Update ReversingLabs solution to v2.0.1

- ReversingLabs-CapabilitiesOverview: update KQL queries in workbook
to match playbook names as deployed by solution; update guide text;
update preview images; add logo svg
- Update Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json to include
  ReversingLabs-CapabilitiesOverview

Solutions/ReversingLabs/Data/Solution_ReversingLabs.json

@@ -3,7 +3,7 @@
   "Author": "ReversingLabs - support@reversinglabs.com",
   "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/reversinglabs.svg\" width=\"75px\" height=\"75px\">",
   "Description": "The ReversingLabs solution for Microsoft Sentinel includes a number of Sentinel resources designed to automate your security operations using the power of TitaniumCloud APIs and visualize your threat intelligence capabilities using included workbooks.",
-  "WorkbookDescription": "The ReversingLabs-CapabilitiesOverview workbook provides a high level look at your threat intellgience capabilties and how they relate to your operations.",
+  "WorkbookDescription": "The ReversingLabs-CapabilitiesOverview workbook provides a high level look at your threat intelligence capabilities and how they relate to your operations.",
   "Workbooks": [ 
 	  "Workbooks/ReversingLabs-CapabilitiesOverview/ReversingLabs-CapabilitiesOverview.json"
   ],
@@ -21,7 +21,7 @@
   "Watchlists": [],
   "WatchlistDescription": [],
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\ReversingLabs",
-  "Version": "2.0.0",
+  "Version": "2.0.1",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1Pconnector": false

Solutions/ReversingLabs/SolutionMetadata.json

@@ -1,8 +1,8 @@
 {
 	"publisherId": "reversinglabs1597673283347",
 	"offerId": "rl_offer_content_hub_aoae",
-	"firstPublishDate": "2022-09-12",
-    "lastPublishDate": "2022-09-12",
+	"firstPublishDate": "2022-08-08",
+    "lastPublishDate": "2023-01-03",
 	"providers": ["ReversingLabs"],
 	"categories": {
 		"domains" : ["Security - Threat Intelligence"],

Solutions/ReversingLabs/Workbooks/ReversingLabs-CapabilitiesOverview/Images/Logo/reversinglabs.svg

@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 21.1.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 841.9 595.3" xml:space="preserve">
+<g>
+	<g>
+		<path class="st0" d="M279.3,303.1h-30.8l-27.9,92.2H173v-92.2h-20.6v109.6h84l9.7-30.7h35.2l9.4,30.7h22.5L279.3,303.1z M250,365
+			l9.3-30.2c1.6-5.5,2.7-11.4,3.8-17.3h1.3c1,5.9,2.2,11.8,3.8,17.3l9.1,30.2H250z" fill="#F6143F"/>
+		<path class="st0" d="M349.8,413.5c-12.5,0-17.8-0.3-31.7-0.9V303.1c14.5-0.6,19.8-0.9,32.3-0.9c29.3,0,47.5,5.2,47.5,29.8v1.3
+			c0,9.4-4.1,18.6-13.9,23c10.3,4.3,14.5,13.7,14.5,23.1v1.5C398.5,408.3,378.1,413.5,349.8,413.5 M377.8,332.7
+			c0-12.5-9.9-13.6-27.4-13.6h-12.2v29.7h18.6c17,0,21.1-5.6,21.1-14.7V332.7z M378.3,379.3c-0.1-9.6-4.6-15.6-21.4-15.6h-18.7v32.9
+			h5.6c22.4,0,34.5-0.1,34.5-15.6V379.3z" fill="#F6143F"/>
+		<path class="st0" d="M446,415c-14.3,0-29.1-1.9-34.5-3.4v-15.8c9,0.9,19.2,1.8,32.9,1.8c13.3,0,19.6-3.7,19.6-13.6
+			c0-7.1-2.8-11.1-13.7-15.6l-16.5-6.8c-16.2-6.6-24.9-15.9-24.9-31.9c0-21.2,13.3-28.9,39.2-28.9c13.8,0,26.8,2.2,32,3.5V320
+			c-8.4-0.7-19.6-1.9-31.1-1.9c-12.8,0-19.8,2.2-19.8,11.1c0,6.6,3.1,10,14,14.5l14.9,6.1c19.2,7.8,26.8,15.6,26.8,34.2
+			C484.9,403.8,470.6,415,446,415" fill="#F6143F"/>
+	</g>
+	<g>
+		<path class="st1" d="M52.9,292.1l25.8-44.7c-11.7-5-18.9-13.7-18.9-30.4v-1c0-28.9,21.8-34.2,48.2-34.2c11.1,0,21,0.3,30.7,0.7
+			v109.6h-20.1v-40.4h-10.2c-3.4,0-6.6,0-9.6-0.1l-24.2,40.6H52.9z M80,217.2c0,14.2,8.4,18.1,27.3,18.1c3.8,0,7.5,0,11.4-0.2v-36
+			c-26.8,0-38.6,0.2-38.6,17.1V217.2z" fill="#231F20"/>
+		<path class="st1" d="M291.5,182.5l-22.6,75.9c-1.9,6.4-3.2,13.7-4.4,19.6h-0.3c-1.5-5.8-2.5-13.3-4.4-19.6l-22.6-75.9h-84.9v109.6
+			h69.8v-16.9H173V244h46v-16.5h-46v-27.9h48.1l27.9,92.5h30.1l33.2-109.6H291.5z" fill="#231F20"/>
+		<polygon class="st1" points="318,292.1 318,182.5 387.7,182.5 387.7,199.6 338.6,199.6 338.6,227.5 384.6,227.5 384.6,244 
+			338.6,244 338.6,275.1 387.7,275.1 387.7,292.1" fill="#231F20"/>
+		<path class="st1" d="M463.7,292.1l-24.2-40.5c-2.9,0.1-6.2,0.1-9.6,0.1h-10.2v40.4h-20.1V182.5c9.7-0.4,19.6-0.7,30.7-0.7
+			c26.4,0,48.2,5.3,48.2,34.2v1c0,16.7-7.2,25.4-18.9,30.4l25.8,44.7H463.7z M458.4,216.3c0-17-11.8-17.1-38.6-17.1v36
+			c3.8,0.2,7.5,0.2,11.4,0.2c18.9,0,27.3-4,27.3-18.1V216.3z" fill="#231F20"/>
+		<path class="st1" d="M525.1,294.5c-14.3,0-29.1-1.9-34.5-3.4v-15.8c9,0.9,19.2,1.8,32.9,1.8c13.3,0,19.6-3.7,19.6-13.6
+			c0-7.1-2.8-11.1-13.7-15.6l-16.5-6.8c-16.2-6.6-24.9-15.9-24.9-31.9c0-21.2,13.3-28.9,39.2-28.9c13.9,0,26.8,2.2,32,3.5v15.6
+			c-8.4-0.7-19.6-1.9-31.1-1.9c-12.8,0-19.8,2.2-19.8,11.1c0,6.6,3.1,10,14,14.5l14.9,6c19.2,7.8,26.8,15.6,26.8,34.2
+			C564,283.2,549.7,294.5,525.1,294.5" fill="#231F20"/>
+		<rect x="573" y="182.5" class="st1" width="20.6" height="109.6" fill="#231F20"/>
+		<path class="st1" d="M671.5,292.1l-35.1-65c-2.7-5-5.8-10.9-8.3-16.4h-0.3c0.3,6.2,0.6,13,0.6,19.6v61.8h-18.9V182.5h23.9l35,63.7
+			c2.6,5,6,11.4,8.4,16.7h0.3c-0.5-6.5-0.6-14.2-0.6-20.8v-59.6h19v109.6H671.5z" fill="#231F20"/>
+		<path class="st1" d="M753.2,294.5c-25.1,0-45.9-9.7-45.9-49.4v-15.5c0-41.9,23.6-49.3,46.3-49.3c16.1,0,31.9,2.7,35.2,3.7v15.8
+			c-7.1-0.6-24.2-1.5-31.7-1.5c-17.8,0-29.3,4-29.3,31.3V245c0,25.1,9.1,31.4,26.8,31.4c5.5,0,10.9-0.2,14.7-0.4v-26.6l-8.4,0v-15.7
+			h28v57.4C783,292.4,769,294.5,753.2,294.5" fill="#231F20"/>
+	</g>
+</g>
+</svg>

Solutions/ReversingLabs/Workbooks/ReversingLabs-CapabilitiesOverview/ReversingLabs-CapabilitiesOverview.json

@@ -10,7 +10,7 @@
           {
             "type": 1,
             "content": {
-              "json": "``` \r\nVersion: 1.0\r\nAuthor: Aaron Hoffmann\r\n```\r\n"
+              "json": "``` \r\nVersion: 1.0.1\r\nAuthor: aaron.hoffmann@reversinglabs.com\r\n```\r\n"
             },
             "conditionalVisibility": {
               "parameterName": "showWorkbookInfo",
@@ -1251,7 +1251,7 @@
                       }
                     ]
                   },
-                  "customWidth": "25",
+                  "customWidth": "50",
                   "name": "query - 3"
                 },
                 {
@@ -1270,7 +1270,7 @@
                       {
                         "type": 1,
                         "content": {
-                          "json": "The following data is based on average time spent performing manual enrichment lookups compared to a default SOC analyst salary of $90,000 USD defined in the analyst_salary parameter.\r\n\r\n* Time saved - the amount of time saved on performing lookups when using a ReversingLabs playbook\r\n* Current cost savings - based on incidents that have been enriched by a ReversingLabs playbook, this is the amount of money you've saved\r\n* Estimated potential cost savings - this is the amount of money you could be saving when performing enrichment lookups on incidents\r\n",
+                          "json": "The following data is based on average time spent performing manual enrichment lookups compared to a default SOC analyst salary of $90,000 USD defined in the analyst_salary parameter.\r\n\r\n* Time saved - the amount of time saved on performing lookups when using a ReversingLabs playbook\r\n* Current cost savings - based on incidents that have been enriched by a ReversingLabs playbook, this is the amount of money you've saved\r\n* Estimated potential cost savings - this is the amount of money you could be saving when performing enrichment lookups on incidents\r\n\r\n**NOTE:** if you modified any ReversingLabs playbook names from the default value during solution deployment, you will need to update the KQL query for each tile below.\r\n",
                           "style": "info"
                         },
                         "conditionalVisibility": {
@@ -1284,7 +1284,7 @@
                         "type": 3,
                         "content": {
                           "version": "KqlItem/1.0",
-                          "query": "// average time to manually perform a lookup ~2 minutes\r\nlet avg_lookup_time = 120;\r\nlet avg_playbook_time = 10;\r\nSecurityIncident\r\n| extend CommenterName = tostring(parse_json(tostring(Comments[0].author)).name)\r\n| where CommenterName == \"Comment created from playbook - TCA0101-EnrichFileHash\"\r\n| summarize arg_max(TimeGenerated, *) by IncidentName\r\n| summarize count()\r\n| extend manual_time = count_ * avg_lookup_time\r\n| extend auto_time = count_ * avg_playbook_time\r\n| extend time_saved = manual_time - auto_time\r\n| project time_saved\r\n| extend title = \"Time saved\"",
+                          "query": "// average time to manually perform a lookup ~2 minutes\r\nlet avg_lookup_time = 120;\r\nlet avg_playbook_time = 10;\r\nSecurityIncident\r\n| extend CommenterName = tostring(parse_json(tostring(Comments[0].author)).name)\r\n| where CommenterName == \"Comment created from playbook - ReversingLabs-EnrichFileHash\"\r\n| summarize arg_max(TimeGenerated, *) by IncidentName\r\n| summarize count()\r\n| extend manual_time = count_ * avg_lookup_time\r\n| extend auto_time = count_ * avg_playbook_time\r\n| extend time_saved = manual_time - auto_time\r\n| project time_saved\r\n| extend title = \"Time saved\"",
                           "size": 3,
                           "timeContextFromParameter": "timerange",
                           "queryType": 0,
@@ -1316,7 +1316,7 @@
                         "type": 3,
                         "content": {
                           "version": "KqlItem/1.0",
-                          "query": "// average time to manually perform a lookup ~2 minutes\r\nlet avg_lookup_time = 120;\r\n// salary in $ per hour assuming 2080 work hours in a year\r\nlet salary_per_second = round(todecimal({analyst_salary}/2080)/60/60, 5);\r\nSecurityIncident\r\n| extend CommenterName = tostring(parse_json(tostring(Comments[0].author)).name)\r\n| where CommenterName == \"Comment created from playbook - TCA0101-EnrichFileHash\"\r\n| summarize arg_max(TimeGenerated, *) by IncidentName\r\n| summarize count()\r\n| extend cost = (salary_per_second) * (avg_lookup_time * count_)\r\n| project cost, title=\"Current cost savings\"",
+                          "query": "// average time to manually perform a lookup ~2 minutes\r\nlet avg_lookup_time = 120;\r\n// salary in $ per hour assuming 2080 work hours in a year\r\nlet salary_per_second = round(todecimal({analyst_salary}/2080)/60/60, 5);\r\nSecurityIncident\r\n| extend CommenterName = tostring(parse_json(tostring(Comments[0].author)).name)\r\n| where CommenterName == \"Comment created from playbook - ReversingLabs-EnrichFileHash\"\r\n| summarize arg_max(TimeGenerated, *) by IncidentName\r\n| summarize count()\r\n| extend cost = (salary_per_second) * (avg_lookup_time * count_)\r\n| project cost, title=\"Current cost savings\"",
                           "size": 3,
                           "timeContextFromParameter": "timerange",
                           "queryType": 0,
@@ -1355,7 +1355,7 @@
                         "type": 3,
                         "content": {
                           "version": "KqlItem/1.0",
-                          "query": "// average time to perform a manual lookup ~2 minutes\r\nlet avg_lookup_time = 120;\r\n// salary in $ per hour assuming 2080 work hours in a year\r\nlet salary_per_second = round(todecimal({analyst_salary}/2080)/60/60, 2);\r\nSecurityIncident\r\n| extend CommenterName = tostring(parse_json(tostring(Comments[0].author)).name)\r\n| summarize arg_max(TimeGenerated, *) by IncidentName\r\n| where CommenterName != \"Comment created from playbook - TCA0101-EnrichFileHash\"\r\n| summarize count()\r\n| extend cost = (salary_per_second) * (avg_lookup_time * count_)\r\n| project cost, title=\"Estimated potential cost savings\"",
+                          "query": "// average time to perform a manual lookup ~2 minutes\r\nlet avg_lookup_time = 120;\r\n// salary in $ per hour assuming 2080 work hours in a year\r\nlet salary_per_second = round(todecimal({analyst_salary}/2080)/60/60, 2);\r\nSecurityIncident\r\n| extend CommenterName = tostring(parse_json(tostring(Comments[0].author)).name)\r\n| summarize arg_max(TimeGenerated, *) by IncidentName\r\n| where CommenterName != \"Comment created from playbook - ReversingLabs-EnrichFileHash\"\r\n| summarize count()\r\n| extend cost = (salary_per_second) * (avg_lookup_time * count_)\r\n| project cost, title=\"Estimated potential cost savings\"",
                           "size": 3,
                           "timeContextFromParameter": "timerange",
                           "queryType": 0,

Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json

@@ -4887,5 +4887,25 @@
   "templateRelativePath": "ibossWebUsage.json",
   "subtitle": "",
   "provider": "iboss"
+},
+{
+  "workbookKey": "ReversingLabs-CapabilitiesOverview",
+  "logoFileName": "reversinglabs.svg",
+  "description": "The ReversingLabs-CapabilitiesOverview workbook provides a high level look at your threat intelligence capabilities and how they relate to your operations.",
+  "dataTypesDependencies": [
+  ],
+  "dataConnectorsDependencies": [
+  ],
+  "previewImagesFileNames": [
+    "ReversingLabsTiSummary-White.png",
+    "ReversingLabsTiSummary-Black.png",
+    "ReversingLabsOpsSummary-White.png",
+    "ReversingLabsOpsSummary-Black.png"
+  ],
+  "version": "1.0.1",
+  "title": "ReversingLabs-CapabilitiesOverview",
+  "templateRelativePath": "ReversingLabs-CapabilitiesOverview.json",
+  "subtitle": "",
+  "provider": "ReversingLabs"
 }
 ]