Updated Solution name

Solutions/Network Session Essentials/Analytic Rules/PossibleBeaconingActivity.yaml

@@ -77,7 +77,7 @@ query: |
   let TimeDeltaThreshold = 10;
   let TotalEventsThreshold = 15;
   let PercentBeaconThreshold = 80;
-  _Im_NetworkSession(starttime=querystarttime, endtime=queryendtime)
+  _Im_NetworkSession(starttime=ago(querystarttime), endtime=ago(queryendtime))
   | where not(ipv4_is_private(DstIpAddr))
   | project TimeGenerated,   SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes
   | sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc
@@ -115,5 +115,5 @@ customDetails:
   FrequencyTime: MostFrequentTimeDeltaCount
   TotalDstBytes: TotalDstBytes
 
-version: 1.1.1
+version: 1.1.2
 kind: Scheduled

Solutions/Network Session Essentials/Data/Solution_NetworkSessionEssentials.json

@@ -1,10 +1,10 @@
 {
-  "Name": "Network Session Solution for Microsoft Sentinel",
+  "Name": "Network Session Essentials",
   "Author": "Microsoft - support@microsoft.com",
   "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
   "Description": "This is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Amazon Web Services \n 2. Azure Firewall \n 3. Azure Network Security Groups \n 4. Check Point \n 5. Cisco ASA \n 6. Cisco Meraki Security Events \n 7. Corelight \n 8. Fortinet FortiGate \n 9. Microsoft Defender for IoT \n 10. Microsoft Defender for Cloud \n 11. Microsoft Sysmon For Linux \n 12. Windows Firewall \n 13. Palo Alto PANOS \n 14. Vectra AI Stream \n 15. WatchGuard Firebox \n 16. Zscaler Internet Access \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.",
   "Workbooks": [
-    "Workbooks/NetworkSessionSolution.json"
+    "Workbooks/NetworkSessionEssentials.json"
   ],
   "Analytic Rules": [
     "Analytic Rules/AnomalyFoundInNetworkSessionTraffic.yaml",
@@ -12,7 +12,6 @@
     "Analytic Rules/DetectPortMisuseByStaticThreshold.yaml",
     "Analytic Rules/NetworkPortSweepFromExternalNetwork.yaml",
     "Analytic Rules/ExcessiveHTTPFailuresFromSource.yaml",
-    "Analytic Rules/IPEntity_imNetworkSession.yaml",
     "Analytic Rules/PortScan.yaml",
     "Analytic Rules/PossibleBeaconingActivity.yaml"
   ],
@@ -29,8 +28,8 @@
   "Watchlists": [
     "Watchlists/NetworkSession_Monitor_Configuration.json"
   ],
-  "WatchlistDescription": "Monitor Network Session solution configurable conditions here. Choose between Detection or Hunting for Type and set Threshold type to Static or Anomaly to tune monitoring as needed",
-  "BasePath": "C:\\Users\\demehra\\source\\repos\\Azure-Sentinel\\Solutions\\Network Session Solution for Microsoft Sentinel",
+  "WatchlistDescription": "Monitor Network Session Essentials Solution's' configurable conditions here. Choose between Detection or Hunting for Type and set Threshold type to Static or Anomaly to tune monitoring as needed",
+  "BasePath": "C:\\Users\\demehra\\source\\repos\\Azure-Sentinel\\Solutions\\Network Session Essentials",
   "Version": "2.0.0",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,

Solutions/Network Session Essentials/Playbooks/SummarizeData/azuredeploy.json

@@ -2,8 +2,8 @@
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
     "metadata": {
-        "title": "Summarize Data for Network Session Solution",
-        "description": "This playbook summarizes data for Network Session Solution and lands it into custom tables.",
+        "title": "Summarize Data for Network Session Essentials",
+        "description": "This playbook summarizes data for Network Session Essentials and lands it into custom tables.",
         "prerequisites": [],
         "postDeployment": [
             "1. Authorize 'Azure Monitor Logs' and 'Azure Log Analytics Data Collector' API connections."

Solutions/Network Session Essentials/Playbooks/SummarizeData/readme.md

@@ -1,9 +1,9 @@
-# Network Session Solution for Microsoft Sentinel Summarization capability
+# Network Session Essentials Solution Summarization capability
 
 This logic app helps to summarize Network session data into custom tables. This would incur additional cost.
 
  ## Summary
- To ensure good performance of Network session solution, summarization capability can be used. This would create various custom tables containing analytics based on different parameters of ASIM Network Session Schema.
+ To ensure good performance of Network Session Essentials solution, summarization capability can be used. This would create various custom tables containing analytics based on different parameters of ASIM Network Session Schema.
 
 ### Deployment instructions 
 1. Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.

Solutions/Network Session Essentials/Watchlists/NetworkSession_Monitor_Configuration.json

@@ -5,7 +5,7 @@
       "name": "['Network Session Monitor Configuration']",
       "apiVersion": "2021-03-01-preview",
       "properties": {
-        "description": "Configure the Network Session solution monitoring conditions here. \n\nChoose between Detection or Hunting for Type and Anomaly or Static for Threshold type to tune monitoring according to environment.",
+        "description": "Configure the Network Session Essentials solution monitoring conditions here. \n\nChoose between Detection or Hunting for Type and Anomaly or Static for Threshold type to tune monitoring according to environment.",
         "displayName": "NetworkSession Monitor Configuration",
         "source": "NetworkSession_Monitor_Configuration.csv",
         "provider": "Microsoft",

Solutions/Network Session Essentials/Workbooks/NetworkSessionEssentials.json

@@ -4,7 +4,7 @@
     {
       "type": 1,
       "content": {
-        "json": "## Network Session Solution\n---\n"
+        "json": "## Network Session Essentials\n---\n"
       },
       "name": "text - 2"
     },
@@ -19,7 +19,7 @@
     {
       "type": 1,
       "content": {
-        "json": "The \"SummarizedData\" playbook installed along with the Solution helps in summarizing the logs and improves the performance of workbooks and data searches. This workbook is build of the summarized data and would require the user to run the playbook to utilize the capabilities of this workbook.",
+        "json": "The \"SummarizedData\" playbook installed along with the Solution helps in summarizing the logs and improves the performance of workbooks and data searches. It is highly recommended to run the playbook to utilize the best capabilities of this workbook.",
         "style": "warning"
       },
       "name": "text - 7"

Tools/Create-Azure-Sentinel-Solution/V2/input/Solution_CrowdStrike.json

@@ -1,31 +0,0 @@
-{
-  "Name": "CrowdStrike Falcon Endpoint Protection",
-  "Author": "Microsoft - support@microsoft.com",
-  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/Data%20Connectors/Logo/crowdstrike.svg\" width=\"75px\" height=\"75px\">",
-  "Description": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)",
-  "Data Connectors": [
-    "Data Connectors/CrowdstrikeReplicator/CrowdstrikeReplicator_API_FunctionApp.json",
-	"Data Connectors/Connector_Syslog_CrowdStrikeFalconEndpointProtection.json"
-  ],
-  "Parsers": [
-    "Parsers/CrowdstrikeFalconEventStream.txt",
-	"Parsers/CrowdstrikeReplicator"
-  ],
-   "Workbooks": [
-    "Workbooks/CrowdStrikeFalconEndpointProtection.json"
-  ],
-  "Analytic Rules": [
-    "Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml",
-	"Analytic Rules/CriticalSeverityDetection.yaml"
-  ],
-  "Playbooks": [
-    "Playbooks/CrowdStrike_Base/azuredeploy.json",    
-    "Playbooks/CrowdStrike_Enrichment_GetDeviceInformation/azuredeploy.json",
-    "Playbooks/CrowdStrike_ContainHost/azuredeploy.json"    
-  ],
-  "BasePath": "C:\\GitHub\\azure\\Solutions\\CrowdStrike Falcon Endpoint Protection",
-  "Version": "2.0.6",
-  "Metadata": "SolutionMetadata.json",
-  "TemplateSpec": true,
-  "Is1Pconnector": false
-}

Tools/Create-Azure-Sentinel-Solution/V2/input/Solution_DigitalShadows.json

@@ -1,24 +0,0 @@
-{
-    "Name": "Digital Shadows",
-    "Author": "Digital Shadows - support@digitalshadows.com",
-    "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/DigitalShadowsLogo.svg\" width=\"75px\" height=\"75px\">",
-    "Description": "Digital Shadows SearchLight removes the noise of Threat Intelligence, making it easier to identify what is important so you can make better decisions faster.",
-    "Data Connectors": [
-      "Data Connectors/Digital Shadows/DigitalShadowsSearchlight_API_functionApp.json"
-    ],
-    "Analytic Rules": [
-      "Analytic Rules/Digital_Shadows_incident_creation_exclude.yaml",
-      "Analytic Rules/Digital_Shadows_incident_creation_include.yaml"
-    ],
-    "Workbooks": [
-        "Workbooks/DigitalShadows.json"
-    ],
-    "Playbooks": [
-        "Playbooks/DigitalShadowsPlaybook-UpdateIncidentStatus.json"
-    ],
-    "Metadata": "SolutionMetadata.json",
-    "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Digital Shadows",
-    "Version": "2.0.0",
-    "TemplateSpec": true,
-    "Is1PConnector": false
-  }

Tools/Create-Azure-Sentinel-Solution/V2/input/Solution_NetworkSessionEssentials.json

@@ -0,0 +1,37 @@
+{
+  "Name": "Network Session Essentials",
+  "Author": "Microsoft - support@microsoft.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "This is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Amazon Web Services \n 2. Azure Firewall \n 3. Azure Network Security Groups \n 4. Check Point \n 5. Cisco ASA \n 6. Cisco Meraki Security Events \n 7. Corelight \n 8. Fortinet FortiGate \n 9. Microsoft Defender for IoT \n 10. Microsoft Defender for Cloud \n 11. Microsoft Sysmon For Linux \n 12. Windows Firewall \n 13. Palo Alto PANOS \n 14. Vectra AI Stream \n 15. WatchGuard Firebox \n 16. Zscaler Internet Access \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.",
+  "Workbooks": [
+    "Workbooks/NetworkSessionEssentials.json"
+  ],
+  "Analytic Rules": [
+    "Analytic Rules/AnomalyFoundInNetworkSessionTraffic.yaml",
+    "Analytic Rules/DetectPortMisuseByAnomalyBasedDetection.yaml",
+    "Analytic Rules/DetectPortMisuseByStaticThreshold.yaml",
+    "Analytic Rules/NetworkPortSweepFromExternalNetwork.yaml",
+    "Analytic Rules/ExcessiveHTTPFailuresFromSource.yaml",
+    "Analytic Rules/PortScan.yaml",
+    "Analytic Rules/PossibleBeaconingActivity.yaml"
+  ],
+  "Playbooks": [
+    "Playbooks/SummarizeData/azuredeploy.json"
+  ],
+  "PlaybookDescription": "This solution installs the \"Summarize Data\" Playbook templates. It is \"highly recommended\" to use the \"Summarize data\" logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries. After installing the solution, this will be deployed under Playbook Templates in the Automation blade of Microsoft Sentinel. It can be configured and managed from the Manage solution view in Content Hub.",
+  "Hunting Queries": [
+    "Hunting Queries/DetectPortMisuseByAnomalyHunting.yaml",
+    "Hunting Queries/DetectPortMisuseByStaticThresholdHunting.yaml",
+    "Hunting Queries/DetectsSeveralUsersWithTheSameMACAddress.yaml",
+    "Hunting Queries/MismatchBetweenDestinationAppNameAndDestinationPort.yaml"
+  ],
+  "Watchlists": [
+    "Watchlists/NetworkSession_Monitor_Configuration.json"
+  ],
+  "WatchlistDescription": "Monitor Network Session Essentials Solution's' configurable conditions here. Choose between Detection or Hunting for Type and set Threshold type to Static or Anomaly to tune monitoring as needed",
+  "BasePath": "C:\\Users\\demehra\\source\\repos\\Azure-Sentinel\\Solutions\\Network Session Essentials",
+  "Version": "2.0.0",
+  "Metadata": "SolutionMetadata.json",
+  "TemplateSpec": true,
+  "Is1PConnector": false
+}

Tools/Create-Azure-Sentinel-Solution/V2/input/Solution_SlashNext.json

@@ -1,16 +0,0 @@
-{
-  "Name": "SlashNext",
-  "Author": "SlashNext - support@slashnext.com",
-  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/slashnext-logo.svg\" width=\"75px\"height=\"75px\">",
-  "Description": "SlashNext URL Investigation Connector is based upon its Real-time Phishing Defense (RPD) APIs which are connected to SlashNext real-time threat intelligence database, continuously updated with the latest phishing threats. SlashNext RPD APIs are designed to be very fast and give accurate binary verdict on each enrichment request to ease its integration in any phishing Incident Response (IR) or SOAR environment.",
-  "Playbooks": [
-    "Playbooks/SlashNextURLInvestigationConnector/deploy.json",
-    "Playbooks/SlashNextPhishingIncidentInvestigation/deploy.json",
-    "Playbooks/SlashNextWebAccessLogAssessment/deploy.json"
-  ],
-  "Metadata": "SolutionMetadata.json",
-  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SlashNext",
-  "Version": "2.0.0",
-  "TemplateSpec": true,
-  "Is1Pconnector": false
-}