },
+          {
+              "type": "Microsoft.Web/sites",
+              "apiVersion": "2018-11-01",
+              "name": "[parameters('FunctionName')]",
+              "location": "[resourceGroup().location]",
+              "dependsOn": [
+                  "[resourceId('Microsoft.Storage/storageAccounts', tolower(parameters('FunctionName')))]",
+                  "[resourceId('Microsoft.Web/serverfarms', parameters('FunctionName'))]",
+                  "[resourceId('Microsoft.Insights/components', parameters('FunctionName'))]"
+              ],
+              "kind": "functionapp",
+              "identity": {
+                  "type": "SystemAssigned"
+              },
+              "properties": {
+                  "name": "[parameters('FunctionName')]",
+                  "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('FunctionName'))]",
+                  "httpsOnly": true,
+                  "clientAffinityEnabled": true,
+                   "alwaysOn": true
+              },
+              "resources": [
+                  {
+                      "apiVersion": "2018-11-01",
+                      "type": "config",
+                      "name": "appsettings",
+                      "dependsOn": [
+                          "[concat('Microsoft.Web/sites/', parameters('FunctionName'))]"
+                      ],
+                      "properties": {
+                          "FUNCTIONS_EXTENSION_VERSION": "~3",
+                          "FUNCTIONS_WORKER_RUNTIME": "powershell",
+                          "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', parameters('FunctionName')), '2015-05-01').InstrumentationKey]",
+                          "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', parameters('FunctionName')), '2015-05-01').ConnectionString]",
+                          "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(parameters('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(parameters('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.windows.net')]",
+                          "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(parameters('FunctionName')),';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(parameters('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.windows.net')]",
+                          "WEBSITE_CONTENTSHARE": "[toLower(parameters('FunctionName'))]",
+                          "workspaceID": "[parameters('WorkspaceID')]",
+                          "workspaceKey": "[parameters('WorkspaceKey')]",
+                          "apiToken": "[parameters('APIToken')]",
+                          "uri": "[parameters('Uri')]",
+                          "timeInterval": "[parameters('TimeInterval')]",
+                          "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentineloktafunctionzip"
+
+                                   } 
+                  }
+              ]
+          },
+          {
+              "type": "Microsoft.Web/sites/hostNameBindings",
+              "apiVersion": "2018-11-01",
+              "name": "[concat(parameters('FunctionName'), '/', parameters('FunctionName'), '.azurewebsites.net')]",
+              "location": "[resourceGroup().location]",
+              "dependsOn": [
+                  "[resourceId('Microsoft.Web/sites', parameters('FunctionName'))]"
+              ],
+              "properties": {
+                  "siteName": "[parameters('FunctionName')]",
+                  "hostNameType": "Verified"
+              }
+          },
+          {
+              "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
+              "apiVersion": "2019-06-01",
+              "name": "[concat(parameters('FunctionName'), '/default/azure-webjobs-hosts')]",
+              "dependsOn": [
+                  "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('FunctionName'), 'default')]",
+                  "[resourceId('Microsoft.Storage/storageAccounts', parameters('FunctionName'))]"
+              ],
+              "properties": {
+                  "publicAccess": "None"
+              }
+          },
+          {
+              "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
+              "apiVersion": "2019-06-01",
+              "name": "[concat(parameters('FunctionName'), '/default/azure-webjobs-secrets')]",
+              "dependsOn": [
+                  "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('FunctionName'), 'default')]",
+                  "[resourceId('Microsoft.Storage/storageAccounts', parameters('FunctionName'))]"
+              ],
+              "properties": {
+                  "publicAccess": "None"
+              }
+          },
+          {
+              "type": "Microsoft.Storage/storageAccounts/fileServices/shares",
+              "apiVersion": "2019-06-01",
+              "name": "[concat(parameters('FunctionName'), '/default/', tolower(parameters('FunctionName')))]",
+              "dependsOn": [
+                  "[resourceId('Microsoft.Storage/storageAccounts/fileServices', parameters('FunctionName'), 'default')]",
+                  "[resourceId('Microsoft.Storage/storageAccounts', parameters('FunctionName'))]"
+              ],
+              "properties": {
+                  "shareQuota": 5120
+              }
+          }
+      ]
+  }
+  

DataConnectors/Sophos XG Firewall/Connector_Syslog_SophosXGFirewall.json

@@ -0,0 +1,123 @@
+{ 
+    "id": "SophosXGFirewall",
+    "title": "Sophos XG Firewall (Preview)", 
+    "publisher": "Sophos", 
+    "descriptionMarkdown": "The [Sophos XG Firewall](https://www.sophos.com/products/next-gen-firewall.aspx) allows you to easily connect your Sophos XG Firewall logs with Azure Sentinel, to view dashboards, create custom alerts, and improve investigations. Integrating Sophos XG Firewall with Azure Sentinel provides more visibility into your organization's firewall traffic and will enhance security monitoring capabilities.", 
+    "additionalRequirementBanner":"These queries and workbooks are dependent on a parser based on a Kusto Function to work as expected. Follow the steps to use this Kusto functions alias **SophosXGFirewall** in queries and workbooks. [Follow these steps to get this Kusto functions.](https://aka.ms/sentinelgithubparserssophosxgfirewall)",
+    "graphQueries": [ 
+     { 
+         "metricName": "Total data received", 
+         "legend": "Sophos", 
+         "baseQuery": "SophosXGFirewall" 
+     } 
+    ], 
+    "sampleQueries": [ 
+        { 
+        "description" : "Top 10 Denied Source IPs", 
+        "query": "SophosXGFirewall \n| where Log_Type == \"Firewall\" and Status == \"Deny\" \n| summarize count() by Src_IP \n| top 10 by count_"     
+        },
+        {
+        "description" : "Top 10 Denied Destination IPs",
+        "query": "SophosXGFirewall \n| where Log_Type == \"Firewall\" and Status == \"Deny\" \n| summarize count() by Dst_IP \n| top 10 by count_" 
+        }
+    ], 
+    "dataTypes": [ 
+    { 
+        "name": "Syslog (SophosXGFirewall)", 
+        "lastDataReceivedQuery": "SophosXGFirewall \n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)" 
+    } 
+], 
+        "connectivityCriterias": [ 
+        { 
+            "type": "IsConnectedQuery", 
+            "value": [ 
+            "SophosXGFirewall \n      | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(30d)" 
+        ] 
+        } 
+    ], 
+    "availability": { 
+    "status": 1 
+    }, 
+    "permissions": { 
+    "resourceProvider": [ 
+            { 
+                "provider": "Microsoft.OperationalInsights/workspaces", 
+                "permissionsDisplayText": "write permission is required.", 
+                "providerDisplayName": "Workspace", 
+                "scope": "Workspace", 
+                "requiredPermissions": { 
+                "write": true, 
+                "delete": true 
+            } 
+        } 
+    ],
+    "customs": [
+        {
+            "name": "Sophos XG Firewall",
+            "description": "must be configured to export logs via Syslog"
+        }
+    ]
+}, 
+    "instructionSteps": [ 
+        { 
+            "title": "", 
+            "description": ">This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinelgithubparserssophosfirewallxg) to create the Kusto functions alias, **SophosXGFirewall**",
+            "instructions": [ 
+            ]    
+        }, 
+        { 
+            "title": "1. Install and onboard the agent for Linux", 
+            "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n>  Syslog logs are collected only from **Linux** agents.", 
+            "instructions": [ 
+                { 
+                "parameters": { 
+                "title": "Choose where to install the agent:", 
+    "instructionSteps": [ 
+            { 
+            "title": "Install agent on Azure Linux Virtual Machine", 
+            "description": "Select the machine to install the agent on and then click **Connect**.", 
+            "instructions": [ 
+                { 
+                "parameters": { 
+                "linkType": "InstallAgentOnLinuxVirtualMachine" 
+                }, 
+                "type": "InstallAgent" 
+                } 
+            ]    
+        }, 
+            { 
+            "title": "Install agent on a non-Azure Linux Machine", 
+            "description": "Download the agent on the relevant machine and follow the instructions.", 
+            "instructions": [ 
+                { 
+                "parameters": { 
+                "linkType": "InstallAgentOnLinuxNonAzure" 
+                }, 
+                "type": "InstallAgent" 
+                } 
+            ] 
+        } 
+    ] 
+        }, 
+            "type": "InstructionStepsGroup" 
+            } 
+        ] 
+            }, 
+    { 
+            "title": "2. Configure the logs to be collected", 
+            "description": "Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3.  Click **Save**.",
+            "instructions": [
+                {
+                    "parameters": { 
+                        "linkType": "OpenAdvancedWorkspaceSettings"
+                    },
+                    "type": "InstallAgent"
+                }
+            ]
+        },
+    {
+        "title": "3. Configure and connect the Sophos XG Firewall",
+        "description":"[Follow these instructions](https://community.sophos.com/kb/123184#How%20to%20configure%20the%20Syslog%20Server) to enable syslog streaming. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address."
+    }
+]
+} 

Detections/OktaSSO/FailedLoginsFromUnknownOrInvalidUser.yaml

@@ -0,0 +1,34 @@
+id: 884be6e7-e568-418e-9c12-89229865ffde
+name: Failed Logins from Unknown or Invalid User
+description: |
+  'This creates an incident in the event that numerous login attempts to the management console with an unknown or invalid user name'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: OktaSSO
+    dataTypes: 
+      - Okta_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CredentialAccess 
+relevantTechniques:
+  - T1110
+query: |
+
+  let timeframe = ago(1h);
+  let FailureThreshold = 15;
+  let FailedLogins = Okta_CL
+  | where TimeGenerated > timeframe
+  | where eventType_s =~ "user.session.start" and outcome_reason_s =~ "UNKNOWN_USER"
+  | summarize count() by client_ipAddress_s, bin(TimeGenerated, 5m)
+  | where count_ > FailureThreshold
+  | project client_ipAddress_s;
+  Okta_CL
+  | where published_t > timeframe
+  | join kind=inner FailedLogins () on client_ipAddress_s
+  | where eventType_s =~ "user.session.start" and outcome_reason_s =~ "UNKNOWN_USER"
+  | summarize count() by ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)
+  | sort by TimeGenerated desc
+  | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP

Detections/OktaSSO/LoginfromUsersfromDifferentCountrieswithin3hours.yaml

@@ -0,0 +1,28 @@
+id: 2954d424-f786-4677-9ffc-c24c44c6e7d5
+name: Login from User(s) from Different Countries within 3 hours
+description: |
+  'This creates an incident in the event that a user logs into the Okta Console from different countries within 3 hours'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: OktaSSO
+    dataTypes: 
+      - Okta_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitalAccess 
+relevantTechniques:
+  - T1078
+query: |
+
+  let timeframe = ago(3h);
+  let threshold = 2;
+  Okta_CL
+  | where published_t >= timeframe
+  | where eventType_s =~ "user.session.start"
+  | where outcome_result_s =~ "SUCCESS"
+  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s
+  | where NumOfCountries >= threshold
+  | extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s

Detections/OktaSSO/PasswordSpray.yaml

@@ -0,0 +1,35 @@
+id: e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508
+name: Potential Password Spray Attack
+description: |
+  'This creates an incident when numerous lock out events from different accounts occurs'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: OktaSSO
+    dataTypes: 
+      - Okta_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CredentialAccess 
+relevantTechniques:
+  - T1110
+query: |
+
+  let timeframe = ago(1h);
+  let FailureThreshold = 15;
+  let LockOutEvents = Okta_CL
+  | where TimeGenerated > timeframe
+  | where eventType_s =~ "user.account.lock"
+  | summarize count() by client_ipAddress_s, bin(TimeGenerated, 5m)
+  | where count_ > FailureThreshold
+  | project TimeGenerated;
+  Okta_CL
+  | where TimeGenerated > timeframe
+  | where eventType_s =~ "user.account.lock"
+  | extend TimeGenerated = bin(TimeGenerated, 5m)
+  | join kind=inner LockOutEvents () on TimeGenerated
+  | summarize User = make_set(actor_alternateId_s) by ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)
+  | sort by TimeGenerated desc
+  | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP

Detections/SophosXGFirewall/ExcessiveAmountofDeniedConnectionsfromASingleSource.yaml

@@ -0,0 +1,27 @@
+id: 3d645a88-2724-41a7-adea-db74c439cf79
+name: Excessive Amount of Denied Connections from a Single Source
+description: |
+  'This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: SophosXGFirewall
+    dataTypes: 
+      - Syslog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+relevantTechniques:
+  - T1499
+query: |
+
+  let timeframe = ago(1h);
+  let threshold = 5000;
+  SophosXGFirewall
+  | where TimeGenerated >= timeframe
+  | where Log_Type =~ "Firewall" and Status =~ "Deny"
+  | summarize count() by Src_IP, bin(TimeGenerated,5m)
+  | where count_ > threshold
+  | extend timestamp = TimeGenerated, IPCustomEntity = Src_IP

Detections/SophosXGFirewall/PortScanDetected.yaml

@@ -0,0 +1,28 @@
+id: 427e4c9e-8cf4-4094-a684-a2d060dbca38
+name: Port Scan Detected
+description: |
+  'This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short period.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: SophosXGFirewall
+    dataTypes: 
+      - Syslog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Discovery
+relevantTechniques:
+  - T1046
+query: |
+
+  let timeframe = ago(1h);
+  let threshold = 50;
+  SophosXGFirewall
+  | where TimeGenerated >= timeframe
+  | where Log_Type =~ "Firewall"
+  | where not(ipv4_is_match("10.0.0.0",Src_IP,8) or ipv4_is_match("172.16.0.0",Src_IP,12) or ipv4_is_match("192.168.0.0",Src_IP,16))
+  | summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)
+  | where dcount_Dst_Port > threshold
+  | extend timestamp = TimeGenerated, IPCustomEntity = Src_IP

Detections/SymantecProxySG/UserAccessedSuspiciousURLCategories.yaml

@@ -12,9 +12,9 @@ queryPeriod: 1h
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - InitialAccess
+  - DefenseEvasion
 relevantTechniques:
-  - T1192
+  - T1090
 query: |
 
   let timeframe = ago(1h);

Logos/okta_logo.svg

@@ -0,0 +1,14 @@
+<svg xmlns="http://www.w3.org/2000/svg" height="800" width="1200" xml:space="preserve" y="0" x="0" id="Layer_1" version="1.1" viewBox="-60 -33.675 520 202.05">
+    <g id="g17005">
+        <g id="g16999">
+            <g id="g16993">
+                <path id="path16991" d="M50.3 33.8C22.5 33.8 0 56.3 0 84.1c0 27.8 22.5 50.3 50.3 50.3 27.8 0 50.3-22.5 50.3-50.3 0-27.8-22.5-50.3-50.3-50.3zm0 75.5c-13.9 0-25.2-11.3-25.2-25.2 0-13.9 11.3-25.2 25.2-25.2 13.9 0 25.2 11.3 25.2 25.2 0 13.9-11.3 25.2-25.2 25.2z"/>
+            </g>
+            <path id="path16995" d="M138.7 101c0-4 4.8-5.9 7.6-3.1 12.6 12.8 33.4 34.8 33.5 34.9.3.3.6.8 1.8 1.2.5.2 1.3.2 2.2.2h22.7c4.1 0 5.3-4.7 3.4-7.1l-37.6-38.5-2-2c-4.3-5.1-3.8-7.1 1.1-12.3L201.2 41c1.9-2.4.7-7-3.5-7h-20.6c-.8 0-1.4 0-2 .2-1.2.4-1.7.8-2 1.2-.1.1-16.6 17.9-26.8 28.8-2.8 3-7.8 1-7.8-3.1V4c0-2.9-2.4-4-4.3-4h-16.8c-2.9 0-4.3 1.9-4.3 3.6v126.6c0 2.9 2.4 3.7 4.4 3.7h16.8c2.6 0 4.3-1.9 4.3-3.8V101z"/>
+            <path id="path16997" d="M275.9 129.6l-1.8-16.8c-.2-2.3-2.4-3.9-4.7-3.5-1.3.2-2.6.3-3.9.3-13.4 0-24.3-10.5-25.1-23.8v-22c0-2.7 2-4.9 4.7-4.9h22.5c1.6 0 4-1.4 4-4.3V38.7c0-3.1-2-4.7-3.8-4.7h-22.7c-2.6 0-4.7-1.9-4.8-4.5V4c0-1.6-1.2-4-4.3-4h-16.7c-2.1 0-4.1 1.3-4.1 3.9v81.9c.7 27.2 23 48.9 50.3 48.9 2.3 0 4.5-.2 6.7-.5 2.4-.3 4-2.3 3.7-4.6z"/>
+        </g>
+        <g id="g17003">
+            <path id="path17001" d="M397.1 108.5c-14.2 0-16.4-5.1-16.4-24.2V38.2c0-1.6-1.2-4.3-4.4-4.3h-16.8c-2.1 0-4.4 1.7-4.4 4.3v2.1c-7.3-4.2-15.8-6.6-24.8-6.6-27.8 0-50.3 22.5-50.3 50.3 0 27.8 22.5 50.3 50.3 50.3 12.5 0 23.9-4.6 32.7-12.1 4.7 7.2 12.3 12 24.2 12.1 2 0 12.8.4 12.8-4.7v-17.9c0-1.5-1.2-3.2-2.9-3.2zm-66.7.8c-13.9 0-25.2-11.3-25.2-25.2 0-13.9 11.3-25.2 25.2-25.2 13.9 0 25.2 11.3 25.2 25.2-.1 13.9-11.4 25.2-25.2 25.2z" />
+        </g>
+    </g>
+</svg>

Logos/sophos_logo.svg

@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" height="800" width="1200" viewBox="-30 -8.37825 260 50.2695">
+    <path d="M1.585 27.412h15.068c2.626 0 4.064-.248 4.907-.793 1.041-.646 1.636-1.733 1.636-3.022 0-1.537-.794-2.876-2.131-3.521-.693-.396-1.984-.595-3.57-.595h-6.097c-3.964 0-6.542-.694-8.276-2.181C1.139 15.564 0 12.888 0 10.014 0 5.801 2.329 2.133 5.749.943 7.236.397 8.97.25 12.837.25h16.356v5.898H14.422c-3.123.049-3.371.049-4.411.297-1.387.346-2.23 1.635-2.23 3.369 0 1.489.693 2.678 1.884 3.223.991.447 1.784.545 4.164.545h5.303c4.858 0 7.484.744 9.418 2.727 1.487 1.486 2.479 4.412 2.479 7.288 0 3.519-1.636 6.789-4.213 8.376-1.635 1.04-3.716 1.337-8.625 1.337H1.585zM49.912 0c-4.659 0-8.724 1.141-11.301 3.223-3.271 2.578-5.005 7.387-5.005 13.732 0 4.41.939 8.031 2.874 10.756 2.577 3.719 7.585 5.802 13.929 5.802 4.461 0 8.229-1.093 10.708-3.075 3.271-2.625 5.108-7.388 5.108-13.188l-.015-.946-.04-.931-.066-.906-.089-.889-.116-.867-.144-.84-.165-.813-.191-.787-.104-.384-.111-.375-.116-.371-.121-.357-.125-.356-.134-.345-.14-.334-.146-.332-.147-.316-.155-.312-.161-.303-.166-.291-.174-.285-.175-.277-.183-.264-.188-.254C60.523 1.836 55.811 0 49.912 0zm.048 5.599c5.899 0 8.526 3.473 8.526 11.204 0 7.634-2.677 11.153-8.526 11.153-5.947 0-8.625-3.521-8.625-11.252l.004-.326.004-.322.005-.316.013-.312.014-.305.014-.303.018-.295.022-.291.026-.287.027-.277.031-.271.035-.268.036-.264.04-.26.045-.25.045-.25.05-.24.054-.232.054-.232.059-.224.062-.22.062-.215.066-.205.072-.201.076-.196.076-.192.081-.183.085-.183.084-.174.089-.166.094-.162.094-.155c1.339-2.134 3.867-3.328 7.088-3.328zM69.99.25v33.062h7.034V21.758H88.33c3.767 0 5.546-.492 7.48-2.128 2.28-1.932 3.669-5.154 3.669-8.625 0-2.924-1.04-5.652-2.973-7.734C94.326.842 92.291.25 86.492.25zm7.034 5.899h9.715c1.14 0 2.033.097 2.578.296 1.538.545 2.431 2.131 2.431 4.311 0 1.835-.547 3.422-1.438 4.166l-.071.062-.072.061-.076.059-.075.059-.081.053-.08.05-.085.049-.089.046-.09.043-.094.045-.094.037-.098.039-.104.036-.103.029-.107.032-.112.031-.115.025-.116.021-.121.022-.125.022-.129.018-.13.018-.139.014-.139.018-.143.01-.152.009-.152.01-.156.009-.162.003-.166.005h-.17l-.175.004h-9.567V6.149zm45.503 13.53h-12.738v13.629h-7.039V.25h7.039v13.531h12.738V.25h7.039v33.058h-7.039zM150.088 0c-4.658 0-8.723 1.141-11.301 3.223-3.271 2.578-5.01 7.387-5.01 13.732 0 4.41.943 8.031 2.879 10.756 2.574 3.719 7.582 5.802 13.928 5.802 4.463 0 8.227-1.093 10.703-3.075 3.271-2.625 5.107-7.388 5.107-13.188l-.014-.946-.039-.931-.066-.906-.09-.889-.117-.867-.143-.84-.166-.813-.188-.787-.107-.384-.107-.375-.115-.371-.125-.357-.125-.356-.135-.345-.139-.334-.143-.332-.152-.316-.156-.312-.16-.303-.166-.291-.174-.285-.174-.277-.186-.264-.188-.254C160.693 1.836 155.988 0 150.088 0zm.051 5.599c5.896 0 8.525 3.473 8.525 11.204 0 7.634-2.678 11.153-8.525 11.153-5.947 0-8.625-3.521-8.625-11.252v-.326l.004-.322.01-.316.008-.312.014-.305.02-.303.018-.295.021-.291.021-.287.027-.277.035-.271.031-.268.035-.264.041-.26.043-.25.047-.25.049-.24.053-.232.055-.232.059-.224.062-.22.062-.215.07-.205.07-.201.072-.196.076-.192.08-.183.086-.183.084-.174.09-.166.094-.162.1-.155c1.336-2.134 3.865-3.328 7.088-3.328zm20.42 21.813h15.068c2.625 0 4.062-.248 4.906-.793 1.039-.646 1.635-1.733 1.635-3.022 0-1.537-.793-2.876-2.131-3.521-.695-.396-1.982-.595-3.568-.595h-6.098c-3.965 0-6.543-.694-8.277-2.181-1.982-1.736-3.123-4.412-3.123-7.286 0-4.213 2.328-7.881 5.75-9.071 1.486-.546 3.223-.693 7.088-.693h16.357v5.898h-14.771c-3.123.049-3.371.049-4.41.297-1.389.346-2.232 1.635-2.232 3.369 0 1.489.695 2.678 1.887 3.223.988.447 1.781.545 4.162.545h5.303c4.857 0 7.484.744 9.42 2.727C199.01 17.795 200 20.72 200 23.596c0 3.519-1.635 6.789-4.213 8.376-1.635 1.04-3.717 1.337-8.625 1.337h-16.604v-5.897z" fill="#007aff"/>
+</svg>

Parsers/PulseConnectSecure/PulseConnectSecure.txt

@@ -1,8 +1,8 @@
 // Title:           Pulse Connect Secure Data Parser
 // Author:          Microsoft
-// Version:         1.0
-// Last Updated:    06/01/2020
-// Comment:         Inital Release
+// Version:         1.1
+// Last Updated:    06/16/2020
+// Comment:         Added support for version 8.0R7 and above
 //  
 // DESCRIPTION:
 // This parser takes raw Pulse Connect Secure logs from a Syslog data stream and parses the data into a normalized schema
@@ -29,6 +29,7 @@
 //
 Syslog
 | where Computer in ("datasource") and Facility == "local7"
+//Version 8.0R7 and below
 | extend Parser = extract_all(@'^(\d{4}\-\d{2}-\d{2})\s(\d{2}\:\d{2}:\d{2})\s(\S+)\s(\S+)\s(\S+)\s\[(\S+)\]\s(\S+)\((.*)?\)\[(.*)\]\s\-\s(.*)',dynamic([1,2,3,4,5,6,7,8,9,10]),SyslogMessage)
 | mv-expand Parser
 | extend LogTime = todatetime(strcat(tostring(Parser[0]),'T',tostring(Parser[1]))), 
@@ -39,3 +40,14 @@ Syslog
     EventID = tostring(Parser[8]), 
     Messages = tostring(Parser[9])
 | project-away Parser
+//Version 8.0R7 and above
+| extend User = extract(@'user=(\S+)',1,SyslogMessage),
+    EventID = extract(@'id=(\S+)',1,SyslogMessage),
+    Pri = extract(@'pri=(\S+)',1,SyslogMessage),
+    Node = extract(@'vpn=\"(\S+)\"',1,SyslogMessage),
+    Realm = extract(@'realm=\"([\w\s\:\.]+)\"',1,SyslogMessage),
+    Roles = extract(@'roles=\"([\w\s\:\.]+)\"',1,SyslogMessage),
+    Type = extract(@'type=(\S+)',1,SyslogMessage),
+    Messages = extract(@'msg=\"([\w\s\:\.]+)\"',1,SyslogMessage),
+    Source_IP = extract(@'fw=([\d\.]+)',1,SyslogMessage),
+

Parsers/SophosXGFirewall/SophosXGFirewall.txt

@@ -0,0 +1,97 @@
+// Title:           Sophos XG Firewall Data Parser
+// Author:          Microsoft
+// Version:         1.0
+// Last Updated:    06/04/2020
+// Comment:         Inital Release
+//  
+// DESCRIPTION:
+// This parser takes raw Sophos XG Firewall logs from a Syslog data stream and parses the data into a normalized schema
+//
+// USAGE:
+// 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window. 
+// 2. In the query window, on the second line of the query, enter the hostname(s) of your Sophos XG Firewall device(s) and any other unique identifiers for the logstream. 
+//    For example: | where Computer in ("server1, server2") and Facility == "local0"
+// 3. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter a Function Name.
+//    In order for the Sophos XG Firewall logs to work with pre-built queries and workbooks the Function Alias must be set to - SophosXGFirewall
+// 4. Function App usually take 10-15 minutes to activate. You can then use Function Alias for other queries
+//
+// REFERENCES: 
+// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions
+// 
+// LOG SAMPLES:
+// This parser assumes the raw log are formatted as follows:
+//
+// messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="N/A" 
+// nat_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" 
+// app_technology="" app_category="" vlan_id="0" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="" in_display_interface="" 
+// out_interface="" out_display_interface="" src_mac="" dst_mac="" src_ip="216.163.176.36" src_country="USA" dst_ip="10.0.1.4" dst_country="R1" protocol="TCP" 
+// src_port="80" dst_port="50932" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" 
+// dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" 
+// message="Could not associate packet to any connection." appresolvedby="Signature" app_is_cloud="0" 
+// 
+//
+Syslog
+| where Computer in ("52.152.175.228") and Facility == "local0"
+| extend Device = extract(@'device=\"(\S+)\"', 1, SyslogMessage),
+Date = extract(@'date=(\S+)', 1, SyslogMessage),
+Time = extract(@'time=(\S+)', 1, SyslogMessage),
+Timezone = extract(@'timezone=\"(\S+)\"', 1, SyslogMessage),
+Device_Name = extract(@'device_name=\"(\S+)\"', 1, SyslogMessage),
+Device_ID = extract(@'device_id=(\S+)', 1, SyslogMessage),
+Log_ID = extract(@'(log_id|messageid)=\"?(\d+)\"?', 2, SyslogMessage),
+Log_Type = extract(@'log_type=\"?([\w\s]+)\"?', 1, SyslogMessage),
+Log_Component = extract(@'log_component=\"([\w\s]+)\"', 1, SyslogMessage),
+Log_Subtype = extract(@'log_subtype=\"([\w]+)\"', 1, SyslogMessage),
+Status = extract(@'status=\"?(\w+)\"?', 1, SyslogMessage),
+Priority = extract(@'priority=(\S+)', 1, SyslogMessage),
+Duration = extract(@'(con_duration|duration)=(\S+)', 2, SyslogMessage),
+FW_Rule_ID = extract(@'fw_rule_id=\"?(\S+)\"?', 1, SyslogMessage),
+Policy_Type = extract(@'policy_type=(\S+)', 1, SyslogMessage),
+User_Name = extract(@'(user_name|user)=\"(\S+)\"',2, SyslogMessage),
+User_GP = extract(@'(user_gp|user_group)=\"(\S+)\"', 2, SyslogMessage),
+IAP = extract(@'iap=(\S+)', 1, SyslogMessage),
+IPS_Policy_ID = extract(@'ips_policy_id=(\S+)', 1, SyslogMessage),
+Appfilter_Policy_ID = extract(@'appfilter_policy_id=(\S+)', 1, SyslogMessage),
+Application = extract(@'(application|app_name)=\"(\S+)\"', 2, SyslogMessage),
+Application_Risk = extract(@'(application_risk|app_risk)=(\S+)', 2, SyslogMessage),
+Application_Technology = extract(@'(application_technology|app_technology)=\"(\S+)\"', 2, SyslogMessage),
+Application_Category = extract(@'(application_category|app_category)=\"(\S+)\"', 2, SyslogMessage),
+In_Interface = extract(@'in_interface=\"(\S+)\"', 1, SyslogMessage),
+Out_Interface = extract(@'out_interface=\"(\S+)\"', 1, SyslogMessage),
+Src_MAC = extract(@'src_mac=\"?([\w\:]+)\"?', 1, SyslogMessage),
+Src_IP = extract(@'src_ip=\"?([\w\.]+)\"?', 1, SyslogMessage),
+Src_Country_Code = extract(@'(src_country|src_country_code)=\"?(\w+)\"?', 2, SyslogMessage),
+Dst_MAC = extract(@'dst_mac=\"?([\w\:]+)\"?', 1, SyslogMessage),
+Dst_IP = extract(@'dst_ip=\"?([\w\.]+)\"?', 1, SyslogMessage),
+Dst_Country_Code = extract(@'(dst_country|dst_country_code)=\"?(\w+)\"?', 2, SyslogMessage),
+Protocol = extract(@'protocol=\"?(\w+)\"?', 1, SyslogMessage),
+Src_Port = extract(@'src_port=\"?(\d+)\"?', 1, SyslogMessage),
+Dst_Port = extract(@'dst_port=\"?(\d+)\"?', 1, SyslogMessage),
+Sent_Pkts = extract(@'(packets_sent|sent_pkts)=\"?(\d+)\"?', 2, SyslogMessage),
+Recv_Pkts = extract(@'(packets_received|recv_pkts)=\"?(\d+)\"?', 2, SyslogMessage),
+Sent_Bytes = extract(@'(bytes_sent|sent_bytes)=\"?(\d+)\"?', 2, SyslogMessage),
+Recv_Bytes = extract(@'(bytes_received|recv_bytes)=\"?(\d+)\"?', 2, SyslogMessage),
+Tran_Src_IP = extract(@'(src_trans_ip|tran_src_ip)=(\S+)', 2, SyslogMessage),
+Tran_Src_Port = extract(@'(src_trans_port|tran_src_port)=\"?(\d+)\"?', 2, SyslogMessage),
+Tran_Dst_IP = extract(@'(dst_trans_ip|tran_dst_ip)=(\S+)', 2, SyslogMessage),
+Tran_Dst_Port = extract(@'(dst_trans_port|tran_dst_port)=\"?(\d+)\"?', 2, SyslogMessage),
+Srczonetype = extract(@'(src_zone_type|srczonetype)=\"(\S+)\"', 2, SyslogMessage),
+Srczone = extract(@'(src_zone|srczone)=\"(\S+)\"', 2, SyslogMessage),
+Dstzonetype = extract(@'(dst_zone_type|dstzonetype)=\"(\S+)\"', 2, SyslogMessage),
+Dstzone = extract(@'(dst_zone|dstzone)=\"(\S+)\"', 2, SyslogMessage),
+Dir_Disp = extract(@'dir_disp=\"(\S+)\"', 1, SyslogMessage),
+Connevent = extract(@'connevent=\"(\S+)\"', 1, SyslogMessage),
+ConnID = extract(@'(con_id|connid)=\"(\S+)\"', 2, SyslogMessage),
+VconnID = extract(@'(virt_con_id|vconnid)=\"(\S+)\"', 2, SyslogMessage),
+HB_Health = extract(@'(hb_status|hb_health)=\"(\S+)\"', 2, SyslogMessage),
+Message = extract(@'message=\"([\S\s]+)\.\"', 1, SyslogMessage),
+AppResolvedBy = extract(@'appresolvedby=\"(\S+)\"', 1, SyslogMessage),
+Nat_Rule_ID = extract(@'nat_rule_id=(\S+)', 1, SyslogMessage),
+Vlan_ID = extract(@'vlan_id=\"(\S+)\"', 1, SyslogMessage),
+Ether_Type = extract(@'ether_type=\"(\S+)\"', 1, SyslogMessage),
+Bridge_Name = extract(@'bridge_name=\"(\S+)\"', 1, SyslogMessage),
+Web_Policy_ID = extract(@'web_policy_id=\"(\S+)\"', 1, SyslogMessage),
+App_IS_Cloud = extract(@'app_is_cloud=\"(\S+)\"', 1, SyslogMessage),
+Bridge_Display_Name = extract(@'bridge_display_name=\"(\S+)\"', 1, SyslogMessage),
+In_Display_Interface = extract(@'in_display_interface=\"(\S+)\"', 1, SyslogMessage),
+Out_Display_Interface = extract(@'out_display_interface=\"(\S+)\"', 1, SyslogMessage)

Workbooks/Images/Logos/okta_logo.svg

@@ -0,0 +1,14 @@
+<svg xmlns="http://www.w3.org/2000/svg" height="800" width="1200" xml:space="preserve" y="0" x="0" id="Layer_1" version="1.1" viewBox="-60 -33.675 520 202.05">
+    <g id="g17005">
+        <g id="g16999">
+            <g id="g16993">
+                <path id="path16991" d="M50.3 33.8C22.5 33.8 0 56.3 0 84.1c0 27.8 22.5 50.3 50.3 50.3 27.8 0 50.3-22.5 50.3-50.3 0-27.8-22.5-50.3-50.3-50.3zm0 75.5c-13.9 0-25.2-11.3-25.2-25.2 0-13.9 11.3-25.2 25.2-25.2 13.9 0 25.2 11.3 25.2 25.2 0 13.9-11.3 25.2-25.2 25.2z"/>
+            </g>
+            <path id="path16995" d="M138.7 101c0-4 4.8-5.9 7.6-3.1 12.6 12.8 33.4 34.8 33.5 34.9.3.3.6.8 1.8 1.2.5.2 1.3.2 2.2.2h22.7c4.1 0 5.3-4.7 3.4-7.1l-37.6-38.5-2-2c-4.3-5.1-3.8-7.1 1.1-12.3L201.2 41c1.9-2.4.7-7-3.5-7h-20.6c-.8 0-1.4 0-2 .2-1.2.4-1.7.8-2 1.2-.1.1-16.6 17.9-26.8 28.8-2.8 3-7.8 1-7.8-3.1V4c0-2.9-2.4-4-4.3-4h-16.8c-2.9 0-4.3 1.9-4.3 3.6v126.6c0 2.9 2.4 3.7 4.4 3.7h16.8c2.6 0 4.3-1.9 4.3-3.8V101z"/>
+            <path id="path16997" d="M275.9 129.6l-1.8-16.8c-.2-2.3-2.4-3.9-4.7-3.5-1.3.2-2.6.3-3.9.3-13.4 0-24.3-10.5-25.1-23.8v-22c0-2.7 2-4.9 4.7-4.9h22.5c1.6 0 4-1.4 4-4.3V38.7c0-3.1-2-4.7-3.8-4.7h-22.7c-2.6 0-4.7-1.9-4.8-4.5V4c0-1.6-1.2-4-4.3-4h-16.7c-2.1 0-4.1 1.3-4.1 3.9v81.9c.7 27.2 23 48.9 50.3 48.9 2.3 0 4.5-.2 6.7-.5 2.4-.3 4-2.3 3.7-4.6z"/>
+        </g>
+        <g id="g17003">
+            <path id="path17001" d="M397.1 108.5c-14.2 0-16.4-5.1-16.4-24.2V38.2c0-1.6-1.2-4.3-4.4-4.3h-16.8c-2.1 0-4.4 1.7-4.4 4.3v2.1c-7.3-4.2-15.8-6.6-24.8-6.6-27.8 0-50.3 22.5-50.3 50.3 0 27.8 22.5 50.3 50.3 50.3 12.5 0 23.9-4.6 32.7-12.1 4.7 7.2 12.3 12 24.2 12.1 2 0 12.8.4 12.8-4.7v-17.9c0-1.5-1.2-3.2-2.9-3.2zm-66.7.8c-13.9 0-25.2-11.3-25.2-25.2 0-13.9 11.3-25.2 25.2-25.2 13.9 0 25.2 11.3 25.2 25.2-.1 13.9-11.4 25.2-25.2 25.2z" />
+        </g>
+    </g>
+</svg>

Workbooks/Images/Logos/sophos_logo.svg

@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" height="800" width="1200" viewBox="-30 -8.37825 260 50.2695">
+    <path d="M1.585 27.412h15.068c2.626 0 4.064-.248 4.907-.793 1.041-.646 1.636-1.733 1.636-3.022 0-1.537-.794-2.876-2.131-3.521-.693-.396-1.984-.595-3.57-.595h-6.097c-3.964 0-6.542-.694-8.276-2.181C1.139 15.564 0 12.888 0 10.014 0 5.801 2.329 2.133 5.749.943 7.236.397 8.97.25 12.837.25h16.356v5.898H14.422c-3.123.049-3.371.049-4.411.297-1.387.346-2.23 1.635-2.23 3.369 0 1.489.693 2.678 1.884 3.223.991.447 1.784.545 4.164.545h5.303c4.858 0 7.484.744 9.418 2.727 1.487 1.486 2.479 4.412 2.479 7.288 0 3.519-1.636 6.789-4.213 8.376-1.635 1.04-3.716 1.337-8.625 1.337H1.585zM49.912 0c-4.659 0-8.724 1.141-11.301 3.223-3.271 2.578-5.005 7.387-5.005 13.732 0 4.41.939 8.031 2.874 10.756 2.577 3.719 7.585 5.802 13.929 5.802 4.461 0 8.229-1.093 10.708-3.075 3.271-2.625 5.108-7.388 5.108-13.188l-.015-.946-.04-.931-.066-.906-.089-.889-.116-.867-.144-.84-.165-.813-.191-.787-.104-.384-.111-.375-.116-.371-.121-.357-.125-.356-.134-.345-.14-.334-.146-.332-.147-.316-.155-.312-.161-.303-.166-.291-.174-.285-.175-.277-.183-.264-.188-.254C60.523 1.836 55.811 0 49.912 0zm.048 5.599c5.899 0 8.526 3.473 8.526 11.204 0 7.634-2.677 11.153-8.526 11.153-5.947 0-8.625-3.521-8.625-11.252l.004-.326.004-.322.005-.316.013-.312.014-.305.014-.303.018-.295.022-.291.026-.287.027-.277.031-.271.035-.268.036-.264.04-.26.045-.25.045-.25.05-.24.054-.232.054-.232.059-.224.062-.22.062-.215.066-.205.072-.201.076-.196.076-.192.081-.183.085-.183.084-.174.089-.166.094-.162.094-.155c1.339-2.134 3.867-3.328 7.088-3.328zM69.99.25v33.062h7.034V21.758H88.33c3.767 0 5.546-.492 7.48-2.128 2.28-1.932 3.669-5.154 3.669-8.625 0-2.924-1.04-5.652-2.973-7.734C94.326.842 92.291.25 86.492.25zm7.034 5.899h9.715c1.14 0 2.033.097 2.578.296 1.538.545 2.431 2.131 2.431 4.311 0 1.835-.547 3.422-1.438 4.166l-.071.062-.072.061-.076.059-.075.059-.081.053-.08.05-.085.049-.089.046-.09.043-.094.045-.094.037-.098.039-.104.036-.103.029-.107.032-.112.031-.115.025-.116.021-.121.022-.125.022-.129.018-.13.018-.139.014-.139.018-.143.01-.152.009-.152.01-.156.009-.162.003-.166.005h-.17l-.175.004h-9.567V6.149zm45.503 13.53h-12.738v13.629h-7.039V.25h7.039v13.531h12.738V.25h7.039v33.058h-7.039zM150.088 0c-4.658 0-8.723 1.141-11.301 3.223-3.271 2.578-5.01 7.387-5.01 13.732 0 4.41.943 8.031 2.879 10.756 2.574 3.719 7.582 5.802 13.928 5.802 4.463 0 8.227-1.093 10.703-3.075 3.271-2.625 5.107-7.388 5.107-13.188l-.014-.946-.039-.931-.066-.906-.09-.889-.117-.867-.143-.84-.166-.813-.188-.787-.107-.384-.107-.375-.115-.371-.125-.357-.125-.356-.135-.345-.139-.334-.143-.332-.152-.316-.156-.312-.16-.303-.166-.291-.174-.285-.174-.277-.186-.264-.188-.254C160.693 1.836 155.988 0 150.088 0zm.051 5.599c5.896 0 8.525 3.473 8.525 11.204 0 7.634-2.678 11.153-8.525 11.153-5.947 0-8.625-3.521-8.625-11.252v-.326l.004-.322.01-.316.008-.312.014-.305.02-.303.018-.295.021-.291.021-.287.027-.277.035-.271.031-.268.035-.264.041-.26.043-.25.047-.25.049-.24.053-.232.055-.232.059-.224.062-.22.062-.215.07-.205.07-.201.072-.196.076-.192.08-.183.086-.183.084-.174.09-.166.094-.162.1-.155c1.336-2.134 3.865-3.328 7.088-3.328zm20.42 21.813h15.068c2.625 0 4.062-.248 4.906-.793 1.039-.646 1.635-1.733 1.635-3.022 0-1.537-.793-2.876-2.131-3.521-.695-.396-1.982-.595-3.568-.595h-6.098c-3.965 0-6.543-.694-8.277-2.181-1.982-1.736-3.123-4.412-3.123-7.286 0-4.213 2.328-7.881 5.75-9.071 1.486-.546 3.223-.693 7.088-.693h16.357v5.898h-14.771c-3.123.049-3.371.049-4.41.297-1.389.346-2.232 1.635-2.232 3.369 0 1.489.695 2.678 1.887 3.223.988.447 1.781.545 4.162.545h5.303c4.857 0 7.484.744 9.42 2.727C199.01 17.795 200 20.72 200 23.596c0 3.519-1.635 6.789-4.213 8.376-1.635 1.04-3.717 1.337-8.625 1.337h-16.604v-5.897z" fill="#007aff"/>
+</svg>

Workbooks/OktaSingleSignOn.json

@@ -0,0 +1,984 @@
+{
+  "version": "Notebook/1.0",
+  "items": [
+    {
+      "type": 9,
+      "content": {
+        "version": "KqlParameterItem/1.0",
+        "parameters": [
+          {
+            "id": "23197862-8ab5-4aa4-8e78-bb26fbf1a6bc",
+            "version": "KqlParameterItem/1.0",
+            "name": "TimeRange",
+            "label": "Time Range",
+            "type": 4,
+            "isRequired": true,
+            "value": {
+              "durationMs": 2419200000
+            },
+            "typeSettings": {
+              "selectableValues": [
+                {
+                  "durationMs": 300000
+                },
+                {
+                  "durationMs": 900000
+                },
+                {
+                  "durationMs": 1800000
+                },
+                {
+                  "durationMs": 3600000
+                },
+                {
+                  "durationMs": 14400000
+                },
+                {
+                  "durationMs": 43200000
+                },
+                {
+                  "durationMs": 86400000
+                },
+                {
+                  "durationMs": 172800000
+                },
+                {
+                  "durationMs": 259200000
+                },
+                {
+                  "durationMs": 604800000
+                },
+                {
+                  "durationMs": 1209600000
+                },
+                {
+                  "durationMs": 2419200000
+                },
+                {
+                  "durationMs": 2592000000
+                },
+                {
+                  "durationMs": 5184000000
+                },
+                {
+                  "durationMs": 7776000000
+                }
+              ],
+              "allowCustom": true
+            },
+            "resourceType": "microsoft.insights/components"
+          }
+        ],
+        "style": "above",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "name": "parameters - 2"
+    },
+    {
+      "type": 11,
+      "content": {
+        "version": "LinkItem/1.0",
+        "style": "tabs",
+        "links": [
+          {
+            "cellValue": "selectedTab",
+            "linkTarget": "parameter",
+            "linkLabel": "Administrative",
+            "subTarget": "General",
+            "preText": "Session/User Analysis",
+            "style": "link"
+          },
+          {
+            "cellValue": "selectedTab",
+            "linkTarget": "parameter",
+            "linkLabel": "Application",
+            "subTarget": "Application",
+            "style": "link"
+          },
+          {
+            "cellValue": "selectedTab",
+            "linkTarget": "parameter",
+            "linkLabel": "Session/User Analysis",
+            "subTarget": "Analysis",
+            "preText": "Session/User Analysis",
+            "style": "link"
+          }
+        ]
+      },
+      "name": "links - 13"
+    },
+    {
+      "type": 9,
+      "content": {
+        "version": "KqlParameterItem/1.0",
+        "parameters": [
+          {
+            "id": "fc39a4b9-f38a-4a3e-bf83-845441828fb8",
+            "version": "KqlParameterItem/1.0",
+            "name": "ApplicationList",
+            "label": "Application",
+            "type": 2,
+            "isRequired": true,
+            "multiSelect": true,
+            "quote": "'",
+            "delimiter": ",",
+            "query": "Okta_CL\r\n| mv-expand todynamic(target_s)\r\n| where target_s.type == \"AppInstance\"\r\n| distinct tostring(target_s.alternateId)\r\n| sort by target_s_alternateId asc",
+            "value": [
+              "value::all"
+            ],
+            "typeSettings": {
+              "additionalResourceOptions": [
+                "value::all"
+              ]
+            },
+            "timeContext": {
+              "durationMs": 0
+            },
+            "timeContextFromParameter": "TimeRange",
+            "queryType": 0,
+            "resourceType": "microsoft.operationalinsights/workspaces"
+          }
+        ],
+        "style": "above",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "Application"
+      },
+      "name": "parameters - 15"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Okta_CL\r\n| where eventType_s == \"user.session.start\"\r\n| summarize Count = count() by Results = outcome_result_s, bin(TimeGenerated, {TimeRange:grain})",
+        "size": 0,
+        "title": "Console Login by Result",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "barchart",
+        "tileSettings": {
+          "showBorder": false,
+          "titleContent": {
+            "columnMatch": "Results",
+            "formatter": 1
+          },
+          "leftContent": {
+            "columnMatch": "Count",
+            "formatter": 12,
+            "formatOptions": {
+              "palette": "auto"
+            },
+            "numberFormat": {
+              "unit": 17,
+              "options": {
+                "maximumSignificantDigits": 3,
+                "maximumFractionDigits": 2
+              }
+            }
+          }
+        },
+        "chartSettings": {
+          "seriesLabelSettings": [
+            {
+              "seriesName": "FAILURE",
+              "color": "red"
+            },
+            {
+              "seriesName": "SUCCESS",
+              "color": "green"
+            }
+          ]
+        }
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "General"
+      },
+      "customWidth": "50",
+      "name": "query - 5"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Okta_CL\r\n| where eventType_s == \"user.session.start\"\r\n| where outcome_result_s == \"FAILURE\"\r\n| summarize Total = count() by User = actor_alternateId_s\r\n| top 10 by Total",
+        "size": 0,
+        "title": "Top 10 Failed Console Logins by User",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "table",
+        "gridSettings": {
+          "formatters": [
+            {
+              "columnMatch": "Total",
+              "formatter": 3,
+              "formatOptions": {
+                "palette": "coldHot"
+              }
+            }
+          ]
+        },
+        "tileSettings": {
+          "showBorder": false,
+          "titleContent": {
+            "columnMatch": "Results",
+            "formatter": 1
+          },
+          "leftContent": {
+            "columnMatch": "Count",
+            "formatter": 12,
+            "formatOptions": {
+              "palette": "auto"
+            },
+            "numberFormat": {
+              "unit": 17,
+              "options": {
+                "maximumSignificantDigits": 3,
+                "maximumFractionDigits": 2
+              }
+            }
+          }
+        },
+        "chartSettings": {
+          "seriesLabelSettings": [
+            {
+              "seriesName": "FAILURE",
+              "color": "red"
+            },
+            {
+              "seriesName": "SUCCESS",
+              "color": "green"
+            }
+          ]
+        }
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "General"
+      },
+      "customWidth": "50",
+      "name": "query - 5 - Copy"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Okta_CL\r\n| where eventType_s == \"user.authentication.auth_via_mfa\"\r\n| where outcome_result_s == \"FAILURE\"\r\n| summarize count() by actor_alternateId_s\r\n| top 10 by count_",
+        "size": 0,
+        "title": "Top 10 Failed MFA Authentications by User",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "table",
+        "gridSettings": {
+          "formatters": [
+            {
+              "columnMatch": "count_",
+              "formatter": 3,
+              "formatOptions": {
+                "palette": "coldHot"
+              }
+            },
+            {
+              "columnMatch": "Total",
+              "formatter": 3,
+              "formatOptions": {
+                "palette": "coldHot"
+              }
+            }
+          ],
+          "labelSettings": [
+            {
+              "columnId": "actor_alternateId_s",
+              "label": "User"
+            },
+            {
+              "columnId": "count_",
+              "label": "Total"
+            }
+          ]
+        },
+        "tileSettings": {
+          "showBorder": false,
+          "titleContent": {
+            "columnMatch": "Results",
+            "formatter": 1
+          },
+          "leftContent": {
+            "columnMatch": "Count",
+            "formatter": 12,
+            "formatOptions": {
+              "palette": "auto"
+            },
+            "numberFormat": {
+              "unit": 17,
+              "options": {
+                "maximumSignificantDigits": 3,
+                "maximumFractionDigits": 2
+              }
+            }
+          }
+        },
+        "chartSettings": {
+          "seriesLabelSettings": [
+            {
+              "seriesName": "FAILURE",
+              "color": "red"
+            },
+            {
+              "seriesName": "SUCCESS",
+              "color": "green"
+            }
+          ]
+        }
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "General"
+      },
+      "customWidth": "50",
+      "name": "query - 5 - Copy - Copy"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Okta_CL\r\n| where eventType_s == \"user.authentication.auth_via_mfa\"\r\n| summarize Count=count() by Results = outcome_result_s, bin(TimeGenerated, {TimeRange:grain})",
+        "size": 0,
+        "title": "MFA Authentications by Result",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "barchart",
+        "tileSettings": {
+          "showBorder": false,
+          "titleContent": {
+            "columnMatch": "Results",
+            "formatter": 1
+          },
+          "leftContent": {
+            "columnMatch": "Count",
+            "formatter": 12,
+            "formatOptions": {
+              "palette": "auto"
+            },
+            "numberFormat": {
+              "unit": 17,
+              "options": {
+                "maximumSignificantDigits": 3,
+                "maximumFractionDigits": 2
+              }
+            }
+          }
+        },
+        "chartSettings": {
+          "seriesLabelSettings": [
+            {
+              "seriesName": "SUCCESS",
+              "color": "green"
+            },
+            {
+              "seriesName": "FAILURE",
+              "color": "red"
+            }
+          ]
+        }
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "General"
+      },
+      "customWidth": "50",
+      "name": "query - 5 - Copy"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Okta_CL\r\n| mv-expand todynamic(target_s)\r\n| where target_s.type == \"AppInstance\"\r\n| summarize count() by tostring(target_s.displayName)\r\n| top 10 by count_",
+        "size": 0,
+        "title": "Active Applications",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "piechart",
+        "tileSettings": {
+          "showBorder": false,
+          "titleContent": {
+            "columnMatch": "Users",
+            "formatter": 1
+          },
+          "leftContent": {
+            "columnMatch": "Count",
+            "formatter": 12,
+            "formatOptions": {
+              "palette": "auto"
+            },
+            "numberFormat": {
+              "unit": 17,
+              "options": {
+                "maximumSignificantDigits": 3,
+                "maximumFractionDigits": 2
+              }
+            }
+          }
+        }
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "General"
+      },
+      "customWidth": "50",
+      "name": "query - 3"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Okta_CL\r\n| mv-expand todynamic(target_s)\r\n| where target_s.type == \"AppInstance\"\r\n| summarize count() by tostring(target_s.displayName), bin(TimeGenerated, {TimeRange:grain})",
+        "size": 0,
+        "title": "Active Applications",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "areachart",
+        "tileSettings": {
+          "showBorder": false,
+          "titleContent": {
+            "columnMatch": "Users",
+            "formatter": 1
+          },
+          "leftContent": {
+            "columnMatch": "Count",
+            "formatter": 12,
+            "formatOptions": {
+              "palette": "auto"
+            },
+            "numberFormat": {
+              "unit": 17,
+              "options": {
+                "maximumSignificantDigits": 3,
+                "maximumFractionDigits": 2
+              }
+            }
+          }
+        }
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "General"
+      },
+      "customWidth": "50",
+      "name": "Events by Application"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Okta_CL\r\n| where eventType_s == \"application.user_membership.add\"\r\n| extend TargetUser = tostring(parse_json(target_s)[0].alternateId)\r\n| extend Application = tostring(parse_json(target_s)[1].alternateId)\r\n| summarize count() by ['Event Time'] = published_t, ['Source User'] = actor_alternateId_s, Application, ['Target User'] = TargetUser\r\n| project-away count_\r\n| sort by ['Event Time'] desc",
+        "size": 0,
+        "title": "Users Added to Application",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "General"
+      },
+      "customWidth": "50",
+      "name": "query - 18"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Okta_CL\r\n| where eventType_s == \"application.user_membership.remove\"\r\n| extend TargetUser = tostring(parse_json(target_s)[0].alternateId)\r\n| extend Application = tostring(parse_json(target_s)[1].alternateId)\r\n| summarize count() by published_t, SourceUser = actor_alternateId_s, Application, TargetUser\r\n| project-away count_\r\n| sort by published_t desc\r\n",
+        "size": 0,
+        "title": "Users Removed from Application",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "General"
+      },
+      "customWidth": "50",
+      "name": "query - 18 - Copy"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Okta_CL\r\n| mv-expand todynamic(target_s)\r\n| where target_s.type == \"AppInstance\"\r\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\r\n| summarize count() by tostring(target_s.alternateId), bin(TimeGenerated,{TimeRange:grain})",
+        "size": 0,
+        "title": "Total Events by Application",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "barchart"
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "Application"
+      },
+      "customWidth": "50",
+      "name": "query - 12"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Okta_CL\r\n| mv-expand todynamic(target_s)\r\n| where target_s.type == \"AppInstance\"\r\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\r\n| where eventType_s has \"authentication\"\r\n| where outcome_result_s == \"FAILURE\"\r\n| summarize count() by tostring(target_s.alternateId), bin(TimeGenerated,{TimeRange:grain})",
+        "size": 0,
+        "title": "Failed Logins by Application",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "barchart"
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "Application"
+      },
+      "customWidth": "50",
+      "name": "query - 12 - Copy"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Okta_CL\r\n| mv-expand todynamic(target_s)\r\n| where target_s.type == \"AppInstance\"\r\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\r\n| summarize Total = count() by Application = tostring(target_s.alternateId)\r\n| top 10 by Total",
+        "size": 0,
+        "title": "Top 10 Event Count by Application",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "Application"
+      },
+      "customWidth": "50",
+      "name": "query - 12 - Copy"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Okta_CL\r\n| mv-expand todynamic(target_s)\r\n| where target_s.type == \"AppInstance\"\r\n| where eventType_s has \"authentication\"\r\n| where target_s.alternateId in ({ApplicationList}) or '*' in ({ApplicationList})\r\n| summarize SUCCESS = countif(outcome_result_s == \"SUCCESS\"), FAILURE = countif(outcome_result_s == \"FAILURE\"), Total = count() by User = actor_alternateId_s\r\n| top 10 by Total\r\n",
+        "size": 0,
+        "title": "Top 10 User Authentications",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "gridSettings": {
+          "formatters": [
+            {
+              "columnMatch": "SUCCESS",
+              "formatter": 8,
+              "formatOptions": {
+                "palette": "red"
+              }
+            },
+            {
+              "columnMatch": "FAILURE",
+              "formatter": 8,
+              "formatOptions": {
+                "palette": "green"
+              }
+            },
+            {
+              "columnMatch": "Total",
+              "formatter": 3,
+              "formatOptions": {
+                "palette": "coldHot"
+              }
+            }
+          ]
+        }
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "Application"
+      },
+      "customWidth": "50",
+      "name": "query - 12 - Copy - Copy"
+    },
+    {
+      "type": 9,
+      "content": {
+        "version": "KqlParameterItem/1.0",
+        "parameters": [
+          {
+            "id": "427470db-f8f8-461c-adc7-47fe5202b5d1",
+            "version": "KqlParameterItem/1.0",
+            "name": "SessionID",
+            "label": "Session ID",
+            "type": 2,
+            "isRequired": true,
+            "multiSelect": true,
+            "quote": "'",
+            "delimiter": ",",
+            "query": "Okta_CL\r\n| where actor_alternateId_s !in (\"system@okta.com\")\r\n| distinct authenticationContext_externalSessionId_s\r\n| sort by authenticationContext_externalSessionId_s asc",
+            "value": [
+              "value::all"
+            ],
+            "typeSettings": {
+              "additionalResourceOptions": [
+                "value::all"
+              ]
+            },
+            "timeContext": {
+              "durationMs": 0
+            },
+            "timeContextFromParameter": "TimeRange",
+            "queryType": 0,
+            "resourceType": "microsoft.operationalinsights/workspaces"
+          },
+          {
+            "id": "939a52ae-0662-4483-a52b-35287b151074",
+            "version": "KqlParameterItem/1.0",
+            "name": "User",
+            "type": 2,
+            "isRequired": true,
+            "multiSelect": true,
+            "quote": "'",
+            "delimiter": ",",
+            "query": "Okta_CL\r\n| where actor_alternateId_s !in (\"system@okta.com\")\r\n| distinct actor_alternateId_s\r\n| sort by actor_alternateId_s asc",
+            "value": [
+              "value::all"
+            ],
+            "typeSettings": {
+              "additionalResourceOptions": [
+                "value::all"
+              ]
+            },
+            "timeContext": {
+              "durationMs": 0
+            },
+            "timeContextFromParameter": "TimeRange",
+            "queryType": 0,
+            "resourceType": "microsoft.operationalinsights/workspaces"
+          },
+          {
+            "id": "059ad6dc-5f2f-490d-941a-d9f87cf71723",
+            "version": "KqlParameterItem/1.0",
+            "name": "EventTypes",
+            "label": "Event Type",
+            "type": 2,
+            "isRequired": true,
+            "multiSelect": true,
+            "quote": "'",
+            "delimiter": ",",
+            "query": "Okta_CL\r\n| distinct eventType_s\r\n| sort by eventType_s asc",
+            "value": [
+              "user.session.start"
+            ],
+            "typeSettings": {
+              "additionalResourceOptions": [
+                "value::all"
+              ]
+            },
+            "timeContext": {
+              "durationMs": 0
+            },
+            "timeContextFromParameter": "TimeRange",
+            "queryType": 0,
+            "resourceType": "microsoft.operationalinsights/workspaces"
+          }
+        ],
+        "style": "above",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "Analysis"
+      },
+      "name": "parameters - 7"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Okta_CL\r\n| where authenticationContext_externalSessionId_s in ({SessionID})\r\n| where actor_alternateId_s in ({User}) or '*' in ({User})\r\n| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\r\n| summarize count(eventType_s) by actor_alternateId_s, bin(published_t, {TimeRange:grain})",
+        "size": 0,
+        "showAnnotations": true,
+        "title": "User Events Timeline",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "barchart",
+        "gridSettings": {
+          "sortBy": [
+            {
+              "itemKey": "actor_alternateId_s",
+              "sortOrder": 2
+            }
+          ]
+        },
+        "sortBy": [
+          {
+            "itemKey": "actor_alternateId_s",
+            "sortOrder": 2
+          }
+        ]
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "Analysis"
+      },
+      "customWidth": "50",
+      "name": "query - 8 - Copy"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Okta_CL\r\n| where authenticationContext_externalSessionId_s in ({SessionID})\r\n| where actor_alternateId_s in ({User}) or '*' in ({User})\r\n| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\r\n| summarize count() by authenticationContext_externalSessionId_s, published_t, eventType_s, actor_alternateId_s\r\n| sort by authenticationContext_externalSessionId_s asc, published_t asc",
+        "size": 0,
+        "title": "User Event Details",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "gridSettings": {
+          "sortBy": [
+            {
+              "itemKey": "actor_alternateId_s",
+              "sortOrder": 2
+            }
+          ],
+          "labelSettings": [
+            {
+              "columnId": "authenticationContext_externalSessionId_s",
+              "label": "Session ID"
+            },
+            {
+              "columnId": "published_t",
+              "label": "Event Time"
+            },
+            {
+              "columnId": "eventType_s",
+              "label": "Event Type"
+            },
+            {
+              "columnId": "actor_alternateId_s",
+              "label": "User"
+            },
+            {
+              "columnId": "count_",
+              "label": "Total"
+            }
+          ]
+        },
+        "sortBy": [
+          {
+            "itemKey": "actor_alternateId_s",
+            "sortOrder": 2
+          }
+        ]
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "Analysis"
+      },
+      "customWidth": "50",
+      "name": "query - 8"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Okta_CL\r\n| mv-expand todynamic(target_s)\r\n| where target_s.type == \"AppInstance\"\r\n| where eventType_s has \"authentication\"\r\n| where authenticationContext_externalSessionId_s in ({SessionID})\r\n| where actor_alternateId_s in ({User}) or '*' in ({User})\r\n| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\r\n| summarize SUCCESS = countif(outcome_result_s == \"SUCCESS\"), FAILURE = countif(outcome_result_s == \"FAILURE\"), Total = count() by actor_alternateId_s, tostring(target_s.alternateId)\r\n| sort by actor_alternateId_s asc, target_s_alternateId asc\r\n\r\n",
+        "size": 0,
+        "title": "Application Authentications",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "gridSettings": {
+          "formatters": [
+            {
+              "columnMatch": "SUCCESS",
+              "formatter": 8,
+              "formatOptions": {
+                "palette": "green"
+              }
+            },
+            {
+              "columnMatch": "FAILURE",
+              "formatter": 8,
+              "formatOptions": {
+                "palette": "red"
+              }
+            },
+            {
+              "columnMatch": "Total",
+              "formatter": 3,
+              "formatOptions": {
+                "palette": "blue"
+              }
+            }
+          ],
+          "labelSettings": [
+            {
+              "columnId": "actor_alternateId_s",
+              "label": "User"
+            },
+            {
+              "columnId": "target_s_alternateId",
+              "label": "Application"
+            },
+            {
+              "columnId": "SUCCESS"
+            },
+            {
+              "columnId": "FAILURE"
+            },
+            {
+              "columnId": "Total"
+            }
+          ]
+        },
+        "sortBy": []
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "Analysis"
+      },
+      "customWidth": "50",
+      "name": "query - 8 - Copy"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Okta_CL\r\n| where authenticationContext_externalSessionId_s in ({SessionID})\r\n| where actor_alternateId_s in ({User}) or '*' in ({User})\r\n| where eventType_s in ({EventTypes}) or '*' in ({EventTypes})\r\n| summarize count(eventType_s) by \tCity = client_geographicalContext_city_s, actor_alternateId_s, Country = client_geographicalContext_country_s, latitude = client_geographicalContext_geolocation_lat_d, longitude = client_geographicalContext_geolocation_lon_d,  Results = outcome_result_s",
+        "size": 0,
+        "title": "User Events by Geo-Location",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "map",
+        "tileSettings": {
+          "showBorder": false,
+          "titleContent": {
+            "columnMatch": "Users",
+            "formatter": 1
+          },
+          "leftContent": {
+            "columnMatch": "Count",
+            "formatter": 12,
+            "formatOptions": {
+              "palette": "auto"
+            },
+            "numberFormat": {
+              "unit": 17,
+              "options": {
+                "maximumSignificantDigits": 3,
+                "maximumFractionDigits": 2
+              }
+            }
+          }
+        },
+        "mapSettings": {
+          "locInfo": "LatLong",
+          "latitude": "latitude",
+          "longitude": "longitude",
+          "sizeSettings": "count_eventType_s",
+          "sizeAggregation": "Sum",
+          "labelSettings": "actor_alternateId_s",
+          "legendMetric": "count_eventType_s",
+          "legendAggregation": "Sum",
+          "itemColorSettings": {
+            "nodeColorField": "count_eventType_s",
+            "colorAggregation": "Sum",
+            "type": "heatmap",
+            "heatmapPalette": "greenRed"
+          }
+        }
+      },
+      "conditionalVisibility": {
+        "parameterName": "selectedTab",
+        "comparison": "isEqualTo",
+        "value": "Analysis"
+      },
+      "customWidth": "50",
+      "name": "query - 3 - Copy - Copy"
+    }
+  ],
+  "fromTemplateId": "sentinel-UserWorkbook",
+  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}

Workbooks/SophosXGFirewall.json

@@ -0,0 +1,520 @@
+{
+  "version": "Notebook/1.0",
+  "items": [
+    {
+      "type": 9,
+      "content": {
+        "version": "KqlParameterItem/1.0",
+        "parameters": [
+          {
+            "id": "3a1905da-e863-4fb1-a4cc-373bfa047344",
+            "version": "KqlParameterItem/1.0",
+            "name": "TimeRange",
+            "label": "Time Range",
+            "type": 4,
+            "isRequired": true,
+            "value": {
+              "durationMs": 604800000
+            },
+            "typeSettings": {
+              "selectableValues": [
+                {
+                  "durationMs": 300000
+                },
+                {
+                  "durationMs": 900000
+                },
+                {
+                  "durationMs": 1800000
+                },
+                {
+                  "durationMs": 3600000
+                },
+                {
+                  "durationMs": 14400000
+                },
+                {
+                  "durationMs": 43200000
+                },
+                {
+                  "durationMs": 86400000
+                },
+                {
+                  "durationMs": 172800000
+                },
+                {
+                  "durationMs": 259200000
+                },
+                {
+                  "durationMs": 604800000
+                },
+                {
+                  "durationMs": 1209600000
+                },
+                {
+                  "durationMs": 2419200000
+                },
+                {
+                  "durationMs": 2592000000
+                },
+                {
+                  "durationMs": 5184000000
+                },
+                {
+                  "durationMs": 7776000000
+                }
+              ],
+              "allowCustom": true
+            },
+            "resourceType": "microsoft.insights/components"
+          }
+        ],
+        "style": "above",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "name": "parameters - 0"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\"\r\n| summarize inbound = countif(not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))), outbound = countif((ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))), deny = countif(Status == \"Deny\"), count() by bin(TimeGenerated, {TimeRange:grain})\r\n| project-away count_",
+        "size": 0,
+        "title": "Network Traffic by Direction",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "areachart"
+      },
+      "customWidth": "50",
+      "name": "query - 8"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\"\r\n| where Status in (\"Allow\",\"Deny\")\r\n| summarize count() by Status, bin(TimeGenerated, {TimeRange:grain})",
+        "size": 0,
+        "title": "Events by Action",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "barchart",
+        "chartSettings": {
+          "seriesLabelSettings": [
+            {
+              "seriesName": "Allow",
+              "color": "green"
+            },
+            {
+              "seriesName": "Deny",
+              "color": "red"
+            }
+          ]
+        }
+      },
+      "customWidth": "50",
+      "name": "query - 1"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\" and Status =~ \"Deny\"\r\n| where not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| summarize Total = count() by ['Source IP'] = Src_IP\r\n| top 10 by Total",
+        "size": 0,
+        "title": "Top 10 Denied Inbound Source IPs",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "table",
+        "gridSettings": {
+          "formatters": [
+            {
+              "columnMatch": "Total",
+              "formatter": 3,
+              "formatOptions": {
+                "palette": "coldHot"
+              },
+              "numberFormat": {
+                "unit": 17,
+                "options": {
+                  "style": "decimal",
+                  "maximumFractionDigits": 2
+                }
+              }
+            }
+          ]
+        },
+        "chartSettings": {
+          "seriesLabelSettings": [
+            {
+              "seriesName": "Allow",
+              "color": "green"
+            },
+            {
+              "seriesName": "Deny",
+              "color": "red"
+            }
+          ]
+        }
+      },
+      "customWidth": "50",
+      "name": "query - 1 - Copy - Copy"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\" and Status =~ \"Deny\"\r\n| where (ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| summarize Total = count() by ['Destination IP'] = Dst_IP\r\n| top 10 by Total",
+        "size": 0,
+        "title": "Top 10 Denied Outbound Destination IPs",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "table",
+        "gridSettings": {
+          "formatters": [
+            {
+              "columnMatch": "Total",
+              "formatter": 3,
+              "formatOptions": {
+                "palette": "coldHot"
+              },
+              "numberFormat": {
+                "unit": 17,
+                "options": {
+                  "style": "decimal",
+                  "useGrouping": false,
+                  "maximumFractionDigits": 2
+                }
+              }
+            }
+          ]
+        },
+        "chartSettings": {
+          "seriesLabelSettings": [
+            {
+              "seriesName": "Allow",
+              "color": "green"
+            },
+            {
+              "seriesName": "Deny",
+              "color": "red"
+            }
+          ]
+        }
+      },
+      "customWidth": "50",
+      "name": "query - 1 - Copy"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\" and Status =~ \"Deny\"\r\n| where not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| summarize Total = count() by Port = Src_Port\r\n| top 10 by Total",
+        "size": 0,
+        "title": "Top 10 Denied Inbound Ports",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "table",
+        "gridSettings": {
+          "formatters": [
+            {
+              "columnMatch": "Total",
+              "formatter": 3,
+              "formatOptions": {
+                "palette": "coldHot"
+              },
+              "numberFormat": {
+                "unit": 17,
+                "options": {
+                  "style": "decimal",
+                  "useGrouping": false,
+                  "maximumFractionDigits": 2
+                }
+              }
+            }
+          ]
+        },
+        "chartSettings": {
+          "seriesLabelSettings": [
+            {
+              "seriesName": "Allow",
+              "color": "green"
+            },
+            {
+              "seriesName": "Deny",
+              "color": "red"
+            }
+          ]
+        }
+      },
+      "customWidth": "50",
+      "name": "query - 1 - Copy - Copy - Copy"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\" and Status == \"Deny\"\r\n| where (ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| summarize Total = count() by Port = Dst_Port\r\n| top 10 by Total",
+        "size": 0,
+        "title": "Top 10 Denied Outbound Ports",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "table",
+        "gridSettings": {
+          "formatters": [
+            {
+              "columnMatch": "Total",
+              "formatter": 3,
+              "formatOptions": {
+                "palette": "coldHot"
+              }
+            }
+          ]
+        },
+        "chartSettings": {
+          "seriesLabelSettings": [
+            {
+              "seriesName": "Allow",
+              "color": "green"
+            },
+            {
+              "seriesName": "Deny",
+              "color": "red"
+            }
+          ]
+        }
+      },
+      "customWidth": "50",
+      "name": "query - 1 - Copy - Copy"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\" and Status == \"Deny\"\r\n| where not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| where isnotempty(Src_Country_Code)\r\n| summarize Total = count() by ['Source Country'] = Src_Country_Code\r\n| top 10 by Total",
+        "size": 0,
+        "title": "Top 10 Denied Inbound Traffic by Country",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "table",
+        "gridSettings": {
+          "formatters": [
+            {
+              "columnMatch": "Total",
+              "formatter": 3,
+              "formatOptions": {
+                "palette": "coldHot"
+              },
+              "numberFormat": {
+                "unit": 17,
+                "options": {
+                  "style": "decimal",
+                  "useGrouping": false,
+                  "maximumFractionDigits": 2
+                }
+              }
+            }
+          ]
+        },
+        "mapSettings": {
+          "locInfo": "CountryRegion",
+          "locInfoColumn": "Dst_Country_Code",
+          "sizeSettings": "count_",
+          "sizeAggregation": "Sum",
+          "legendMetric": "count_",
+          "legendAggregation": "Sum",
+          "itemColorSettings": {
+            "nodeColorField": "count_",
+            "colorAggregation": "Sum",
+            "type": "heatmap",
+            "heatmapPalette": "greenRed"
+          }
+        }
+      },
+      "customWidth": "50",
+      "name": "query - 5 - Copy"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\"\r\n| where not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| where isnotempty(Src_Country_Code)\r\n| summarize count() by Src_Country_Code, bin(TimeGenerated, {TimeRange:grain})\r\n",
+        "size": 0,
+        "title": "Denied Inbound Traffic by Country",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "linechart",
+        "gridSettings": {
+          "formatters": [
+            {
+              "columnMatch": "Total",
+              "formatter": 3,
+              "formatOptions": {
+                "palette": "coldHot"
+              },
+              "numberFormat": {
+                "unit": 17,
+                "options": {
+                  "style": "decimal",
+                  "useGrouping": false,
+                  "maximumFractionDigits": 2
+                }
+              }
+            }
+          ]
+        },
+        "mapSettings": {
+          "locInfo": "CountryRegion",
+          "locInfoColumn": "Dst_Country_Code",
+          "sizeSettings": "count_",
+          "sizeAggregation": "Sum",
+          "legendMetric": "count_",
+          "legendAggregation": "Sum",
+          "itemColorSettings": {
+            "nodeColorField": "count_",
+            "colorAggregation": "Sum",
+            "type": "heatmap",
+            "heatmapPalette": "greenRed"
+          }
+        }
+      },
+      "customWidth": "50",
+      "name": "query - 5 - Copy - Copy"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\" and Status == \"Deny\"\r\n| where (ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| where isnotempty(Dst_Country_Code)\r\n| summarize Total = count() by  ['Source Country'] = Dst_Country_Code\r\n| top 10 by Total",
+        "size": 0,
+        "title": "Top Denied Outbound Traffic by Country",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "table",
+        "gridSettings": {
+          "formatters": [
+            {
+              "columnMatch": "Total",
+              "formatter": 3,
+              "formatOptions": {
+                "palette": "coldHot"
+              },
+              "numberFormat": {
+                "unit": 17,
+                "options": {
+                  "style": "decimal",
+                  "useGrouping": false,
+                  "maximumFractionDigits": 2
+                }
+              }
+            }
+          ]
+        },
+        "mapSettings": {
+          "locInfo": "CountryRegion",
+          "locInfoColumn": "Dst_Country_Code",
+          "sizeSettings": "count_",
+          "sizeAggregation": "Sum",
+          "legendMetric": "count_",
+          "legendAggregation": "Sum",
+          "itemColorSettings": {
+            "nodeColorField": "count_",
+            "colorAggregation": "Sum",
+            "type": "heatmap",
+            "heatmapPalette": "greenRed"
+          }
+        }
+      },
+      "customWidth": "50",
+      "name": "query - 5 - Copy - Copy"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\"\r\n| where (ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| where isnotempty(Dst_Country_Code)\r\n| summarize count() by Dst_Country_Code, bin(TimeGenerated, {TimeRange:grain})\r\n",
+        "size": 0,
+        "title": "Denied Outbound Traffic by Country",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "linechart",
+        "gridSettings": {
+          "formatters": [
+            {
+              "columnMatch": "Total",
+              "formatter": 3,
+              "formatOptions": {
+                "palette": "coldHot"
+              },
+              "numberFormat": {
+                "unit": 17,
+                "options": {
+                  "style": "decimal",
+                  "useGrouping": false,
+                  "maximumFractionDigits": 2
+                }
+              }
+            }
+          ]
+        },
+        "mapSettings": {
+          "locInfo": "CountryRegion",
+          "locInfoColumn": "Dst_Country_Code",
+          "sizeSettings": "count_",
+          "sizeAggregation": "Sum",
+          "legendMetric": "count_",
+          "legendAggregation": "Sum",
+          "itemColorSettings": {
+            "nodeColorField": "count_",
+            "colorAggregation": "Sum",
+            "type": "heatmap",
+            "heatmapPalette": "greenRed"
+          }
+        }
+      },
+      "customWidth": "50",
+      "name": "query - 5 - Copy - Copy - Copy"
+    }
+  ],
+  "fromTemplateId": "sentinel-UserWorkbook",
+  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}

Workbooks/WorkbooksMetadata.json

@@ -785,6 +785,32 @@
     "subtitle": "",
     "provider": "Azure Sentinel community"
   },
+  {
+    "workbookKey": "SophosXGFirewallWorkbook",
+    "logoFileName": "sophos_logo.svg",
+    "description": "Gain insight into Sophos XG Firewall by analyzing, collecting and correlating firewall data.\nThis workbook provides visibility into network traffic",
+    "dataTypesDependencies": ["Syslog"],
+    "dataConnectorsDependencies": [ "SophosXGFirewall" ],
+    "previewImagesFileNames": [ "SophosXGFirewallWhite.png", "SophosXGFirewallBlack.png" ],
+    "version": "1.0",
+    "title": "Sophos XG Firewall",
+    "templateRelativePath": "SophosXGFirewall.json",
+    "subtitle": "",
+    "provider": "Sophos"
+  },
+  {
+    "workbookKey": "OktaSingleSignOnWorkbook",
+    "logoFileName": "okta_logo.svg",
+    "description": "Gain extensive insight into Okta Single Sign-On (SSO) by analyzing, collecting and correlating Audit and Event events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked",
+    "dataTypesDependencies": [ "Okta_CL" ],
+    "dataConnectorsDependencies": [ "OktaSSO" ],
+    "previewImagesFileNames": [ "OktaSingleSignOnWhite.png", "OktaSingleSignOnBlack.png" ],
+    "version": "1.0",
+    "title": "Okta Single Sign-On",
+    "templateRelativePath": "OktaSingleSignOn.json",
+    "subtitle": "",
+    "provider": "Okta"
+  },
   {
     "workbookKey": "SysmonThreatHuntingWorkbook",
     "logoFileName": "sysmonthreathunting_logo.svg",