From 5b9b4359d81ea6a628f2f4064ed2fc3abfb1be4e Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Fri, 3 May 2024 14:38:59 +0530 Subject: [PATCH] Repackage - Vectra XDR , Dataminr Pulse --- .../Analytic Rules/DetectXDR_detections.yaml | 4 +- .../Vectra XDR/Data/Solution_VectraXDR.json | 2 +- Solutions/Vectra XDR/Package/3.1.1.zip | Bin 0 -> 22254 bytes .../Package/createUiDefinition.json | 2 +- .../Vectra XDR/Package/mainTemplate.json | 118 +++++++++--------- Solutions/Vectra XDR/ReleaseNotes.md | 3 +- 6 files changed, 65 insertions(+), 64 deletions(-) create mode 100644 Solutions/Vectra XDR/Package/3.1.1.zip diff --git a/Solutions/Vectra XDR/Analytic Rules/DetectXDR_detections.yaml b/Solutions/Vectra XDR/Analytic Rules/DetectXDR_detections.yaml index 37b6a1a3f0..3bc0afd0d2 100644 --- a/Solutions/Vectra XDR/Analytic Rules/DetectXDR_detections.yaml +++ b/Solutions/Vectra XDR/Analytic Rules/DetectXDR_detections.yaml @@ -1,6 +1,6 @@ id: 065c0a50-3080-4f9a-acca-1fe6fbf63205 name: Vectra Detection Alerts -version: 1.0.0 +version: 1.0.1 kind: Scheduled description: This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform status: Available @@ -34,7 +34,7 @@ incidentConfiguration: groupingConfiguration: enabled: false reopenClosedIncident: false - lookbackDuration: 5h + lookbackDuration: PT5H matchingMethod: AllEntities groupByEntities: [] groupByAlertDetails: [] diff --git a/Solutions/Vectra XDR/Data/Solution_VectraXDR.json b/Solutions/Vectra XDR/Data/Solution_VectraXDR.json index b11e911d05..899bb1ca2e 100644 --- a/Solutions/Vectra XDR/Data/Solution_VectraXDR.json +++ b/Solutions/Vectra XDR/Data/Solution_VectraXDR.json 
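Review bot: the `lookbackDuration: 5h` → `PT5H` change brings the value into the ISO 8601 duration form that `groupingConfiguration.lookbackDuration` takes in the deployed AlertRuleTemplate resource; a bare `5h` is not an ISO 8601 duration. Two things to keep in mind: `groupingConfiguration.enabled: false` in the surrounding context means the value is inert until grouping is switched on, so the `version: 1.0.1` bump is there to get the corrected template redeployed rather than to change behaviour; and the stat lists `Solutions/Vectra XDR/ReleaseNotes.md | 3 +-` but no hunk for that file appears in the patch as shown, so I cannot confirm the release notes mention this fix.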
@@ -21,7 +21,7 @@ "Workbooks/VectraXDR.json" ], "BasePath": "C:\\Users\\xxx\\Documents\\GitHub\\Azure-Sentinel\\Solutions\\Vectra XDR", - "Version": "3.1.0", + "Version": "3.1.1", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false 
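Review bot: `"BasePath": "C:\\Users\\xxx\\Documents\\GitHub\\Azure-Sentinel\\Solutions\\Vectra XDR"` is a developer-local Windows path left in the packaging metadata; the packaging tool only resolves it from that exact checkout layout, so a repository-relative path (or a documented placeholder that the tool overrides) would make the repackage reproducible for whoever does 3.1.2. The `"Version": "3.1.1"` bump itself is fine and matches the new `Package/3.1.1.zip` added in this commit.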
diff --git a/Solutions/Vectra XDR/Package/3.1.1.zip b/Solutions/Vectra XDR/Package/3.1.1.zip new file mode 100644 index 0000000000000000000000000000000000000000..70254570821c3eb66e9b580b8e4713c6d408f314 GIT binary patch literal 22254
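Review bot: this is a new 22254-byte binary artifact (`Package/3.1.1.zip`, `create mode 100644`), so it cannot be reviewed line by line; please confirm it was regenerated from the `mainTemplate.json` and `createUiDefinition.json` in this same commit rather than from an earlier working copy, since nothing in the patch ties the zip contents to the JSON diffs that follow.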
zPnfXzSb%_mJA&u=?AuLgVx6{?z~rvTirgRoNj?B`Pnwr-Yh5x0wlmfqgegDDmZ!M= zX0lO+$kF|hYrAWIO7O$5KDC*Oo|V+hr(D~@sal^|&=(lzT!5GxC(XMN>7E*j58fIb zSwl9&OGLKdOBrFZ;OvyVT-W)mA8c(JcCkf*L(|E5v1N{oV$_FsdT2vH>Oc4e;da5=IVq)Soem6\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nVectra AI is the leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises. Vectra AI's cloud-native platform - powered by our patented Attack Signal Intelligence- provide security teams with unified threat visibility, context and control across public cloud, SaaS, identity and data center networks in a prioritized feed. Vectra AI-driven Attack Signal IntelligenceTM, empowers SOC analysts to rapidly prioritize, investigate and respond to the most urgent cyber-attacks in their hybrid cloud environment. Organizations worldwide rely on Vectra AI's cloud-native platform and MDR services to see and stop attacks from becoming breaches. The Vectra AI App enables the security operations team to consume the industry's richest threat signals spanning public cloud, SaaS, identity and data center networks inside of Microsoft Sentinel. 
For more information, visit www.vectra.ai.\n\n The Vectra XDR App for Microsoft Sentinel contains:\n Data Connector to ingest events generated by Vectra XDR (through OMS agent).\n Workbook: Dynamic dashboard view of Entities, Detections, Lockdown, Audit and, Health\n\n**Data Connectors:** 1, **Parsers:** 5, **Workbooks:** 1, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vectra%20XDR/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nVectra AI is the leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises. Vectra AI's cloud-native platform - powered by our patented Attack Signal Intelligence- provide security teams with unified threat visibility, context and control across public cloud, SaaS, identity and data center networks in a prioritized feed. Vectra AI-driven Attack Signal IntelligenceTM, empowers SOC analysts to rapidly prioritize, investigate and respond to the most urgent cyber-attacks in their hybrid cloud environment. Organizations worldwide rely on Vectra AI's cloud-native platform and MDR services to see and stop attacks from becoming breaches. The Vectra AI App enables the security operations team to consume the industry's richest threat signals spanning public cloud, SaaS, identity and data center networks inside of Microsoft Sentinel. 
For more information, visit www.vectra.ai.\n\n The Vectra XDR App for Microsoft Sentinel contains:\n Data Connector to ingest events generated by Vectra XDR (through OMS agent).\n Workbook: Dynamic dashboard view of Entities, Detections, Lockdown, Audit and, Health\n\n**Data Connectors:** 1, **Parsers:** 5, **Workbooks:** 1, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", diff --git a/Solutions/Vectra XDR/Package/mainTemplate.json b/Solutions/Vectra XDR/Package/mainTemplate.json index 87b950eeb2..a703f97b3c 100644 --- a/Solutions/Vectra XDR/Package/mainTemplate.json +++ b/Solutions/Vectra XDR/Package/mainTemplate.json @@ -41,7 +41,7 @@ "email": "tme@vetcra.ai", "_email": "[variables('email')]", "_solutionName": "Vectra XDR", - "_solutionVersion": "3.1.0", + "_solutionVersion": "3.1.1", "solutionId": "vectraaiinc.vectra-xdr-for-microsoft-sentinel", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "VectraXDR", 
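Review bot: the only intended change to `description` is the added Release Notes bullet, but since the whole line is rewritten anyway, the carried-over text has slips worth fixing in the same pass: "provide security teams" (should be "provides"), the stray comma in "Attack Signal IntelligenceTM, empowers", and "Audit and, Health". The two new bullets also differ in leading whitespace (`\n\n• Review` versus `\n\n • There may`), which will render unevenly in the marketplace UI.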
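Review bot: `"email": "tme@vetcra.ai"` in the unchanged context of the `@@ -41,7 +41,7 @@` hunk looks like a typo of `vectra.ai`, the domain used everywhere else in the solution (for example `www.vectra.ai` in the description text). It is the support contact surfaced with the package, so correct it at its source before repackaging rather than shipping it again under 3.1.1.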
@@ -89,11 +89,11 @@ "parserContentId5": "VectraLockdown-Parser" }, "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.0", + "analyticRuleVersion1": "1.0.1", "_analyticRulecontentId1": "065c0a50-3080-4f9a-acca-1fe6fbf63205", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '065c0a50-3080-4f9a-acca-1fe6fbf63205')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('065c0a50-3080-4f9a-acca-1fe6fbf63205')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','065c0a50-3080-4f9a-acca-1fe6fbf63205','-', '1.0.0')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','065c0a50-3080-4f9a-acca-1fe6fbf63205','-', '1.0.1')))]" }, "analyticRuleObject2": { "analyticRuleVersion2": "1.0.0", @@ -121,7 +121,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Vectra XDR data connector with template version 3.1.0", + "description": "Vectra XDR data connector with template version 3.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
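Review bot: bumping `analyticRuleVersion1` to `1.0.1` matches `version: 1.0.1` in `DetectXDR_detections.yaml`, and because `_analyticRulecontentProductId1` folds the version literal into its `uniqueString(...)`, the product id changes with it; that is expected, but anything keyed on the old product id will see a new value. `analyticRuleObject2` staying at `1.0.0` is consistent with rule 2 not being touched in this change set.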
@@ -624,7 +624,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "VectraDetections Data Parser with template version 3.1.0", + "description": "VectraDetections Data Parser with template version 3.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
@@ -638,7 +638,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VectraDetections", + "displayName": "VectraDetections", "category": "Microsoft Sentinel Parser", "functionAlias": "VectraDetections", "query": "let VectraDetections_view = view () { \n Detections_Data_CL\n | extend \n EventVendor=\"VectraDetections\",\n EventProduct=\"VectraDetections\",\n ID = column_ifexists('id_d', ''),\n [\"Detection Category\"] = column_ifexists('Category', ''),\n [\"Is Triaged\"] = column_ifexists('triaged_b', ''),\n [\"Detection Name\"] = column_ifexists('detection_type_s', ''),\n [\"D Type Vname\"] = column_ifexists('d_type_vname_s', ''),\n [\"Detection ID\"] = column_ifexists('detection_id_d', ''),\n [\"Vectra Pivot\"] = column_ifexists('detection_href_s', ''),\n [\"Entity ID\"] = toint(column_ifexists('entity_id_d', '')),\n URL = column_ifexists('url_s', ''),\n [\"Entity UID\"] = column_ifexists('entity_uid_s', ''),\n [\"Last Updated\"] = column_ifexists('event_timestamp_t', ''),\n [\"Details\"] = column_ifexists('detail_s', ''),\n Severity = column_ifexists('Severity', ''),\n [\"Source IP\"] = column_ifexists('src_ip_s', ''),\n [\"Detection Details\"] = column_ifexists('d_detection_details_s', ''),\n [\"Normal Domains\"] = column_ifexists('normal_domains_s', ''),\n [\"Is Targeting Key Asset\"] = column_ifexists('is_targeting_key_asset_s', ''),\n [\"Source Host\"] = column_ifexists('src_host_s', ''),\n Summary = column_ifexists('summary_s', ''),\n [\"Grouped Details\"] = column_ifexists('grouped_details_s', '')\n | extend \n [\"Vectra Pivot\"] = case(isnotempty(['Vectra Pivot']), strcat(['Vectra Pivot'], \"&pivot=Vectra-Sentinel-1.0.0\"), ['Vectra Pivot']),\n URL = case(isnotempty(URL), strcat(URL, \"?pivot=Vectra-Sentinel-1.0.0\"), URL)\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n ID,\n [\"Detection Category\"],\n [\"Is Triaged\"],\n [\"Detection Name\"],\n [\"D Type Vname\"],\n [\"Detection 
ID\"],\n [\"Vectra Pivot\"],\n [\"Entity ID\"],\n URL,\n [\"Entity UID\"],\n [\"Last Updated\"],\n [\"Details\"],\n Severity,\n [\"Source IP\"],\n [\"Detection Details\"],\n [\"Normal Domains\"],\n [\"Is Targeting Key Asset\"],\n [\"Source Host\"],\n Summary,\n [\"Grouped Details\"]\n};\nVectraDetections_view\n", @@ -660,7 +660,7 @@ "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraDetections')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraDetections')]", "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", "version": "[variables('parserObject1').parserVersion1]", @@ -690,7 +690,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", - "displayName": "Parser for VectraDetections", + "displayName": "VectraDetections", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", "version": "[variables('parserObject1').parserVersion1]" 
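Review bot: `parentId` is built from the saved search's display name (`savedSearches', parameters('workspace'), 'VectraDetections'`), so the rename from `Parser for VectraDetections` must be applied everywhere the name appears; in the part of the patch shown it is (`displayName` in `-638`, `parentId` in `-660`, `displayName` in `-690`, and again in the duplicated `-703`/`-726` block), but a grep over the rest of `mainTemplate.json` and the `Parsers/` sources for the old string before merging would rule out a stale reference that would make the metadata resource point at a non-existent saved search. Separately, the KQL in the `-638` hunk still hard-codes `pivot=Vectra-Sentinel-1.0.0` while the solution moves to 3.1.1; if that tag is meant to track the integration version it should be updated, and if it is a fixed identifier a short comment saying so would save the next reviewer the same question.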
@@ -703,7 +703,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VectraDetections", + "displayName": "VectraDetections", "category": "Microsoft Sentinel Parser", "functionAlias": "VectraDetections", "query": "let VectraDetections_view = view () { \n Detections_Data_CL\n | extend \n EventVendor=\"VectraDetections\",\n EventProduct=\"VectraDetections\",\n ID = column_ifexists('id_d', ''),\n [\"Detection Category\"] = column_ifexists('Category', ''),\n [\"Is Triaged\"] = column_ifexists('triaged_b', ''),\n [\"Detection Name\"] = column_ifexists('detection_type_s', ''),\n [\"D Type Vname\"] = column_ifexists('d_type_vname_s', ''),\n [\"Detection ID\"] = column_ifexists('detection_id_d', ''),\n [\"Vectra Pivot\"] = column_ifexists('detection_href_s', ''),\n [\"Entity ID\"] = toint(column_ifexists('entity_id_d', '')),\n URL = column_ifexists('url_s', ''),\n [\"Entity UID\"] = column_ifexists('entity_uid_s', ''),\n [\"Last Updated\"] = column_ifexists('event_timestamp_t', ''),\n [\"Details\"] = column_ifexists('detail_s', ''),\n Severity = column_ifexists('Severity', ''),\n [\"Source IP\"] = column_ifexists('src_ip_s', ''),\n [\"Detection Details\"] = column_ifexists('d_detection_details_s', ''),\n [\"Normal Domains\"] = column_ifexists('normal_domains_s', ''),\n [\"Is Targeting Key Asset\"] = column_ifexists('is_targeting_key_asset_s', ''),\n [\"Source Host\"] = column_ifexists('src_host_s', ''),\n Summary = column_ifexists('summary_s', ''),\n [\"Grouped Details\"] = column_ifexists('grouped_details_s', '')\n | extend \n [\"Vectra Pivot\"] = case(isnotempty(['Vectra Pivot']), strcat(['Vectra Pivot'], \"&pivot=Vectra-Sentinel-1.0.0\"), ['Vectra Pivot']),\n URL = case(isnotempty(URL), strcat(URL, \"?pivot=Vectra-Sentinel-1.0.0\"), URL)\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n ID,\n [\"Detection Category\"],\n [\"Is Triaged\"],\n [\"Detection Name\"],\n [\"D Type Vname\"],\n [\"Detection 
ID\"],\n [\"Vectra Pivot\"],\n [\"Entity ID\"],\n URL,\n [\"Entity UID\"],\n [\"Last Updated\"],\n [\"Details\"],\n Severity,\n [\"Source IP\"],\n [\"Detection Details\"],\n [\"Normal Domains\"],\n [\"Is Targeting Key Asset\"],\n [\"Source Host\"],\n Summary,\n [\"Grouped Details\"]\n};\nVectraDetections_view\n", @@ -726,7 +726,7 @@ "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraDetections')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraDetections')]", "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", "version": "[variables('parserObject1').parserVersion1]", @@ -756,7 +756,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "VectraAudits Data Parser with template version 3.1.0", + "description": "VectraAudits Data Parser with template version 3.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject2').parserVersion2]", 
@@ -770,7 +770,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VectraAudits", + "displayName": "VectraAudits", "category": "Microsoft Sentinel Parser", "functionAlias": "VectraAudits", "query": "let VectraAudits_view = view () { \n Audits_Data_CL\n | extend \n EventVendor=\"VectraAudits\",\n EventProduct=\"VectraAudits\",\n ID = column_ifexists('id_d', ''),\n [\"User ID\"] = column_ifexists('user_id_d', ''),\n Username = column_ifexists('username_s', ''),\n [\"User Type\"] = column_ifexists('user_type_s', ''),\n [\"User Role\"] = column_ifexists('user_role_s', ''),\n Version = column_ifexists('version_s', ''),\n [\"Source IP\"] = column_ifexists('source_ip_s', ''),\n [\"Event Timestamp\"] = column_ifexists('event_timestamp_t', ''),\n Message = column_ifexists('Message', ''),\n Status = column_ifexists('result_status_s', ''),\n [\"Event Data\"] = column_ifexists('event_data_s', ''),\n [\"Event Object\"] = column_ifexists('event_object_s', ''),\n [\"Event Action\"] = column_ifexists('event_action_s', ''),\n [\"API Client ID\"] = column_ifexists('api_client_id_g', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n ID,\n ['User ID'],\n Username,\n ['User Type'],\n [\"User Role\"],\n Version,\n ['Source IP'],\n ['Event Timestamp'],\n Message,\n Status,\n [\"Event Data\"],\n ['Event Object'],\n ['Event Action'],\n ['API Client ID']\n};\nVectraAudits_view\n", @@ -792,7 +792,7 @@ "[variables('parserObject2')._parserId2]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraAudits')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraAudits')]", "contentId": "[variables('parserObject2').parserContentId2]", "kind": "Parser", "version": "[variables('parserObject2').parserVersion2]", 
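Review bot: the `parentId` for each parser now embeds the new display name as a string literal (`'VectraAudits'`) while `contentId` and `version` on the same object come from `variables('parserObject2')`; this literal/variable split is exactly the coupling that broke reinstall when the name was 'Parser for VectraAudits', and the next rename will break it again. Derive the saved search name from the same parser variable in both the savedSearches resource and the `parentId` so the two cannot diverge, and add a packaging check that the two strings match before the template is zipped.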
@@ -822,7 +822,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject2').parserContentId2]", "contentKind": "Parser", - "displayName": "Parser for VectraAudits", + "displayName": "VectraAudits", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]", "version": "[variables('parserObject2').parserVersion2]" 
@@ -835,7 +835,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VectraAudits", + "displayName": "VectraAudits", "category": "Microsoft Sentinel Parser", "functionAlias": "VectraAudits", "query": "let VectraAudits_view = view () { \n Audits_Data_CL\n | extend \n EventVendor=\"VectraAudits\",\n EventProduct=\"VectraAudits\",\n ID = column_ifexists('id_d', ''),\n [\"User ID\"] = column_ifexists('user_id_d', ''),\n Username = column_ifexists('username_s', ''),\n [\"User Type\"] = column_ifexists('user_type_s', ''),\n [\"User Role\"] = column_ifexists('user_role_s', ''),\n Version = column_ifexists('version_s', ''),\n [\"Source IP\"] = column_ifexists('source_ip_s', ''),\n [\"Event Timestamp\"] = column_ifexists('event_timestamp_t', ''),\n Message = column_ifexists('Message', ''),\n Status = column_ifexists('result_status_s', ''),\n [\"Event Data\"] = column_ifexists('event_data_s', ''),\n [\"Event Object\"] = column_ifexists('event_object_s', ''),\n [\"Event Action\"] = column_ifexists('event_action_s', ''),\n [\"API Client ID\"] = column_ifexists('api_client_id_g', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n ID,\n ['User ID'],\n Username,\n ['User Type'],\n [\"User Role\"],\n Version,\n ['Source IP'],\n ['Event Timestamp'],\n Message,\n Status,\n [\"Event Data\"],\n ['Event Object'],\n ['Event Action'],\n ['API Client ID']\n};\nVectraAudits_view\n", @@ -858,7 +858,7 @@ "[variables('parserObject2')._parserId2]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraAudits')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraAudits')]", "contentId": "[variables('parserObject2').parserContentId2]", "kind": "Parser", "version": "[variables('parserObject2').parserVersion2]", 
@@ -888,7 +888,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "VectraEntityScoring Data Parser with template version 3.1.0", + "description": "VectraEntityScoring Data Parser with template version 3.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject3').parserVersion3]", 
@@ -902,7 +902,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VectraEntityScoring", + "displayName": "VectraEntityScoring", "category": "Microsoft Sentinel Parser", "functionAlias": "VectraEntityScoring", "query": "let VectraEntityScoring_view = view () { \n Entity_Scoring_Data_CL\n | extend \n EventVendor=\"VectraEntityScoring\",\n EventProduct=\"VectraEntityScoring\",\n ID = column_ifexists('id_d', ''),\n [\"Entity ID\"] = column_ifexists('entity_id_d', ''),\n [\"Active Detection Types\"] = column_ifexists('active_detection_types_s', ''),\n [\"Breadth Contrib\"] = column_ifexists('breadth_contrib_d', ''),\n Category = column_ifexists('Category', ''),\n Importance = column_ifexists('importance_d', ''),\n Type = column_ifexists('type_s', ''),\n [\"Last Updated\"] = column_ifexists('event_timestamp_t', ''),\n [\"Is Prioritized\"] = column_ifexists('is_prioritized_b', ''),\n [\"Last Detection ID\"] = column_ifexists('last_detection_id_d', ''),\n [\"Last Detection Type\"] = column_ifexists('last_detection_type_s', ''),\n [\"Last Detection URL\"] = column_ifexists('last_detection_url_s', ''),\n [\"Last Detection\"] = column_ifexists('last_detection_s', ''),\n Name = column_ifexists('name_s', ''),\n Severity = column_ifexists('severity_s', ''),\n [\"Urgency Score\"] = column_ifexists('urgency_score_d', ''),\n [\"Vectra Pivot\"] = column_ifexists('url_s', ''),\n Velocity = column_ifexists('velocity_contrib_d', ''),\n [\"Attack Rating\"] = column_ifexists('attack_rating_d', '')\n | extend [\"Vectra Pivot\"] = case(isnotempty(['Vectra Pivot']), strcat(['Vectra Pivot'], \"?pivot=Vectra-Sentinel-1.0.0\"), ['Vectra Pivot'])\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n ID,\n [\"Entity ID\"],\n Name,\n Importance,\n Type,\n [\"Is Prioritized\"],\n Severity,\n [\"Urgency Score\"],\n [\"Vectra Pivot\"],\n Category,\n [\"Last Detection URL\"],\n [\"Last Detection Type\"],\n [\"Last Detection 
ID\"],\n [\"Last Detection\"],\n [\"Active Detection Types\"],\n [\"Last Updated\"],\n [\"Breadth Contrib\"],\n Velocity,\n [\"Attack Rating\"]\n};\nVectraEntityScoring_view\n", @@ -924,7 +924,7 @@ "[variables('parserObject3')._parserId3]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraEntityScoring')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraEntityScoring')]", "contentId": "[variables('parserObject3').parserContentId3]", "kind": "Parser", "version": "[variables('parserObject3').parserVersion3]", @@ -954,7 +954,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject3').parserContentId3]", "contentKind": "Parser", - "displayName": "Parser for VectraEntityScoring", + "displayName": "VectraEntityScoring", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]", "version": "[variables('parserObject3').parserVersion3]" 
@@ -967,7 +967,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VectraEntityScoring", + "displayName": "VectraEntityScoring", "category": "Microsoft Sentinel Parser", "functionAlias": "VectraEntityScoring", "query": "let VectraEntityScoring_view = view () { \n Entity_Scoring_Data_CL\n | extend \n EventVendor=\"VectraEntityScoring\",\n EventProduct=\"VectraEntityScoring\",\n ID = column_ifexists('id_d', ''),\n [\"Entity ID\"] = column_ifexists('entity_id_d', ''),\n [\"Active Detection Types\"] = column_ifexists('active_detection_types_s', ''),\n [\"Breadth Contrib\"] = column_ifexists('breadth_contrib_d', ''),\n Category = column_ifexists('Category', ''),\n Importance = column_ifexists('importance_d', ''),\n Type = column_ifexists('type_s', ''),\n [\"Last Updated\"] = column_ifexists('event_timestamp_t', ''),\n [\"Is Prioritized\"] = column_ifexists('is_prioritized_b', ''),\n [\"Last Detection ID\"] = column_ifexists('last_detection_id_d', ''),\n [\"Last Detection Type\"] = column_ifexists('last_detection_type_s', ''),\n [\"Last Detection URL\"] = column_ifexists('last_detection_url_s', ''),\n [\"Last Detection\"] = column_ifexists('last_detection_s', ''),\n Name = column_ifexists('name_s', ''),\n Severity = column_ifexists('severity_s', ''),\n [\"Urgency Score\"] = column_ifexists('urgency_score_d', ''),\n [\"Vectra Pivot\"] = column_ifexists('url_s', ''),\n Velocity = column_ifexists('velocity_contrib_d', ''),\n [\"Attack Rating\"] = column_ifexists('attack_rating_d', '')\n | extend [\"Vectra Pivot\"] = case(isnotempty(['Vectra Pivot']), strcat(['Vectra Pivot'], \"?pivot=Vectra-Sentinel-1.0.0\"), ['Vectra Pivot'])\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n ID,\n [\"Entity ID\"],\n Name,\n Importance,\n Type,\n [\"Is Prioritized\"],\n Severity,\n [\"Urgency Score\"],\n [\"Vectra Pivot\"],\n Category,\n [\"Last Detection URL\"],\n [\"Last Detection Type\"],\n [\"Last Detection 
ID\"],\n [\"Last Detection\"],\n [\"Active Detection Types\"],\n [\"Last Updated\"],\n [\"Breadth Contrib\"],\n Velocity,\n [\"Attack Rating\"]\n};\nVectraEntityScoring_view\n", @@ -990,7 +990,7 @@ "[variables('parserObject3')._parserId3]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraEntityScoring')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraEntityScoring')]", "contentId": "[variables('parserObject3').parserContentId3]", "kind": "Parser", "version": "[variables('parserObject3').parserVersion3]", @@ -1020,7 +1020,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "VectraHealth Data Parser with template version 3.1.0", + "description": "VectraHealth Data Parser with template version 3.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject4').parserVersion4]", 
@@ -1034,7 +1034,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VectraHealth", + "displayName": "VectraHealth", "category": "Microsoft Sentinel Parser", "functionAlias": "VectraHealth", "query": "let VectraHealth_view = view () { \n Health_Data_CL\n | extend\n EventVendor=\"VectraHealth\",\n EventProduct=\"VectraHealth\",\n ['Last Updated'] = column_ifexists('system_version_last_update_s', ''),\n ['CPU Usage - User (%)'] = column_ifexists('cpu_user_percent_d', ''),\n ['CPU Usage - System (%)'] = column_ifexists('cpu_system_percent_d', ''),\n ['CPU Usage - Idle (%)'] = column_ifexists('cpu_idle_percent_d', ''),\n ['Disk Utilization (%)'] = column_ifexists('disk_disk_utilization_usage_percent_d', ''),\n ['Memory Utilization (%)'] = column_ifexists('memory_usage_percent_d', ''),\n ['Power Status'] = column_ifexists('power_status_s', ''),\n ['Power Error'] = column_ifexists('power_error_s', ''),\n Network = column_ifexists('network_s', ''),\n Sensors = column_ifexists('sensors_s', ''),\n Connectivity_Sensors = column_ifexists('connectivity_sensors_s', ''),\n System_Version_Last_Update = column_ifexists('system_version_last_update_s', ''),\n Trafficdrop_Sensors = column_ifexists('trafficdrop_sensors_s', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n System_Version_Last_Update,\n ['Last Updated'],\n ['CPU Usage - User (%)'],\n ['CPU Usage - System (%)'],\n ['CPU Usage - Idle (%)'],\n ['Disk Utilization (%)'],\n ['Memory Utilization (%)'],\n ['Power Status'],\n ['Power Error'],\n Network,\n Sensors,\n Connectivity_Sensors,\n Trafficdrop_Sensors\n};\nVectraHealth_view()\n", 
@@ -1056,7 +1056,7 @@ "[variables('parserObject4')._parserId4]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraHealth')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraHealth')]", "contentId": "[variables('parserObject4').parserContentId4]", "kind": "Parser", "version": "[variables('parserObject4').parserVersion4]", @@ -1086,7 +1086,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject4').parserContentId4]", "contentKind": "Parser", - "displayName": "Parser for VectraHealth", + "displayName": "VectraHealth", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]", "version": "[variables('parserObject4').parserVersion4]" 
@@ -1099,7 +1099,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VectraHealth", + "displayName": "VectraHealth", "category": "Microsoft Sentinel Parser", "functionAlias": "VectraHealth", "query": "let VectraHealth_view = view () { \n Health_Data_CL\n | extend\n EventVendor=\"VectraHealth\",\n EventProduct=\"VectraHealth\",\n ['Last Updated'] = column_ifexists('system_version_last_update_s', ''),\n ['CPU Usage - User (%)'] = column_ifexists('cpu_user_percent_d', ''),\n ['CPU Usage - System (%)'] = column_ifexists('cpu_system_percent_d', ''),\n ['CPU Usage - Idle (%)'] = column_ifexists('cpu_idle_percent_d', ''),\n ['Disk Utilization (%)'] = column_ifexists('disk_disk_utilization_usage_percent_d', ''),\n ['Memory Utilization (%)'] = column_ifexists('memory_usage_percent_d', ''),\n ['Power Status'] = column_ifexists('power_status_s', ''),\n ['Power Error'] = column_ifexists('power_error_s', ''),\n Network = column_ifexists('network_s', ''),\n Sensors = column_ifexists('sensors_s', ''),\n Connectivity_Sensors = column_ifexists('connectivity_sensors_s', ''),\n System_Version_Last_Update = column_ifexists('system_version_last_update_s', ''),\n Trafficdrop_Sensors = column_ifexists('trafficdrop_sensors_s', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n System_Version_Last_Update,\n ['Last Updated'],\n ['CPU Usage - User (%)'],\n ['CPU Usage - System (%)'],\n ['CPU Usage - Idle (%)'],\n ['Disk Utilization (%)'],\n ['Memory Utilization (%)'],\n ['Power Status'],\n ['Power Error'],\n Network,\n Sensors,\n Connectivity_Sensors,\n Trafficdrop_Sensors\n};\nVectraHealth_view()\n", 
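Review bot: in the VectraHealth query, `['Last Updated']` and `System_Version_Last_Update` both read `system_version_last_update_s`, so the projected output carries the same value twice under two names; keep one of them or document which consumer (workbook or rule) needs the duplicate. Also, unlike the other four parsers, this view projects no `ID` column, so there is no per-record key to deduplicate Health rows on downstream; if `Health_Data_CL` has an id column it should be surfaced the same way as in the other views.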
@@ -1122,7 +1122,7 @@ "[variables('parserObject4')._parserId4]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraHealth')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraHealth')]", "contentId": "[variables('parserObject4').parserContentId4]", "kind": "Parser", "version": "[variables('parserObject4').parserVersion4]", @@ -1152,7 +1152,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "VectraLockdown Data Parser with template version 3.1.0", + "description": "VectraLockdown Data Parser with template version 3.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject5').parserVersion5]", 
@@ -1166,7 +1166,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VectraLockdown", + "displayName": "VectraLockdown", "category": "Microsoft Sentinel Parser", "functionAlias": "VectraLockdown", "query": "let VectraLockdown_view = view () { \n Lockdown_Data_CL\n | extend\n EventVendor=\"VectraLockdown\",\n EventProduct=\"VectraLockdown\",\n ID = column_ifexists('id_d', ''),\n [\"Entity ID\"] = column_ifexists('entity_id_d', ''),\n [\"Entity Name\"] = column_ifexists('entity_name_s', ''),\n [\"Entity Type\"] = column_ifexists('entity_type_s ', ''),\n Type = column_ifexists('type_s', ''),\n [\"Locked Date\"] = column_ifexists('lock_event_timestamp_t', ''),\n [\"Unlock Date\"] = column_ifexists('unlock_event_timestamp_t', ''),\n [\"Locked By\"] = column_ifexists('locked_by_s', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n ID,\n [\"Entity ID\"],\n [\"Entity Name\"],\n [\"Entity Type\"],\n Type,\n [\"Locked Date\"],\n [\"Unlock Date\"],\n [\"Locked By\"]\n};\nVectraLockdown_view()\n", @@ -1188,7 +1188,7 @@ "[variables('parserObject5')._parserId5]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraLockdown')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraLockdown')]", "contentId": "[variables('parserObject5').parserContentId5]", "kind": "Parser", "version": "[variables('parserObject5').parserVersion5]", 
@@ -1218,7 +1218,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject5').parserContentId5]", "contentKind": "Parser", - "displayName": "Parser for VectraLockdown", + "displayName": "VectraLockdown", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", "version": "[variables('parserObject5').parserVersion5]" @@ -1231,7 +1231,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VectraLockdown", + "displayName": "VectraLockdown", "category": "Microsoft Sentinel Parser", "functionAlias": "VectraLockdown", "query": "let VectraLockdown_view = view () { \n Lockdown_Data_CL\n | extend\n EventVendor=\"VectraLockdown\",\n EventProduct=\"VectraLockdown\",\n ID = column_ifexists('id_d', ''),\n [\"Entity ID\"] = column_ifexists('entity_id_d', ''),\n [\"Entity Name\"] = column_ifexists('entity_name_s', ''),\n [\"Entity Type\"] = column_ifexists('entity_type_s ', ''),\n Type = column_ifexists('type_s', ''),\n [\"Locked Date\"] = column_ifexists('lock_event_timestamp_t', ''),\n [\"Unlock Date\"] = column_ifexists('unlock_event_timestamp_t', ''),\n [\"Locked By\"] = column_ifexists('locked_by_s', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n ID,\n [\"Entity ID\"],\n [\"Entity Name\"],\n [\"Entity Type\"],\n Type,\n [\"Locked Date\"],\n [\"Unlock Date\"],\n [\"Locked By\"]\n};\nVectraLockdown_view()\n", 
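Review bot: `column_ifexists('entity_type_s ', '')` in the VectraLockdown query has a trailing space inside the column name, so the lookup never matches `entity_type_s` and `["Entity Type"]` is always the empty-string default, silently. Drop the space. The same text appears in both copies of the Lockdown query in this template (the contentTemplates copy and the savedSearches copy), so fix it in the source parser yaml and regenerate rather than patching the generated mainTemplate.json by hand.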
@@ -1254,7 +1254,7 @@ "[variables('parserObject5')._parserId5]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraLockdown')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraLockdown')]", "contentId": "[variables('parserObject5').parserContentId5]", "kind": "Parser", "version": "[variables('parserObject5').parserVersion5]", @@ -1284,7 +1284,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DetectXDR_detections_AnalyticalRules Analytics Rule with template version 3.1.0", + "description": "DetectXDR_detections_AnalyticalRules Analytics Rule with template version 3.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -1294,7 +1294,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { 
@@ -1333,26 +1333,26 @@ "aggregationKind": "AlertPerResult" }, "customDetails": { - "Summary": "Summary", - "triaged": "triaged" + "triaged": "triaged", + "Summary": "Summary" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "Vectra AI {{detection}} detected", - "alertDescriptionFormat": "Detection category: {{category}}\nDetails: {{Details}} \n", "alertDynamicProperties": [ { "alertProperty": "AlertLink", "value": "url_detection" } - ] + ], + "alertDisplayNameFormat": "Vectra AI {{detection}} detected", + "alertDescriptionFormat": "Detection category: {{category}}\nDetails: {{Details}} \n" }, "incidentConfiguration": { "createIncident": false, "groupingConfiguration": { - "lookbackDuration": "5h", - "matchingMethod": "AllEntities", + "enabled": false, + "lookbackDuration": "PT5H", "reopenClosedIncident": false, - "enabled": false + "matchingMethod": "AllEntities" } } } @@ -1408,7 +1408,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DetectXDR_Prioritized_Entities_AnalyticalRules Analytics Rule with template version 3.1.0", + "description": "DetectXDR_Prioritized_Entities_AnalyticalRules Analytics Rule with template version 3.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -1418,7 +1418,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { 
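Review bot: in the DetectXDR_detections rule hunk the only functional change is `lookbackDuration` from `"5h"` to `"PT5H"` (the ISO 8601 duration form that the groupingConfiguration schema documents); the reordering of keys inside customDetails, alertDetailsOverride and groupingConfiguration is regeneration noise with no effect, but it hides the real change in the diff. Keep property order stable in the packaging step so that a reviewer can see the one-line fix, and note that the `apiVersion` bump to `2023-02-01-preview` on the AlertRuleTemplates resource is what makes the duration format matter.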
@@ -1457,16 +1457,14 @@ "aggregationKind": "AlertPerResult" }, "customDetails": { - "detections": "detections", - "Entity_type": "Type", - "Entity_importance": "Importance", "Breadth": "breadth", - "Velocity": "Velocity", - "Attack_Rating": "attack_rating" + "Entity_type": "Type", + "Attack_Rating": "attack_rating", + "Entity_importance": "Importance", + "detections": "detections", + "Velocity": "Velocity" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "Priority Incident - {{Name}} with Urgency Score of {{Urgency Score}} ", - "alertDescriptionFormat": "Entity {{Name}} has been prioritized by the Vectra AI prioritization algorithm with an urgency score of {{Urgency Score}}.\nAttack rating is {{Attack Rating}}.", "alertDynamicProperties": [ { "alertProperty": "ConfidenceLevel", @@ -1476,15 +1474,17 @@ "alertProperty": "AlertLink", "value": "url" } - ] + ], + "alertDisplayNameFormat": "Priority Incident - {{Name}} with Urgency Score of {{Urgency Score}} ", + "alertDescriptionFormat": "Entity {{Name}} has been prioritized by the Vectra AI prioritization algorithm with an urgency score of {{Urgency Score}}.\nAttack rating is {{Attack Rating}}." }, "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { + "enabled": true, "lookbackDuration": "7d", - "matchingMethod": "AllEntities", "reopenClosedIncident": true, - "enabled": true + "matchingMethod": "AllEntities" } } } @@ -1540,7 +1540,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "VectraXDR Workbook with template version 3.1.0", + "description": "VectraXDR Workbook with template version 3.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
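Review bot: the DetectXDR_Prioritized_Entities rule still has `"lookbackDuration": "7d"` while the Detections rule in this same change was corrected to `"PT5H"`; the two rules are now inconsistent, and if the plain `5h` form was the reinstall failure the `7d` form will fail the same way on the bumped apiVersion. Change it to `"P7D"` in the source yaml and regenerate. Also worth a second look: with `createIncident: true`, grouping `enabled: true`, `matchingMethod: AllEntities` and `reopenClosedIncident: true` over a 7 day window, an entity that stays prioritized will reopen its closed incident on every run; if that is intended, say so in the rule description so analysts do not treat the reopen as a new escalation.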
@@ -1640,12 +1640,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.1.0", + "version": "3.1.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Vectra XDR", "publisherDisplayName": "Vectra Support", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Vectra AI is the leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises. Vectra AI's cloud-native platform - powered by our patented Attack Signal Intelligence- provide security teams with unified threat visibility, context and control across public cloud, SaaS, identity and data center networks in a prioritized feed. Vectra AI-driven Attack Signal IntelligenceTM, empowers SOC analysts to rapidly prioritize, investigate and respond to the most urgent cyber-attacks in their hybrid cloud environment. Organizations worldwide rely on Vectra AI's cloud-native platform and MDR services to see and stop attacks from becoming breaches. The Vectra AI App enables the security operations team to consume the industry's richest threat signals spanning public cloud, SaaS, identity and data center networks inside of Microsoft Sentinel. For more information, visit www.vectra.ai.

\n

The Vectra XDR App for Microsoft Sentinel contains:\nData Connector to ingest events generated by Vectra XDR (through OMS agent).\nWorkbook: Dynamic dashboard view of Entities, Detections, Lockdown, Audit and, Health

\n

Data Connectors: 1, Parsers: 5, Workbooks: 1, Analytic Rules: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Vectra AI is the leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises. Vectra AI's cloud-native platform - powered by our patented Attack Signal Intelligence- provide security teams with unified threat visibility, context and control across public cloud, SaaS, identity and data center networks in a prioritized feed. Vectra AI-driven Attack Signal IntelligenceTM, empowers SOC analysts to rapidly prioritize, investigate and respond to the most urgent cyber-attacks in their hybrid cloud environment. Organizations worldwide rely on Vectra AI's cloud-native platform and MDR services to see and stop attacks from becoming breaches. The Vectra AI App enables the security operations team to consume the industry's richest threat signals spanning public cloud, SaaS, identity and data center networks inside of Microsoft Sentinel. For more information, visit www.vectra.ai.

\n

The Vectra XDR App for Microsoft Sentinel contains:\nData Connector to ingest events generated by Vectra XDR (through OMS agent).\nWorkbook: Dynamic dashboard view of Entities, Detections, Lockdown, Audit and, Health

\n

Data Connectors: 1, Parsers: 5, Workbooks: 1, Analytic Rules: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", diff --git a/Solutions/Vectra XDR/ReleaseNotes.md b/Solutions/Vectra XDR/ReleaseNotes.md index 02556a8396..7b7b5b7f96 100644 --- a/Solutions/Vectra XDR/ReleaseNotes.md +++ b/Solutions/Vectra XDR/ReleaseNotes.md @@ -1,6 +1,7 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|----------------------------------------------------------------| -| 3.1.0 | 04-01-2024 | Included **Parser** files in yaml format | +| 3.1.1 | 03-04-2024 | Repackaged for parser issue fix on reinstall | +| 3.1.0 | 04-01-2024 | Included **Parser** files in yaml format | | 3.0.2 | 04-10-2023 | Enhanced **Data Connector** logic to post data into Sentinel | | 3.0.1 | 21-08-2023 | **Workbook** metadata issue resolved | | 3.0.0 | 03-08-2023 | Initial Solution Release | \ No newline at end of file
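Review bot: the 3.1.1 change history entry "Repackaged for parser issue fix on reinstall" does not say what was fixed; from the template diff it is the parser display name changing from 'Parser for <name>' to '<name>' so that the `parentId` in each parser's metadata resolves to the saved search, plus the analytic rule lookbackDuration moving to ISO 8601 and the AlertRuleTemplates apiVersion bump. State that in the release note, and call out that `functionAlias` is unchanged (existing KQL that calls `VectraDetections()` etc. keeps working) while the saved search itself is renamed on upgrade, so an operator on 3.1.0 knows what to expect.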