diff --git a/Detections/WindowsEvent/ChiaCryptoMining_WindowsEvent.yaml b/Solutions/Windows Forwarded Events/Analytic Rules/ChiaCryptoMining_WindowsEvent.yaml
similarity index 98%
rename from Detections/WindowsEvent/ChiaCryptoMining_WindowsEvent.yaml
rename to Solutions/Windows Forwarded Events/Analytic Rules/ChiaCryptoMining_WindowsEvent.yaml
index f7a0fa080b..4df21e636d 100644
--- a/Detections/WindowsEvent/ChiaCryptoMining_WindowsEvent.yaml
+++ b/Solutions/Windows Forwarded Events/Analytic Rules/ChiaCryptoMining_WindowsEvent.yaml
@@ -2,7 +2,8 @@ id: 4d173248-439b-4741-8b37-f63ad0c896ae
 name: Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021
 description: |
 'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.'
-severity: Low
+severity: Low
+status: Available
 requiredDataConnectors:
 - connectorId: WindowsSecurityEvents
 dataTypes:
diff --git a/Detections/WindowsEvent/SOURGUM_IOC_WindowsEvent.yaml b/Solutions/Windows Forwarded Events/Analytic Rules/SOURGUM_IOC_WindowsEvent.yaml
similarity index 98%
rename from Detections/WindowsEvent/SOURGUM_IOC_WindowsEvent.yaml
rename to Solutions/Windows Forwarded Events/Analytic Rules/SOURGUM_IOC_WindowsEvent.yaml
index b1b9b0175f..97d5260bc0 100644
--- a/Detections/WindowsEvent/SOURGUM_IOC_WindowsEvent.yaml
+++ b/Solutions/Windows Forwarded Events/Analytic Rules/SOURGUM_IOC_WindowsEvent.yaml
@@ -2,7 +2,8 @@ id: 066395ac-ef91-4993-8bf6-25c61ab0ca5a
 name: SOURGUM Actor IOC - July 2021
 description: |
 'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM'
-severity: High
+severity: High
+status: Available
 requiredDataConnectors:
 - connectorId: WindowsSecurityEvents
 dataTypes:
diff --git a/Solutions/Windows Forwarded Events/Data Connectors/WindowsForwardedEvents.JSON b/Solutions/Windows Forwarded Events/Data Connectors/WindowsForwardedEvents.JSON
new file mode 100644
index 0000000000..2eed62ee30
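Review bot: In both hunks the `-severity: Low`/`+severity: Low` pair (and `-severity: High`/`+severity: High` in SOURGUM_IOC_WindowsEvent.yaml) removes and re-adds a line whose visible text is identical, which usually means trailing whitespace or a line-ending change is hiding in the diff; worth confirming the moved files keep LF endings and no trailing spaces, since `status: Available` is the only intended addition. The `requiredDataConnectors` list continues past each hunk's last line `dataTypes:`, so the connector/data-type pairs the rules now depend on are outside this view; the packaged mainTemplate.json in this commit lists a second entry for `WindowsForwardedEvents` with data type `WindowsEvent`, so the YAML files should carry that same entry for the generated package to stay in sync with the source rules.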
--- /dev/null
+++ b/Solutions/Windows Forwarded Events/Data Connectors/WindowsForwardedEvents.JSON
@@ -0,0 +1,89 @@
+{
+ "id": "WindowsForwardedEvents",
+ "title": "Windows Forwarded Events",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "You can stream all Windows Event Forwarding (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA).\n\tThis connection enables you to view dashboards, create custom alerts, and improve investigation.\n\tThis gives you more insight into your organization’s network and improves your security operation capabilities.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "WindowsEvents",
+ "baseQuery": "WindowsEvent"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All logs",
+ "query": "WindowsEvent\n | sort by TimeGenerated"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "WindowsForwardedEvents",
+ "value": null
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "WindowsEvents",
+ "lastDataReceivedQuery": "WindowsEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "availability": {
+ "status": 2,
+ "isPreview": false,
+ "featureFlag": {
+ "feature": "WindowsForwardedEventsFeature",
+ "featureStates": {
+ "1": 2,
+ "2": 2,
+ "3": 2,
+ "4": 2,
+ "5": 2
+ }
+ }
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/datasources",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace data sources",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Enable data collection rule​",
+ "description": "> Windows Forwarded Events logs are collected only from **Windows** agents.",
+ "instructions": [
+ {
+ "type": "WindowsForwardedEvents"
+ },
+ {
+ "parameters": {
+ "linkType": "OpenCreateDataCollectionRule",
+ "dataCollectionRuleType": 1
+ },
+ "type": "InstallAgent"
+ },
+ {
+ "parameters": {
+ "linkType": "OpenCustomDeploymentBlade",
+ "dataCollectionRuleType": 1
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Windows Forwarded Events/Data/Solution_Windows Forwarded Events.json b/Solutions/Windows Forwarded Events/Data/Solution_Windows Forwarded Events.json
new file mode 100644
index 0000000000..75c8591251
--- /dev/null
+++ b/Solutions/Windows Forwarded Events/Data/Solution_Windows Forwarded Events.json
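Review bot: `"name": "WindowsEvents"` under `dataTypes` (and the graph `legend`) does not match the table the connector actually queries, `WindowsEvent`, which is the name used by `baseQuery`, by `lastDataReceivedQuery` and by the analytic rules' `requiredDataConnectors` entries for this connector in mainTemplate.json (`"dataTypes": ["WindowsEvent"]`). As far as I can tell the requiredDataConnectors check keys on the data-type name, so while the names differ the rules cannot report this connector as satisfying their data requirement; change the entry to `"name": "WindowsEvent"` and, for consistency, `"legend": "WindowsEvent"`. The file is committed as `WindowsForwardedEvents.JSON` with an uppercase extension while the rest of the solution uses lowercase `.json`; renaming it avoids a case-sensitivity mismatch with the path the solution manifest references.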
@@ -0,0 +1,18 @@
+{
+ "Name": "Windows Forwarded Events",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": "",
+ "Description": "The Windows Forwarded Events solution allows you to ingest all [Windows Event Forwarding](https://docs.microsoft.com/advanced-threat-analytics/configure-event-collection) (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA).\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent based logs collection from Windows and Linux machines](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)",
+ "Data Connectors": [
+ "Data Connectors/WindowsForwardedEvents.json"
+ ],
+ "Analytic Rules": [
+ "Analytic Rules/ChiaCryptoMining_WindowsEvent.yaml",
+ "Analytic Rules/SOURGUM_IOC_WindowsEvent.yaml"
+ ],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Windows Forwarded Events",
+ "Version": "2.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1Pconnector": true
+}
\ No newline at end of file
diff --git a/Solutions/Windows Forwarded Events/Package/2.0.0.zip b/Solutions/Windows Forwarded Events/Package/2.0.0.zip
new file mode 100644
index 0000000000..e400718b56
Binary files /dev/null and b/Solutions/Windows Forwarded Events/Package/2.0.0.zip differ
diff --git a/Solutions/Windows Forwarded Events/Package/createUiDefinition.json b/Solutions/Windows Forwarded Events/Package/createUiDefinition.json
new file mode 100644
index 0000000000..c6cf83c6b4
--- /dev/null
+++ b/Solutions/Windows Forwarded Events/Package/createUiDefinition.json
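Review bot: `"Data Connectors/WindowsForwardedEvents.json"` references the connector file with a lowercase extension, but the file added in this commit is `Data Connectors/WindowsForwardedEvents.JSON`; on a case-sensitive filesystem (Linux CI, containers) the packaging tool will not find it. Rename the file to `.json` or change the entry to match the committed name exactly. `"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Windows Forwarded Events"` is a contributor-local absolute path; it appears to be what the packaging tool expects, but it ties the manifest to one machine's checkout layout, so a repository-relative path would be preferable if the tool accepts one.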
@@ -0,0 +1,141 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Windows Forwarded Events solution allows you to ingest all [Windows Event Forwarding](https://docs.microsoft.com/advanced-threat-analytics/configure-event-collection) (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA).\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. 
[Agent based logs collection from Windows and Linux machines](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)\n\n**Data Connectors:** 1, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Windows Forwarded Events. 
You can get Windows Forwarded Events custom log data in your Microsoft Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) WindowsEvents in your Microsoft Sentinel / Azure Log Analytics workspace." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." + } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity." 
+ } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "SOURGUM Actor IOC - July 2021", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM" + } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/Windows Forwarded Events/Package/mainTemplate.json b/Solutions/Windows Forwarded Events/Package/mainTemplate.json new file mode 100644 index 0000000000..405cc3ebe2 --- /dev/null +++ b/Solutions/Windows Forwarded Events/Package/mainTemplate.json 
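Review bot: The `dataconnectors1-text` block tells the user the connector provides "custom log data" and "creates custom log table(s) WindowsEvents", but the connector definition in this commit queries the built-in `WindowsEvent` table (`baseQuery`, `lastDataReceivedQuery`), so the text misdescribes where data lands and names a table that does not exist. This file is generated by the solution packaging tool, so the wording should be corrected at its source (the connector's data type name) and the package regenerated; the resulting sentence would read `This data connector writes to the WindowsEvent table in your Microsoft Sentinel / Azure Log Analytics workspace.`. `resourceProviders` also registers `Microsoft.Insights/workbooks` and `Microsoft.Logic/workflows`, yet the solution ships only a data connector and two analytic rules; if the generator lets you trim that list, the install would request no more provider registrations than it needs.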
@@ -0,0 +1,591 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Microsoft - support@microsoft.com", + "comments": "Solution template for Windows Forwarded Events" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "solutionId": "azuresentinel.azure-sentinel-solution-windowsforwardedevents-preview", + "_solutionId": "[variables('solutionId')]", + "email": "support@microsoft.com", + "_email": "[variables('email')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "uiConfigId1": "WindowsForwardedEvents", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "WindowsForwardedEvents", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", + "dataConnectorVersion1": "1.0.0", + 
"analyticRuleVersion1": "1.0.1", + "analyticRulecontentId1": "4d173248-439b-4741-8b37-f63ad0c896ae", + "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]", + "analyticRuleVersion2": "1.0.0", + "analyticRulecontentId2": "066395ac-ef91-4993-8bf6-25c61ab0ca5a", + "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]" + }, + "resources": [ + { + "type": "Microsoft.Resources/templateSpecs", + "apiVersion": "2021-05-01", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", + "hidden-sentinelContentType": "DataConnector" + }, + "properties": { + "description": "Windows Forwarded Events data connector with template", + "displayName": "Windows Forwarded Events template" + } + }, + { + "type": "Microsoft.Resources/templateSpecs/versions", + "apiVersion": "2021-05-01", + "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", + "hidden-sentinelContentType": "DataConnector" + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" + ], + "properties": { + "description": "Windows Forwarded Events data connector with template version 2.0.0", + "mainTemplate": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "StaticUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Windows Forwarded Events", + "publisher": "Microsoft", + "descriptionMarkdown": "You can stream all Windows Event Forwarding (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA).\n\tThis connection enables you to view dashboards, create custom alerts, and improve investigation.\n\tThis gives you more insight into your organization’s network and improves your security operation capabilities.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "WindowsEvents", + "baseQuery": "WindowsEvent" + } + ], + "connectivityCriterias": [ + { + "type": "WindowsForwardedEvents", + "value": null + } + ], + "dataTypes": [ + { + "name": "WindowsEvents", + "lastDataReceivedQuery": "WindowsEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": 
"[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Windows Forwarded Events", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Windows Forwarded Events", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "StaticUI", + "properties": { + "connectorUiConfig": { + "title": "Windows Forwarded Events", + 
"publisher": "Microsoft", + "descriptionMarkdown": "You can stream all Windows Event Forwarding (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA).\n\tThis connection enables you to view dashboards, create custom alerts, and improve investigation.\n\tThis gives you more insight into your organization’s network and improves your security operation capabilities.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "WindowsEvents", + "baseQuery": "WindowsEvent" + } + ], + "dataTypes": [ + { + "name": "WindowsEvents", + "lastDataReceivedQuery": "WindowsEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "WindowsForwardedEvents", + "value": null + } + ], + "id": "[variables('_uiConfigId1')]" + } + } + }, + { + "type": "Microsoft.Resources/templateSpecs", + "apiVersion": "2021-05-01", + "name": "[variables('analyticRuleTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", + "hidden-sentinelContentType": "AnalyticsRule" + }, + "properties": { + "description": "Windows Forwarded Events Analytics Rule 1 with template", + "displayName": "Windows Forwarded Events Analytics Rule template" + } + }, + { + "type": "Microsoft.Resources/templateSpecs/versions", + "apiVersion": "2021-05-01", + "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", + "hidden-sentinelContentType": "AnalyticsRule" + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]" + ], + "properties": { + "description": "ChiaCryptoMining_WindowsEvent_AnalyticalRules Analytics Rule with template version 2.0.0", + 
"mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('AnalyticRulecontentId1')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.", + "displayName": "Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021", + "enabled": false, + "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet process = (iocs | where Type =~ \"process\" | project IoC);\n//This query uses sysmon data, sections that have - | where Source == \"Microsoft-Windows-Sysmon\" - may need to be updated with latest\nWindowsEvent\n| where EventID == '4688' and EventData has_any (process)\n| extend NewProcessName = tostring(EventData.NewProcessName)\n| where NewProcessName has_any (process)\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n , Account = strcat(tostring(EventData.SubjectDomainName),\"\\\\\", tostring(EventData.SubjectUserName))\n , NewProcessId = tostring(EventData.NewProcessId)\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, '\\\\', -1)[-1]), AlertDetail = 'Chia crypto IOC detected'\n| extend FilePath = replace_string(NewProcessName, File, '')\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\n", + "queryFrequency": "PT6H", + "queryPeriod": 
"PT6H", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SecurityEvents" + ], + "connectorId": "WindowsSecurityEvents" + }, + { + "dataTypes": [ + "WindowsEvent" + ], + "connectorId": "WindowsForwardedEvents" + } + ], + "tactics": [ + "Impact" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "FullName" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "HostCustomEntity", + "identifier": "FullName" + } + ], + "entityType": "Host" + }, + { + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "columnName": "FileCustomEntity", + "identifier": "Name" + }, + { + "columnName": "FilePathCustomEntity", + "identifier": "Directory" + } + ], + "entityType": "File" + }, + { + "fieldMappings": [ + { + "columnName": "FileHashAlgo", + "identifier": "Algorithm" + }, + { + "columnName": "FileHashCustomEntity", + "identifier": "Value" + } + ], + "entityType": "FileHash" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "properties": { + "description": "Windows Forwarded Events Analytics Rule 1", + "parentId": "[variables('analyticRuleId1')]", + "contentId": "[variables('_analyticRulecontentId1')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion1')]", + "source": { + "kind": "Solution", + "name": "Windows Forwarded Events", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + 
"name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/templateSpecs", + "apiVersion": "2021-05-01", + "name": "[variables('analyticRuleTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", + "hidden-sentinelContentType": "AnalyticsRule" + }, + "properties": { + "description": "Windows Forwarded Events Analytics Rule 2 with template", + "displayName": "Windows Forwarded Events Analytics Rule template" + } + }, + { + "type": "Microsoft.Resources/templateSpecs/versions", + "apiVersion": "2021-05-01", + "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", + "hidden-sentinelContentType": "AnalyticsRule" + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]" + ], + "properties": { + "description": "SOURGUM_IOC_WindowsEvent_AnalyticalRules Analytics Rule with template version 2.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('AnalyticRulecontentId2')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM", + "displayName": "SOURGUM Actor IOC - July 2021", + "enabled": false, + "query": "let iocs = 
externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet domains = (iocs | where Type =~ \"domainname\"| project IoC);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\nlet file_path1 = (iocs | where Type =~ \"filepath1\" | project IoC);\nlet file_path2 = (iocs | where Type =~ \"filepath2\" | project IoC);\nlet file_path3 = (iocs | where Type =~ \"filepath3\" | project IoC);\nlet reg_key = (iocs | where Type =~ \"regkey\" | project IoC);\nWindowsEvent\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any ('reg add') or EventData has_any (reg_key) )\n| extend CommandLine = tostring(EventData.CommandLine)\n| extend NewProcessName = tostring(EventData.NewProcessName)\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n| where (CommandLine has_any (file_path1)) or\n (CommandLine has_any (file_path3)) or\n (CommandLine has 'reg add' and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \n (NewProcessName has_any (file_path1)) or\n (NewProcessName has_any (file_path3)) or\n (ParentProcessName has_any (file_path1)) or \n (ParentProcessName has_any (file_path3)) \n| extend Account = strcat(EventData.SubjectDomainName,\"\\\\\", EventData.SubjectUserName)\n| extend NewProcessId = tostring(EventData.NewProcessId)\n| extend IPCustomEntity = tostring(EventData.IpAddress)\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected'\n", + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "severity": "High", + "suppressionDuration": "PT1H", + 
"suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SecurityEvents" + ], + "connectorId": "WindowsSecurityEvents" + }, + { + "dataTypes": [ + "WindowsEvent" + ], + "connectorId": "WindowsForwardedEvents" + } + ], + "tactics": [ + "Persistence" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "FullName" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "HostCustomEntity", + "identifier": "FullName" + } + ], + "entityType": "Host" + }, + { + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "columnName": "ProcessCustomEntity", + "identifier": "ProcessId" + } + ], + "entityType": "Process" + }, + { + "fieldMappings": [ + { + "columnName": "AlgorithmCustomEntity", + "identifier": "Algorithm" + }, + { + "columnName": "FileHashCustomEntity", + "identifier": "Value" + } + ], + "entityType": "FileHash" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "properties": { + "description": "Windows Forwarded Events Analytics Rule 2", + "parentId": "[variables('analyticRuleId2')]", + "contentId": "[variables('_analyticRulecontentId2')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion2')]", + "source": { + "kind": "Solution", + "name": "Windows Forwarded Events", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": 
"https://support.microsoft.com" + } + } + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "2.0.0", + "kind": "Solution", + "contentSchemaVersion": "2.0.0", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Windows Forwarded Events", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId1')]", + "version": "[variables('analyticRuleVersion1')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId2')]", + "version": "[variables('analyticRuleVersion2')]" + } + ] + }, + "firstPublishDate": "2022-05-02", + "providers": [ + "Microsoft" + ], + "categories": { + "domains": [ + "IT Operations" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/Windows Forwarded Events/SolutionMetadata.json b/Solutions/Windows Forwarded Events/SolutionMetadata.json new file mode 100644 index 0000000000..204f082063 --- /dev/null +++ b/Solutions/Windows Forwarded Events/SolutionMetadata.json 
@@ -0,0 +1,20 @@
+{
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-windowsforwardedevents",
+ "firstPublishDate": "2022-05-02",
+ "providers": ["Microsoft"],
+ "categories": {
+ "domains" : ["IT Operations"],
+ "verticals": []
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+}
+
+
+
+
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
deleted file mode 100644
index 6811c7f15b..0000000000
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ /dev/null
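Review bot: SolutionMetadata.json ends with four empty added lines after the closing `}` and writes `"domains" : ["IT Operations"],` with a space before the colon, which no other key in this file or in the sibling mainTemplate metadata uses; a single trailing newline and `"domains": ["IT Operations"],` would keep the formatting consistent. `"verticals": []` is also worth a second look: the `categories` block emitted in the mainTemplate hunk above carries only `domains`, so the two metadata sources disagree on whether the key is present, and if no vertical is intended the key can be dropped here as well so a consumer does not have to treat "empty" and "absent" as the same thing.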
@@ -1,1602 +0,0 @@
-[
- {
- "workbookKey": "ForcepointNGFWAdvanced",
- "logoFileName": "FPAdvLogo.svg",
- "description": "Gain threat intelligence correlated security and application insights on Forcepoint NGFW (Next Generation Firewall). Monitor Forcepoint logging servers health.",
- "dataTypesDependencies": [ "CommonSecurityLog" , "ThreatIntelligenceIndicator"],
- "dataConnectorsDependencies": [ "ForcepointNgfw", "ThreatIntelligence" ],
- "previewImagesFileNames": [ "ForcepointNGFWAdvancedWhite.png", "ForcepointNGFWAdvancedBlack.png" ],
- "version": "1.0.0",
- "title": "Forcepoint Next Generation Firewall (NGFW) Advanced Workbook",
- "templateRelativePath": "ForcepointNGFWAdvanced.json",
- "subtitle": "",
- "provider": "Forcepoint"
- },
- {
- "workbookKey": "AzureActivityWorkbook",
- "logoFileName": "azureactivity_logo.svg",
- "description": "Gain extensive insight into your organization's Azure Activity by analyzing, and correlating all user operations and events.\nYou can learn about all user operations, trends, and anomalous changes over time.\nThis workbook gives you the ability to drill down into caller activities and summarize detected failure and warning events.",
- "dataTypesDependencies": [ "AzureActivity" ],
- "dataConnectorsDependencies": [ "AzureActivity" ],
- "previewImagesFileNames": [ "AzureActivityWhite1.png", "AzureActivityBlack1.png" ],
- "version": "1.4.0",
- "title": "Azure Activity",
- "templateRelativePath": "AzureActivity.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "IdentityAndAccessWorkbook",
- "logoFileName": "Microsoft_logo.svg",
- "description": "Gain insights into Identity and access operations by collecting and analyzing security logs, using the audit and sign-in logs to gather insights into use of Microsoft products.\nYou can view anomalies and trends across login events from all users and machines. 
This workbook also identifies suspicious entities from login and access events.",
- "dataTypesDependencies": [ "SecurityEvent" ],
- "dataConnectorsDependencies": [ "SecurityEvents", "WindowsSecurityEvents" ],
- "previewImagesFileNames": [ "IdentityAndAccessWhite.png", "IdentityAndAccessBlack.png" ],
- "version": "1.1.0",
- "title": "Identity & Access",
- "templateRelativePath": "IdentityAndAccess.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "CheckPointWorkbook",
- "logoFileName": "checkpoint_logo.svg",
- "description": "Gain insights into Check Point network activities, including number of gateways and servers, security incidents, and identify infected hosts.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "CheckPoint" ],
- "previewImagesFileNames": [ "CheckPointWhite.png", "CheckPointBlack.png" ],
- "version": "1.0.0",
- "title": "Check Point Software Technologies",
- "templateRelativePath": "CheckPoint.json",
- "subtitle": "",
- "provider": "Check Point"
- },
- {
- "workbookKey": "CiscoWorkbook",
- "logoFileName": "cisco_logo.svg",
- "description": "Gain insights into your Cisco ASA firewalls by analyzing traffic, events, and firewall operations.\nThis workbook analyzes Cisco ASA threat events and identifies suspicious ports, users, protocols and IP addresses.\nYou can learn about trends across user and data traffic directions, and drill down into the Cisco filter results.\nEasily detect attacks on your organization by monitoring management operations, such as configuration and logins.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "CiscoASA" ],
- "previewImagesFileNames": [ "CiscoWhite.png", "CiscoBlack.png" ],
- "version": "1.1.0",
- "title": "Cisco - ASA",
- "templateRelativePath": "Cisco.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "ExchangeOnlineWorkbook",
- "logoFileName": "office365_logo.svg",
- "description": 
"Gain insights into Microsoft Exchange online by tracing and analyzing all Exchange operations and user activities.\nThis workbook let you monitor user activities, including logins, account operations, permission changes, and mailbox creations to discover suspicious trends among them.",
- "dataTypesDependencies": [ "OfficeActivity" ],
- "dataConnectorsDependencies": [ "Office365" ],
- "previewImagesFileNames": [ "ExchangeOnlineWhite.png", "ExchangeOnlineBlack.png" ],
- "version": "1.1.0",
- "title": "Exchange Online",
- "templateRelativePath": "ExchangeOnline.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "PaloAltoOverviewWorkbook",
- "logoFileName": "paloalto_logo.svg",
- "description": "Gain insights and comprehensive monitoring into Palo Alto firewalls by analyzing traffic and activities.\nThis workbook correlates all Palo Alto data with threat events to identify suspicious entities and relationships.\nYou can learn about trends across user and data traffic, and drill down into Palo Alto Wildfire and filter results.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "PaloAltoNetworks" ],
- "previewImagesFileNames": [ "PaloAltoOverviewWhite1.png", "PaloAltoOverviewBlack1.png", "PaloAltoOverviewWhite2.png", "PaloAltoOverviewBlack2.png", "PaloAltoOverviewWhite3.png", "PaloAltoOverviewBlack3.png" ],
- "version": "1.2.0",
- "title": "Palo Alto overview",
- "templateRelativePath": "PaloAltoOverview.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "PaloAltoNetworkThreatWorkbook",
- "logoFileName": "paloalto_logo.svg",
- "description": "Gain insights into Palo Alto network activities by analyzing threat events.\nYou can extract meaningful security information by correlating data between threats, applications, and time.\nThis workbook makes it easy to track malware, vulnerability, and virus log events.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- 
"dataConnectorsDependencies": [ "PaloAltoNetworks" ],
- "previewImagesFileNames": [ "PaloAltoNetworkThreatWhite1.png", "PaloAltoNetworkThreatBlack1.png", "PaloAltoNetworkThreatWhite2.png", "PaloAltoNetworkThreatBlack2.png" ],
- "version": "1.1.0",
- "title": "Palo Alto Network Threat",
- "templateRelativePath": "PaloAltoNetworkThreat.json",
- "subtitle": "",
- "provider": "Palo Alto Networks"
- },
- {
- "workbookKey": "EsetSMCWorkbook",
- "logoFileName": "eset-logo.svg",
- "description": "Visualize events and threats from Eset Security Management Center.",
- "dataTypesDependencies": [ "eset_CL" ],
- "dataConnectorsDependencies": [ "EsetSMC" ],
- "previewImagesFileNames": [ "esetSMCWorkbook-black.png", "esetSMCWorkbook-white.png" ],
- "version": "1.0.0",
- "title": "Eset Security Management Center Overview",
- "templateRelativePath": "esetSMCWorkbook.json",
- "subtitle": "",
- "provider": "Community"
- },
- {
- "workbookKey": "FortigateWorkbook",
- "logoFileName": "fortinet_logo.svg",
- "description": "Gain insights into Fortigate firewalls by analyzing traffic and activities.\nThis workbook finds correlations in Fortigate threat events and identifies suspicious ports, users, protocols and IP addresses.\nYou can learn about trends across user and data traffic, and drill down into the Fortigate filter results.\nEasily detect attacks on your organization by monitoring management operations such as configuration and logins.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "Fortinet" ],
- "previewImagesFileNames": [ "FortigateWhite.png", "FortigateBlack.png" ],
- "version": "1.1.0",
- "title": "FortiGate",
- "templateRelativePath": "Fortigate.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "DnsWorkbook",
- "logoFileName": "dns_logo.svg",
- "description": "Gain extensive insight into your organization's DNS by analyzing, collecting and correlating all DNS events.\nThis workbook exposes a variety of 
information about suspicious queries, malicious IP addresses and domain operations.",
- "dataTypesDependencies": [ "DnsInventory", "DnsEvents" ],
- "dataConnectorsDependencies": [ "DNS" ],
- "previewImagesFileNames": [ "DnsWhite.png", "DnsBlack.png" ],
- "version": "1.3.0",
- "title": "DNS",
- "templateRelativePath": "Dns.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "Office365Workbook",
- "logoFileName": "office365_logo.svg",
- "description": "Gain insights into Office 365 by tracing and analyzing all operations and activities. You can drill down into your SharePoint, OneDrive, and Exchange.\nThis workbook lets you find usage trends across users, files, folders, and mailboxes, making it easier to identify anomalies in your network.",
- "dataTypesDependencies": [ "OfficeActivity" ],
- "dataConnectorsDependencies": [ "Office365" ],
- "previewImagesFileNames": [ "Office365White1.png", "Office365Black1.png", "Office365White2.png", "Office365Black2.png", "Office365White3.png", "Office365Black3.png" ],
- "version": "1.3.0",
- "title": "Office 365",
- "templateRelativePath": "Office365.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "SharePointAndOneDriveWorkbook",
- "logoFileName": "office365_logo.svg",
- "description": "Gain insights into SharePoint and OneDrive by tracing and analyzing all operations and activities.\nYou can view trends across user operation, find correlations between users and files, and identify interesting information such as user IP addresses.",
- "dataTypesDependencies": [ "OfficeActivity" ],
- "dataConnectorsDependencies": [ "Office365" ],
- "previewImagesFileNames": [ "SharePointAndOneDriveBlack1.png", "SharePointAndOneDriveBlack2.png", "SharePointAndOneDriveWhite1.png", "SharePointAndOneDriveWhite2.png" ],
- "version": "1.2.0",
- "title": "SharePoint & OneDrive",
- "templateRelativePath": "SharePointAndOneDrive.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- 
"workbookKey": "AzureActiveDirectorySigninLogsWorkbook",
- "logoFileName": "azureactivedirectory_logo.svg",
- "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures.",
- "dataTypesDependencies": [ "SigninLogs" ],
- "dataConnectorsDependencies": [ "AzureActiveDirectory" ],
- "previewImagesFileNames": [ "AADsigninBlack1.png", "AADsigninBlack2.png", "AADsigninWhite1.png", "AADsigninWhite2.png" ],
- "version": "2.4.0",
- "title": "Azure AD Sign-in logs",
- "templateRelativePath": "AzureActiveDirectorySignins.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "VirtualMachinesInsightsWorkbook",
- "logoFileName": "azurevirtualmachine_logo.svg",
- "description": "Gain rich insight into your organization's virtual machines from Azure Monitor, which analyzes and correlates data in your VM network. \nYou will get visibility on your VM parameters and behavior, and will be able to trace sent and received data. 
\nIdentify malicious attackers and their targets, and drill down into the protocols, source and destination IP addresses, countries, and ports the attacks occur across.",
- "dataTypesDependencies": [ "VMConnection", "ServiceMapComputer_CL", "ServiceMapProcess_CL" ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "VMInsightBlack1.png", "VMInsightWhite1.png" ],
- "version": "1.3.0",
- "title": "VM insights",
- "templateRelativePath": "VirtualMachinesInsights.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "AzureActiveDirectoryAuditLogsWorkbook",
- "logoFileName": "azureactivedirectory_logo.svg",
- "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps.",
- "dataTypesDependencies": [ "AuditLogs" ],
- "dataConnectorsDependencies": [ "AzureActiveDirectory" ],
- "previewImagesFileNames": [ "AzureADAuditLogsBlack1.png", "AzureADAuditLogsWhite1.png" ],
- "version": "1.2.0",
- "title": "Azure AD Audit logs",
- "templateRelativePath": "AzureActiveDirectoryAuditLogs.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "ThreatIntelligenceWorkbook",
- "logoFileName": "",
- "description": "Gain insights into threat indicators ingestion and search for indicators at scale across Microsoft 1st Party, 3rd Party, On-Premises, Hybrid, and Multi-Cloud Workloads. Indicators Search facilitates a simple interface for finding IP, File, Hash, Sender and more across your data. 
Seamless pivots to correlate indicators with Microsoft Sentinel: Incidents to make your threat intelligence actionable.",
- "dataTypesDependencies": [ "ThreatIntelligenceIndicator", "SecurityIncident" ],
- "dataConnectorsDependencies": [ "ThreatIntelligence", "ThreatIntelligenceTaxii" ],
- "previewImagesFileNames": [ "ThreatIntelligenceWhite.png", "ThreatIntelligenceBlack.png" ],
- "version": "5.0.0",
- "title": "Threat Intelligence",
- "templateRelativePath": "ThreatIntelligence.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "WebApplicationFirewallOverviewWorkbook",
- "logoFileName": "waf_logo.svg",
- "description": "Gain insights into your organization's Azure web application firewall (WAF). You will get a general overview of your application gateway firewall and application gateway access events.",
- "dataTypesDependencies": [ "AzureDiagnostics" ],
- "dataConnectorsDependencies": [ "WAF" ],
- "previewImagesFileNames": [ "WAFOverviewBlack.png", "WAFOverviewWhite.png" ],
- "version": "1.1.0",
- "title": "Microsoft Web Application Firewall (WAF) - overview",
- "templateRelativePath": "WebApplicationFirewallOverview.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "WebApplicationFirewallFirewallEventsWorkbook",
- "logoFileName": "waf_logo.svg",
- "description": "Gain insights into your organization's Azure web application firewall (WAF). You will get visibility in to your application gateway firewall. 
You can view anomalies and trends across all firewall event triggers, attack events, blocked URL addresses and more.",
- "dataTypesDependencies": [ "AzureDiagnostics" ],
- "dataConnectorsDependencies": [ "WAF" ],
- "previewImagesFileNames": [ "WAFFirewallEventsBlack1.png", "WAFFirewallEventsBlack2.png", "WAFFirewallEventsWhite1.png", "WAFFirewallEventsWhite2.png" ],
- "version": "1.1.0",
- "title": "Microsoft Web Application Firewall (WAF) - firewall events",
- "templateRelativePath": "WebApplicationFirewallFirewallEvents.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "WebApplicationFirewallGatewayAccessEventsWorkbook",
- "logoFileName": "waf_logo.svg",
- "description": "Gain insights into your organization's Azure web application firewall (WAF). You will get visibility in to your application gateway access events. You can view anomalies and trends across received and sent data, client IP addresses, URL addresses and more, and drill down into details.",
- "dataTypesDependencies": [ "AzureDiagnostics" ],
- "dataConnectorsDependencies": [ "WAF" ],
- "previewImagesFileNames": [ "WAFGatewayAccessEventsBlack1.png", "WAFGatewayAccessEventsBlack2.png", "WAFGatewayAccessEventsWhite1.png", "WAFGatewayAccessEventsWhite2.png" ],
- "version": "1.2.0",
- "title": "Microsoft Web Application Firewall (WAF) - gateway access events",
- "templateRelativePath": "WebApplicationFirewallGatewayAccessEvents.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "LinuxMachinesWorkbook",
- "logoFileName": "azurevirtualmachine_logo.svg",
- "description": "Gain insights into your workspaces' Linux machines by connecting Microsoft Sentinel and using the logs to gather insights around Linux events and errors.",
- "dataTypesDependencies": [ "Syslog" ],
- "dataConnectorsDependencies": [ "Syslog" ],
- "previewImagesFileNames": [ "LinuxMachinesWhite.png", "LinuxMachinesBlack.png" ],
- "version": "1.1.0",
- "title": "Linux machines",
- 
"templateRelativePath": "LinuxMachines.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "AzureFirewallWorkbook",
- "logoFileName": "AzFirewalls.svg",
- "description": "Gain insights into Azure Firewall events. You can learn about your application and network rules, see metrics for firewall activities across URLs, ports, and addresses across multiple workspaces.",
- "dataTypesDependencies": [ "AzureDiagnostics" ],
- "dataConnectorsDependencies": ["AzureFirewall"],
- "previewImagesFileNames": [ "AzureFirewallWorkbookWhite1.PNG", "AzureFirewallWorkbookBlack1.PNG", "AzureFirewallWorkbookWhite2.PNG", "AzureFirewallWorkbookBlack2.PNG", "AzureFirewallWorkbookWhite3.PNG", "AzureFirewallWorkbookBlack3.PNG", "AzureFirewallWorkbookWhite4.PNG", "AzureFirewallWorkbookBlack4.PNG", "AzureFirewallWorkbookWhite5.PNG", "AzureFirewallWorkbookBlack5.PNG" ],
- "version": "1.3.0",
- "title": "Azure Firewall",
- "templateRelativePath": "AzureFirewallWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "AzureDDoSStandardProtection",
- "logoFileName": "AzDDoS.svg",
- "description": "This workbook visualizes security-relevant Azure DDoS events across several filterable panels. 
Offering a summary tab, metrics and a investigate tabs across multiple workspaces.",
- "dataTypesDependencies": [ "AzureDiagnostics" ],
- "dataConnectorsDependencies": ["DDOS"],
- "previewImagesFileNames": [ "AzureDDoSWhite1.PNG", "AzureDDoSBlack1.PNG","AzureDDoSWhite2.PNG", "AzureDDoSBlack2.PNG","AzureDDoSWhite2.PNG", "AzureDDoSBlack2.PNG" ],
- "version": "1.0.0",
- "title": "Azure DDoS Protection Workbook",
- "templateRelativePath": "AzDDoSStandardWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "MicrosoftCloudAppSecurityWorkbook",
- "logoFileName": "Microsoft_logo.svg",
- "description": "Using this workbook, you can identify which cloud apps are being used in your organization, gain insights from usage trends and drill down to a specific user and application",
- "dataTypesDependencies": [ "McasShadowItReporting" ],
- "dataConnectorsDependencies": [ "MicrosoftCloudAppSecurity" ],
- "previewImagesFileNames": [ "McasDiscoveryBlack.png", "McasDiscoveryWhite.png" ],
- "version": "1.2.0",
- "title": "Microsoft Cloud App Security - discovery logs",
- "templateRelativePath": "MicrosoftCloudAppSecurity.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "F5BIGIPSytemMetricsWorkbook",
- "logoFileName": "f5_logo.svg",
- "description": "Gain insight into F5 BIG-IP health and performance. 
This workbook provides visibility of various metrics including CPU, memory, connectivity, throughput and disk utilization.",
- "dataTypesDependencies": [ "F5Telemetry_system_CL", "F5Telemetry_AVR_CL" ],
- "dataConnectorsDependencies": [ "F5BigIp" ],
- "previewImagesFileNames": [ "F5SMBlack.png", "F5SMWhite.png" ],
- "version": "1.1.0",
- "title": "F5 BIG-IP System Metrics",
- "templateRelativePath": "F5BIGIPSystemMetrics.json",
- "subtitle": "",
- "provider": "F5 Networks"
- },
- {
- "workbookKey": "F5NetworksWorkbook",
- "logoFileName": "f5_logo.svg",
- "description": "Gain insights into F5 BIG-IP Application Security Manager (ASM), by analyzing traffic and activities.\nThis workbook provides insight into F5's web application firewall events and identifies attack traffic patterns across multiple ASM instances as well as overall BIG-IP health.",
- "dataTypesDependencies": [ "F5Telemetry_LTM_CL", "F5Telemetry_system_CL", "F5Telemetry_ASM_CL" ],
- "dataConnectorsDependencies": [ "F5BigIp" ],
- "previewImagesFileNames": [ "F5White.png", "F5Black.png" ],
- "version": "1.1.0",
- "title": "F5 BIG-IP ASM",
- "templateRelativePath": "F5Networks.json",
- "subtitle": "",
- "provider": "F5 Networks"
- },
- {
- "workbookKey": "AzureNetworkWatcherWorkbook",
- "logoFileName": "networkwatcher_logo.svg",
- "description": "Gain deeper understanding of your organization's Azure network traffic by analyzing, and correlating Network Security Group flow logs. \nYou can trace malicious traffic flows, and drill down into their protocols, source and destination IP addresses, machines, countries, and subnets. 
\nThis workbook also helps you protect your network by identifying weak NSG rules.",
- "dataTypesDependencies": [ "AzureNetworkAnalytics_CL" ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "AzureNetworkWatcherWhite.png", "AzureNetworkWatcherBlack.png" ],
- "version": "1.1.0",
- "title": "Azure Network Watcher",
- "templateRelativePath": "AzureNetworkWatcher.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "ZscalerFirewallWorkbook",
- "logoFileName": "zscaler_logo.svg",
- "description": "Gain insights into your ZIA cloud firewall logs by connecting to Microsoft Sentinel.\nThe Zscaler firewall overview workbook provides an overview and ability to drill down into all cloud firewall activity in your Zscaler instance including non-web related networking events, security events, firewall rules, and bandwidth consumption",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "Zscaler" ],
- "previewImagesFileNames": [ "ZscalerFirewallWhite1.png", "ZscalerFirewallBlack1.png", "ZscalerFirewallWhite2.png", "ZscalerFirewallBlack2.png" ],
- "version": "1.1.0",
- "title": "Zscaler Firewall",
- "templateRelativePath": "ZscalerFirewall.json",
- "subtitle": "",
- "provider": "Zscaler"
- },
- {
- "workbookKey": "ZscalerWebOverviewWorkbook",
- "logoFileName": "zscaler_logo.svg",
- "description": "Gain insights into your ZIA web logs by connecting to Microsoft Sentinel.\nThe Zscaler web overview workbook provides a bird's eye view and ability to drill down into all the security and networking events related to web transactions, types of devices, and bandwidth consumption.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "Zscaler" ],
- "previewImagesFileNames": [ "ZscalerWebOverviewWhite.png", "ZscalerWebOverviewBlack.png" ],
- "version": "1.1.0",
- "title": "Zscaler Web Overview",
- "templateRelativePath": "ZscalerWebOverview.json",
- "subtitle": "",
- "provider": 
"Zscaler"
- },
- {
- "workbookKey": "ZscalerThreatsOverviewWorkbook",
- "logoFileName": "zscaler_logo.svg",
- "description": "Gain insights into threats blocked by Zscaler Internet access on your network.\nThe Zscaler threat overview workbook shows your entire threat landscape including blocked malware, IPS/AV rules, and blocked cloud apps. Threats are displayed by threat categories, filetypes, inbound vs outbound threats, usernames, user location, and more.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "Zscaler" ],
- "previewImagesFileNames": [ "ZscalerThreatsWhite.png", "ZscalerThreatsBlack.png" ],
- "version": "1.2.0",
- "title": "Zscaler Threats",
- "templateRelativePath": "ZscalerThreats.json",
- "subtitle": "",
- "provider": "Zscaler"
- },
- {
- "workbookKey": "ZscalerOffice365AppsWorkbook",
- "logoFileName": "zscaler_logo.svg",
- "description": "Gain insights into Office 365 use on your network.\nThe Zscaler Office 365 overview workbook shows you the Microsoft apps running on your network and their individual bandwidth consumption. 
It also helps identify phishing attempts in which attackers disguised themselves as Microsoft services.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "Zscaler" ],
- "previewImagesFileNames": [ "ZscalerOffice365White.png", "ZscalerOffice365Black.png" ],
- "version": "1.1.0",
- "title": "Zscaler Office365 Apps",
- "templateRelativePath": "ZscalerOffice365Apps.json",
- "subtitle": "",
- "provider": "Zscaler"
- },
- {
- "workbookKey": "InsecureProtocolsWorkbook",
- "logoFileName": "Microsoft_logo.svg",
- "description": "Gain insights into insecure protocol traffic by collecting and analyzing security events from Microsoft products.\nYou can view analytics and quickly identify use of weak authentication as well as sources of legacy protocol traffic, like NTLM and SMBv1.\nYou will also have the ability to monitor use of weak ciphers, allowing you to find weak spots in your organization's security.",
- "dataTypesDependencies": [ "SecurityEvent", "Event", "SigninLogs" ],
- "dataConnectorsDependencies": [ "SecurityEvents", "AzureActiveDirectory", "WindowsSecurityEvents" ],
- "previewImagesFileNames": [ "InsecureProtocolsWhite1.png", "InsecureProtocolsBlack1.png", "InsecureProtocolsWhite2.png", "InsecureProtocolsBlack2.png" ],
- "version": "2.1.0",
- "title": "Insecure Protocols",
- "templateRelativePath": "InsecureProtocols.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "AzureInformationProtectionWorkbook",
- "logoFileName": "informationProtection.svg",
- "description": "The Azure Information Protection Usage report workbook provides information on the volume of labeled and protected documents and emails over time, label distribution of files by label type, along with where the label was applied.",
- "dataTypesDependencies": [ "InformationProtectionLogs_CL" ],
- "dataConnectorsDependencies": [ "AzureInformationProtection" ],
- "previewImagesFileNames": [ "AzureInformationProtectionWhite.png", 
"AzureInformationProtectionBlack.png" ],
- "version": "1.1.0",
- "title": "Azure Information Protection - Usage Report",
- "templateRelativePath": "AzureInformationProtection.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "AmazonWebServicesNetworkActivitiesWorkbook",
- "logoFileName": "amazon_web_services_Logo.svg",
- "description": "Gain insights into AWS network related resource activities, including the creation, update, and deletions of security groups, network ACLs and routes, gateways, elastic load balancers, VPCs, subnets, and network interfaces.",
- "dataTypesDependencies": [ "AWSCloudTrail" ],
- "dataConnectorsDependencies": [ "AWS" ],
- "previewImagesFileNames": [ "AwsNetworkActivitiesWhite.png", "AwsNetworkActivitiesBlack.png" ],
- "version": "1.0.0",
- "title": "AWS Network Activities",
- "templateRelativePath": "AmazonWebServicesNetworkActivities.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "AmazonWebServicesUserActivitiesWorkbook",
- "logoFileName": "amazon_web_services_Logo.svg",
- "description": "Gain insights into AWS user activities, including failed sign-in attempts, IP addresses, regions, user agents, and identity types, as well as potential malicious user activities with assumed roles.",
- "dataTypesDependencies": [ "AWSCloudTrail" ],
- "dataConnectorsDependencies": [ "AWS" ],
- "previewImagesFileNames": [ "AwsUserActivitiesWhite.png", "AwsUserActivitiesBlack.png" ],
- "version": "1.0.0",
- "title": "AWS User Activities",
- "templateRelativePath": "AmazonWebServicesUserActivities.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "TrendMicroDeepSecurityAttackActivityWorkbook",
- "logoFileName": "trendmicro_logo.svg",
- "description": "Visualize and gain insights into the MITRE ATT&CK related activity detected by Trend Micro Deep Security.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "TrendMicro" ],
- 
"previewImagesFileNames": [ "TrendMicroDeepSecurityAttackActivityWhite.png", "TrendMicroDeepSecurityAttackActivityBlack.png" ],
- "version": "1.0.0",
- "title": "Trend Micro Deep Security ATT&CK Related Activity",
- "templateRelativePath": "TrendMicroDeepSecurityAttackActivity.json",
- "subtitle": "",
- "provider": "Trend Micro"
- },
- {
- "workbookKey": "TrendMicroDeepSecurityOverviewWorkbook",
- "logoFileName": "trendmicro_logo.svg",
- "description": "Gain insights into your Trend Micro Deep Security security event data by visualizing your Deep Security Anti-Malware, Firewall, Integrity Monitoring, Intrusion Prevention, Log Inspection, and Web Reputation event data.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "TrendMicro" ],
- "previewImagesFileNames": [ "TrendMicroDeepSecurityOverviewWhite1.png", "TrendMicroDeepSecurityOverviewBlack1.png", "TrendMicroDeepSecurityOverviewWhite2.png", "TrendMicroDeepSecurityOverviewBlack2.png" ],
- "version": "1.0.0",
- "title": "Trend Micro Deep Security Events",
- "templateRelativePath": "TrendMicroDeepSecurityOverview.json",
- "subtitle": "",
- "provider": "Trend Micro"
- },
- {
- "workbookKey": "ExtraHopDetectionSummaryWorkbook",
- "logoFileName": "extrahop_logo.svg",
- "description": "Gain insights into ExtraHop Reveal(x) detections by analyzing traffic and activities.\nThis workbook provides an overview of security detections in your organization's network, including high-risk detections and top participants.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "ExtraHopNetworks" ],
- "previewImagesFileNames": [ "ExtrahopWhite.png", "ExtrahopBlack.png" ],
- "version": "1.0.0",
- "title": "ExtraHop",
- "templateRelativePath": "ExtraHopDetectionSummary.json",
- "subtitle": "",
- "provider": "ExtraHop Networks"
- },
- {
- "workbookKey": "BarracudaCloudFirewallWorkbook",
- "logoFileName": "barracuda_logo.svg",
- "description": "Gain insights into your 
Barracuda CloudGen Firewall by analyzing firewall operations and events.\nThis workbook provides insights into rule enforcement, network activities, including number of connections, top users, and helps you identify applications that are popular on your network.",
- "dataTypesDependencies": [ "CommonSecurityLog", "Syslog" ],
- "dataConnectorsDependencies": [ "BarracudaCloudFirewall" ],
- "previewImagesFileNames": [ "BarracudaWhite1.png", "BarracudaBlack1.png", "BarracudaWhite2.png", "BarracudaBlack2.png" ],
- "version": "1.0.0",
- "title": "Barracuda CloudGen FW",
- "templateRelativePath": "Barracuda.json",
- "subtitle": "",
- "provider": "Barracuda"
- },
- {
- "workbookKey": "CitrixWorkbook",
- "logoFileName": "citrix_logo.svg",
- "description": "Citrix Analytics for Security aggregates and correlates information across network traffic, users, files and endpoints in Citrix environments. This generates actionable insights that enable Citrix administrators and security teams to remediate user security threats through automation while optimizing IT operations. Machine learning and artificial intelligence empowers Citrix Analytics for Security to identify and take automated action to prevent data exfiltration. While delivered as a cloud service, Citrix Analytics for Security can generate insights from resources located on-premises, in the cloud, or in hybrid architectures. The Citrix Analytics Workbook further enhances the value of both your Citrix Analytics for Security and Azure Sentinel. The Workbook enables you to integrate data sources together, helping you gain even richer insights. It also gives Security Operations (SOC) teams the ability to correlate data from disparate logs, helping you identify and proactively remediate security risk quickly. Additionally, valuable dashboards that were unique to the Citrix Analytics for Security can now be implemented in Sentinel. 
You can also create new custom Workbooks that were not previously available, helping extend the value of both investments.",
- "dataTypesDependencies": [ "CitrixAnalytics_userProfile_CL", "CitrixAnalytics_riskScoreChange_CL", "CitrixAnalytics_indicatorSummary_CL","CitrixAnalytics_indicatorEventDetails_CL" ],
- "dataConnectorsDependencies": [ "Citrix" ],
- "previewImagesFileNames": [ "CitrixWhite.png", "CitrixBlack.png" ],
- "version": "2.1.0",
- "title": "Citrix Analytics",
- "templateRelativePath": "Citrix.json",
- "subtitle": "",
- "provider": "Citrix Systems Inc."
- },
- {
- "workbookKey": "OneIdentityWorkbook",
- "logoFileName": "oneIdentity_logo.svg",
- "description": "This simple workbook gives an overview of sessions going through your SafeGuard for Privileged Sessions device.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "OneIdentity" ],
- "previewImagesFileNames": [ "OneIdentityWhite.png", "OneIdentityBlack.png" ],
- "version": "1.0.0",
- "title": "One Identity",
- "templateRelativePath": "OneIdentity.json",
- "subtitle": "",
- "provider": "One Identity LLC." 
- },
- {
- "workbookKey": "SecurityStatusWorkbook",
- "logoFileName": "",
- "description": "This workbook gives an overview of Security Settings for VMs and Azure Arc.",
- "dataTypesDependencies": [ "CommonSecurityLog", "SecurityEvent", "Syslog" ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "AzureSentinelSecurityStatusBlack.png", "AzureSentinelSecurityStatusWhite.png" ],
- "version": "1.3.0",
- "title": "Security Status",
- "templateRelativePath": "SecurityStatus.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "AzureSentinelSecurityAlertsWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Security Alerts dashboard for alerts in your Microsoft Sentinel environment.",
- "dataTypesDependencies": [ "SecurityAlert" ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "AzureSentinelSecurityAlertsWhite.png", "AzureSentinelSecurityAlertsBlack.png" ],
- "version": "1.1.0",
- "title": "Security Alerts",
- "templateRelativePath": "AzureSentinelSecurityAlerts.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "SquadraTechnologiesSecRMMWorkbook",
- "logoFileName": "SquadraTechnologiesLogo.svg",
- "description": "This workbook gives an overview of security data for removable storage activity such as USB thumb drives and USB connected mobile devices.",
- "dataTypesDependencies": [ "secRMM_CL" ],
- "dataConnectorsDependencies": [ "SquadraTechnologiesSecRmm" ],
- "previewImagesFileNames": [ "SquadraTechnologiesSecRMMWhite.PNG", "SquadraTechnologiesSecRMMBlack.PNG" ],
- "version": "1.0.0",
- "title": "Squadra Technologies SecRMM - USB removable storage security",
- "templateRelativePath": "SquadraTechnologiesSecRMM.json",
- "subtitle": "",
- "provider": "Squadra Technologies"
- },
- {
- "workbookKey": "IoT-Alerts",
- "logoFileName": "IoTIcon.svg",
- "description": "Gain insights into your IoT data workloads from Azure IoT Hub managed deployments, monitor alerts across all 
your IoT Hub deployments, detect devices at risk and act upon potential threats.",
- "dataTypesDependencies": [ "SecurityAlert" ],
- "dataConnectorsDependencies": [ "IoT" ],
- "previewImagesFileNames": [ "IOTBlack1.png", "IOTWhite1.png" ],
- "version": "1.2.0",
- "title": "Azure Defender for IoT Alerts",
- "templateRelativePath": "IOT_Alerts.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "IoTAssetDiscovery",
- "logoFileName": "IoTIcon.svg",
- "description": "IoT Devices asset discovery from Firewall logs By Azure Defender for IoT",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "Fortinet" ],
- "previewImagesFileNames": [ "workbook-iotassetdiscovery-screenshot-Black.PNG", "workbook-iotassetdiscovery-screenshot-White.PNG" ],
- "version": "1.0.0",
- "title": "IoT Asset Discovery",
- "templateRelativePath": "IoTAssetDiscovery.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "ForcepointCASBWorkbook",
- "logoFileName": "FP_Green_Emblem_RGB-01.svg",
- "description": "Get insights on user risk with the Forcepoint CASB (Cloud Access Security Broker) workbook.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "ForcepointCasb" ],
- "previewImagesFileNames": [ "ForcepointCASBWhite.png", "ForcepointCASBBlack.png" ],
- "version": "1.0.0",
- "title": "Forcepoint Cloud Access Security Broker (CASB)",
- "templateRelativePath": "ForcepointCASB.json",
- "subtitle": "",
- "provider": "Forcepoint"
- },
- {
- "workbookKey": "ForcepointNGFWWorkbook",
- "logoFileName": "FP_Green_Emblem_RGB-01.svg",
- "description": "Get insights on firewall activities with the Forcepoint NGFW (Next Generation Firewall) workbook.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "ForcepointNgfw" ],
- "previewImagesFileNames": [ "ForcepointNGFWWhite.png", "ForcepointNGFWBlack.png" ],
- "version": "1.0.0",
- "title": "Forcepoint Next 
Generation Firewall (NGFW)",
- "templateRelativePath": "ForcepointNGFW.json",
- "subtitle": "",
- "provider": "Forcepoint"
- },
- {
- "workbookKey": "ForcepointDLPWorkbook",
- "logoFileName": "FP_Green_Emblem_RGB-01.svg",
- "description": "Get insights on DLP incidents with the Forcepoint DLP (Data Loss Prevention) workbook.",
- "dataTypesDependencies": [ "ForcepointDLPEvents_CL" ],
- "dataConnectorsDependencies": [ "ForcepointDlp" ],
- "previewImagesFileNames": [ "ForcepointDLPWhite.png", "ForcepointDLPBlack.png" ],
- "version": "1.0.0",
- "title": "Forcepoint Data Loss Prevention (DLP)",
- "templateRelativePath": "ForcepointDLP.json",
- "subtitle": "",
- "provider": "Forcepoint"
- },
- {
- "workbookKey": "ZimperiumMTDWorkbook",
- "logoFileName": "ZIMPERIUM-logo_square2.svg",
- "description": "This workbook provides insights on Zimperium Mobile Threat Defense (MTD) threats and mitigations.",
- "dataTypesDependencies": [ "ZimperiumThreatLog_CL", "ZimperiumMitigationLog_CL" ],
- "dataConnectorsDependencies": [ "ZimperiumMtdAlerts" ],
- "previewImagesFileNames": [ "ZimperiumWhite.png", "ZimperiumBlack.png" ],
- "version": "1.0.0",
- "title": "Zimperium Mobile Threat Defense (MTD)",
- "templateRelativePath": "ZimperiumWorkbooks.json",
- "subtitle": "",
- "provider": "Zimperium"
- },
- {
- "workbookKey": "AzureAuditActivityAndSigninWorkbook",
- "logoFileName": "azureactivedirectory_logo.svg",
- "description": "Gain insights into Azure Active Directory Audit, Activity and Signins with one workbook. 
This workbook can be used by Security and Azure administrators.",
- "dataTypesDependencies": [ "AzureActivity","AuditLogs","SigninLogs" ],
- "dataConnectorsDependencies": [ "AzureActiveDirectory" ],
- "previewImagesFileNames": ["AzureAuditActivityAndSigninWhite1.png","AzureAuditActivityAndSigninWhite2.png","AzureAuditActivityAndSigninBlack1.png","AzureAuditActivityAndSigninBlack2.png"],
- "version": "1.2.0",
- "title": "Azure AD Audit, Activity and Sign-in logs",
- "templateRelativePath": "AzureAuditActivityAndSignin.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "WindowsFirewall",
- "logoFileName": "Microsoft_logo.svg",
- "description": "Gain insights into Windows Firewall logs in combination with security and Azure signin logs",
- "dataTypesDependencies": [ "WindowsFirewall","SecurityEvent","SigninLogs" ],
- "dataConnectorsDependencies": [ "SecurityEvents", "WindowsFirewall", "WindowsSecurityEvents" ],
- "previewImagesFileNames": ["WindowsFirewallWhite1.png","WindowsFirewallWhite2.png","WindowsFirewallBlack1.png","WindowsFirewallBlack2.png"],
- "version": "1.0.0",
- "title": "Windows Firewall",
- "templateRelativePath": "WindowsFirewall.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "EventAnalyzerwWorkbook",
- "logoFileName": "",
- "description": "The Event Analyzer workbook allows to explore, audit and speed up analysis of Windows Event Logs, including all event details and attributes, such as security, application, system, setup, directory service, DNS and others.",
- "dataTypesDependencies": [ "SecurityEvent" ],
- "dataConnectorsDependencies": [ "SecurityEvents", "WindowsSecurityEvents" ],
- "previewImagesFileNames": ["EventAnalyzer-Workbook-White.png", "EventAnalyzer-Workbook-Black.png"],
- "version": "1.0.0",
- "title": "Event Analyzer",
- "templateRelativePath": "EventAnalyzer.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- 
"workbookKey": "ASC-ComplianceandProtection",
- "logoFileName": "",
- "description": "Gain insight into regulatory compliance, alert trends, security posture, and more with this workbook based on Azure Security Center data.",
- "dataTypesDependencies": [ "SecurityAlert", "ProtectionStatus", "SecurityRecommendation", "SecurityBaseline", "SecurityBaselineSummary", "Update", "ConfigurationChange" ],
- "dataConnectorsDependencies": [ "AzureSecurityCenter" ],
- "previewImagesFileNames": [ "ASCCaPBlack.png", "ASCCaPWhite.png" ],
- "version": "1.2.0",
- "title": "ASC Compliance and Protection",
- "templateRelativePath": "ASC-ComplianceandProtection.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "AIVectraDetectWorkbook",
- "logoFileName": "AIVectraDetect.svg",
- "description": "Start investigating network attacks surfaced by Vectra Detect directly from Sentinel. View critical hosts, accounts, campaigns and detections. Also monitor Vectra system health and audit logs.",
- "dataTypesDependencies": ["CommonSecurityLog"],
- "dataConnectorsDependencies": ["AIVectraDetect"],
- "previewImagesFileNames": ["AIVectraDetectWhite1.png", "AIVectraDetectBlack1.png"],
- "version": "1.1.0",
- "title": "AI Vectra Detect",
- "templateRelativePath": "AIVectraDetectWorkbook.json",
- "subtitle": "",
- "provider": "Vectra AI"
- },
- {
- "workbookKey": "Perimeter81OverviewWorkbook",
- "logoFileName": "Perimeter81_Logo.svg",
- "description": "Gain insights and comprehensive monitoring into your Perimeter 81 account by analyzing activities.",
- "dataTypesDependencies": [ "Perimeter81_CL" ],
- "dataConnectorsDependencies": [ "Perimeter81ActivityLogs" ],
- "previewImagesFileNames": [ "Perimeter81OverviewWhite1.png", "Perimeter81OverviewBlack1.png", "Perimeter81OverviewWhite2.png", "Perimeter81OverviewBlack2.png" ],
- "version": "1.0.0",
- "title": "Perimeter 81 Overview",
- "templateRelativePath": "Perimeter81OverviewWorkbook.json",
- "subtitle": "", 
- "provider": "Perimeter 81"
- },
- {
- "workbookKey": "SymantecProxySGWorkbook",
- "logoFileName": "symantec_logo.svg",
- "description": "Gain insight into Symantec ProxySG by analyzing, collecting and correlating proxy data.\nThis workbook provides visibility into ProxySG Access logs",
- "dataTypesDependencies": ["Syslog"],
- "dataConnectorsDependencies": [ "SymantecProxySG" ],
- "previewImagesFileNames": [ "SymantecProxySGWhite.png", "SymantecProxySGBlack.png" ],
- "version": "1.0.0",
- "title": "Symantec ProxySG",
- "templateRelativePath": "SymantecProxySG.json",
- "subtitle": "",
- "provider": "Symantec"
- },
- {
- "workbookKey": "IllusiveASMWorkbook",
- "logoFileName": "illusive_logo_workbook.svg",
- "description": "Gain insights into your organization's Cyber Hygiene and Attack Surface risk.\nIllusive ASM automates discovery and clean-up of credential violations, allows drill-down inspection of pathways to critical assets, and provides risk insights that inform intelligent decision-making to reduce attacker mobility.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "illusiveAttackManagementSystem" ],
- "previewImagesFileNames": [ "IllusiveASMWhite.png", "IllusiveASMBlack.png"],
- "version": "1.0.0",
- "title": "Illusive ASM Dashboard",
- "templateRelativePath": "IllusiveASM.json",
- "subtitle": "",
- "provider": "Illusive"
- },
- {
- "workbookKey": "IllusiveADSWorkbook",
- "logoFileName": "illusive_logo_workbook.svg",
- "description": "Gain insights into unauthorized lateral movement in your organization's network.\nIllusive ADS is designed to paralyzes attackers and eradicates in-network threats by creating a hostile environment for the attackers across all the layers of the attack surface.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "illusiveAttackManagementSystem" ],
- "previewImagesFileNames": [ "IllusiveADSWhite.png", "IllusiveADSBlack.png"],
- "version": "1.0.0",
- 
"title": "Illusive ADS Dashboard",
- "templateRelativePath": "IllusiveADS.json",
- "subtitle": "",
- "provider": "Illusive"
- },
- {
- "workbookKey": "PulseConnectSecureWorkbook",
- "logoFileName": "",
- "description": "Gain insight into Pulse Secure VPN by analyzing, collecting and correlating vulnerability data.\nThis workbook provides visibility into user VPN activities",
- "dataTypesDependencies": ["Syslog"],
- "dataConnectorsDependencies": [ "PulseConnectSecure" ],
- "previewImagesFileNames": [ "PulseConnectSecureWhite.png", "PulseConnectSecureBlack.png" ],
- "version": "1.0.0",
- "title": "Pulse Connect Secure",
- "templateRelativePath": "PulseConnectSecure.json",
- "subtitle": "",
- "provider": "Pulse Secure"
- },
- {
- "workbookKey": "InfobloxNIOSWorkbook",
- "logoFileName": "infoblox_logo.svg",
- "description": "Gain insight into Infoblox NIOS by analyzing, collecting and correlating DHCP and DNS data.\nThis workbook provides visibility into DHCP and DNS traffic",
- "dataTypesDependencies": ["Syslog"],
- "dataConnectorsDependencies": [ "InfobloxNIOS" ],
- "previewImagesFileNames": [ "InfobloxNIOSWhite.png", "InfobloxNIOSBlack.png" ],
- "version": "1.1.0",
- "title": "Infoblox NIOS",
- "templateRelativePath": "InfobloxNIOS.json",
- "subtitle": "",
- "provider": "Infoblox"
- },
- {
- "workbookKey": "SymantecVIPWorkbook",
- "logoFileName": "symantec_logo.svg",
- "description": "Gain insight into Symantec VIP by analyzing, collecting and correlating strong authentication data.\nThis workbook provides visibility into user authentications",
- "dataTypesDependencies": ["Syslog"],
- "dataConnectorsDependencies": [ "SymantecVIP" ],
- "previewImagesFileNames": [ "SymantecVIPWhite.png", "SymantecVIPBlack.png" ],
- "version": "1.0.0",
- "title": "Symantec VIP",
- "templateRelativePath": "SymantecVIP.json",
- "subtitle": "",
- "provider": "Symantec"
- },
- {
- "workbookKey": "ProofPointTAPWorkbook",
- "logoFileName": "proofpointlogo.svg",
- "description": "Gain 
extensive insight into Proofpoint Targeted Attack Protection (TAP) by analyzing, collecting and correlating TAP log events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked",
- "dataTypesDependencies": [ "ProofPointTAPMessagesBlocked_CL", "ProofPointTAPMessagesDelivered_CL", "ProofPointTAPClicksPermitted_CL", "ProofPointTAPClicksBlocked_CL" ],
- "dataConnectorsDependencies": [ "ProofpointTAP" ],
- "previewImagesFileNames": [ "ProofpointTAPWhite.png", "ProofpointTAPBlack.png" ],
- "version": "1.0.0",
- "title": "Proofpoint TAP",
- "templateRelativePath": "ProofpointTAP.json",
- "subtitle": "",
- "provider": "Proofpoint"
- },
- {
- "workbookKey": "QualysVMWorkbook",
- "logoFileName": "qualys_logo.svg",
- "description": "Gain insight into Qualys Vulnerability Management by analyzing, collecting and correlating vulnerability data.\nThis workbook provides visibility into vulnerabilities detected from vulnerability scans",
- "dataTypesDependencies": ["QualysHostDetection_CL"],
- "dataConnectorsDependencies": [ "QualysVulnerabilityManagement" ],
- "previewImagesFileNames": [ "QualysVMWhite.png", "QualysVMBlack.png" ],
- "version": "1.0.0",
- "title": "Qualys Vulnerability Management",
- "templateRelativePath": "QualysVM.json",
- "subtitle": "",
- "provider": "Qualys"
- },
- {
- "workbookKey": "QualysVMV2Workbook",
- "logoFileName": "qualys_logo.svg",
- "description": "Gain insight into Qualys Vulnerability Management by analyzing, collecting and correlating vulnerability data.\nThis workbook provides visibility into vulnerabilities detected from vulnerability scans",
- "dataTypesDependencies": ["QualysHostDetectionV2_CL"],
- "dataConnectorsDependencies": [ "QualysVulnerabilityManagement" ],
- "previewImagesFileNames": [ "QualysVMWhite.png", "QualysVMBlack.png" ],
- "version": "1.0.0",
- "title": "Qualys Vulnerability Management",
- "templateRelativePath": "QualysVMv2.json",
- "subtitle": "",
- "provider": "Qualys" 
- },
- {
- "workbookKey": "GitHubSecurityWorkbook",
- "logoFileName": "GitHub.svg",
- "description": "Gain insights to GitHub activities that may be interesting for security.",
- "dataTypesDependencies": [ "Github_CL", "GitHubRepoLogs_CL" ],
- "dataConnectorsDependencies": [ ],
- "previewImagesFileNames": [ "GitHubSecurityWhite.png", "GitHubSecurityBlack.png"],
- "version": "1.0.0",
- "title": "GitHub Security",
- "templateRelativePath": "GitHubSecurityWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "VisualizationDemo",
- "logoFileName": "",
- "description": "Learn and explore the many ways of displaying information within Microsoft Sentinel workbooks",
- "dataTypesDependencies": [ "SecurityAlert" ],
- "dataConnectorsDependencies": [ ],
- "previewImagesFileNames": [ "VisualizationDemoBlack.png","VisualizationDemoWhite.png" ],
- "version": "1.0.0",
- "title": "Visualizations Demo",
- "templateRelativePath": "VisualizationDemo.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "SophosXGFirewallWorkbook",
- "logoFileName": "sophos_logo.svg",
- "description": "Gain insight into Sophos XG Firewall by analyzing, collecting and correlating firewall data.\nThis workbook provides visibility into network traffic",
- "dataTypesDependencies": ["Syslog"],
- "dataConnectorsDependencies": [ "SophosXGFirewall" ],
- "previewImagesFileNames": [ "SophosXGFirewallWhite.png", "SophosXGFirewallBlack.png" ],
- "version": "1.0.0",
- "title": "Sophos XG Firewall",
- "templateRelativePath": "SophosXGFirewall.json",
- "subtitle": "",
- "provider": "Sophos"
- },
- {
- "workbookKey": "SysmonThreatHuntingWorkbook",
- "logoFileName": "",
- "description": "Simplify your threat hunts using Sysmon data mapped to MITRE ATT&CK data. 
This workbook gives you the ability to drilldown into system activity based on known ATT&CK techniques as well as other threat hunting entry points such as user activity, network connections or virtual machine Sysmon events.\nPlease note that for this workbook to work you must have deployed Sysmon on your virtual machines in line with the instructions at https://github.com/BlueTeamLabs/sentinel-attack/wiki/Onboarding-sysmon-data-to-Azure-Sentinel",
- "dataTypesDependencies": ["Event"],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "SysmonThreatHuntingWhite1.png", "SysmonThreatHuntingBlack1.png"],
- "version": "1.4.0",
- "title": "Sysmon Threat Hunting",
- "templateRelativePath": "SysmonThreatHunting.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "WebApplicationFirewallWAFTypeEventsWorkbook",
- "logoFileName": "webapplicationfirewall(WAF)_logo.svg",
- "description": "Gain insights into your organization's Azure web application firewall (WAF) across various services such as Azure Front Door Service and Application Gateway. You can view event triggers, full messages, attacks over time, among other data. 
Several aspects of the workbook are interactable to allow users to further understand their data",
- "dataTypesDependencies": [ "AzureDiagnostics" ],
- "dataConnectorsDependencies": [ "WAF" ],
- "previewImagesFileNames": [ "WAFFirewallWAFTypeEventsBlack1.PNG", "WAFFirewallWAFTypeEventsBlack2.PNG", "WAFFirewallWAFTypeEventsBlack3.PNG", "WAFFirewallWAFTypeEventsBlack4.PNG", "WAFFirewallWAFTypeEventsWhite1.png", "WAFFirewallWAFTypeEventsWhite2.PNG", "WAFFirewallWAFTypeEventsWhite3.PNG", "WAFFirewallWAFTypeEventsWhite4.PNG"],
- "version": "1.1.0",
- "title": "Microsoft Web Application Firewall (WAF) - Azure WAF",
- "templateRelativePath": "WebApplicationFirewallWAFTypeEvents.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "OrcaAlertsOverviewWorkbook",
- "logoFileName": "Orca_logo.svg",
- "description": "A visualized overview of Orca security alerts.\nExplore, analize and learn about your security posture using Orca alerts Overview",
- "dataTypesDependencies": [ "OrcaAlerts_CL" ],
- "dataConnectorsDependencies": [ "OrcaSecurityAlerts" ],
- "previewImagesFileNames": [ "OrcaAlertsWhite.png", "OrcaAlertsBlack.png" ],
- "version": "1.1.0",
- "title": "Orca alerts overview",
- "templateRelativePath": "OrcaAlerts.json",
- "subtitle": "",
- "provider": "Orca Security"
- },
- {
- "workbookKey": "CyberArkWorkbook",
- "logoFileName": "CyberArk_Logo.svg",
- "description": "The CyberArk Syslog connector allows you to easily connect all your CyberArk security solution logs with your Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
Integration between CyberArk and Azure Sentinel makes use of the CEF Data Connector to properly parse and display CyberArk Syslog messages.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "CyberArk" ],
- "previewImagesFileNames": [ "CyberArkActivitiesWhite.PNG", "CyberArkActivitiesBlack.PNG" ],
- "version": "1.1.0",
- "title": "CyberArk EPV Events",
- "templateRelativePath": "CyberArkEPV.json",
- "subtitle": "",
- "provider": "CyberArk"
- },
- {
- "workbookKey": "UserEntityBehaviorAnalyticsWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Identify compromised users and insider threats using User and Entity Behavior Analytics. Gain insights into anomalous user behavior from baselines learned from behavior patterns",
- "dataTypesDependencies": [ "BehaviorAnalytics" ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "UserEntityBehaviorAnalyticsBlack1.png", "UserEntityBehaviorAnalyticsWhite1.png" ],
- "version": "1.2.0",
- "title": "User And Entity Behavior Analytics",
- "templateRelativePath": "UserEntityBehaviorAnalytics.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "CitrixWAF",
- "logoFileName": "citrix_logo.svg",
- "description": "Gain insight into the Citrix WAF logs",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "CitrixWAF" ],
- "previewImagesFileNames": [ "CitrixWAFBlack.png", "CitrixWAFWhite.png" ],
- "version": "1.0.0",
- "title": "Citrix WAF (Web App Firewall)",
- "templateRelativePath": "CitrixWAF.json",
- "subtitle": "",
- "provider": "Citrix Systems Inc." 
- },
- {
- "workbookKey": "UnifiSGWorkbook",
- "logoFileName": "",
- "description": "Gain insights into Unifi Security Gateways analyzing traffic and activities.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "UnifiSGBlack.png", "UnifiSGWhite.png" ],
- "version": "1.0.0",
- "title": "Unifi Security Gateway",
- "templateRelativePath": "UnfiSG.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "UnifiSGNetflowWorkbook",
- "logoFileName": "",
- "description": "Gain insights into Unifi Security Gateways analyzing traffic and activities using Netflow.",
- "dataTypesDependencies": [ "netflow_CL" ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "UnifiSGNetflowBlack.png", "UnifiSGNetflowWhite.png" ],
- "version": "1.0.0",
- "title": "Unifi Security Gateway - NetFlow",
- "templateRelativePath": "UnfiSGNetflow.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "NormalizedNetworkEventsWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "See insights on multiple networking appliances and other network sessions, that have been parsed or mapped to the normalized networking sessions table. 
Note this requires enabling parsers for the different products - to learn more, visit https://aka.ms/sentinelnormalizationdocs",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "NormalizedNetworkEventsWhite.png", "NormalizedNetworkEventsBlack.png" ],
- "version": "1.0.0",
- "title": "Normalized network events",
- "templateRelativePath": "NormalizedNetworkEvents.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "WorkspaceAuditingWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Workspace auditing report\r\nUse this report to understand query runs across your workspace.",
- "dataTypesDependencies": [ "LAQueryLogs" ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "WorkspaceAuditingWhite.png", "WorkspaceAuditingBlack.png" ],
- "version": "1.0.0",
- "title": "Workspace audit",
- "templateRelativePath": "WorkspaceAuditing.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "MITREATTACKWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Workbook to showcase MITRE ATT&CK Coverage for Microsoft Sentinel",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "MITREATTACKWhite1.PNG", "MITREATTACKWhite2.PNG", "MITREATTACKBlack1.PNG", "MITREATTACKBlack2.PNG" ],
- "version": "1.0.0",
- "title": "MITRE ATT&CK Workbook",
- "templateRelativePath": "MITREAttack.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
-},
-{
- "workbookKey": "BETTERMTDWorkbook",
- "logoFileName": "BETTER_MTD_logo.svg",
- "description": "Workbook using the BETTER Mobile Threat Defense (MTD) connector, to give insights into your mobile devices, installed application and overall device security posture.",
- "dataTypesDependencies": [ "BetterMTDDeviceLog_CL", "BetterMTDAppLog_CL", "BetterMTDIncidentLog_CL", "BetterMTDNetflowLog_CL"],
- "dataConnectorsDependencies": [ 
"BetterMTD" ],
- "previewImagesFileNames": [ "BetterMTDWorkbookPreviewWhite1.png", "BetterMTDWorkbookPreviewWhite2.png", "BetterMTDWorkbookPreviewWhite3.png", "BetterMTDWorkbookPreviewBlack1.png", "BetterMTDWorkbookPreviewBlack2.png", "BetterMTDWorkbookPreviewBlack3.png" ],
- "version": "1.1.0",
- "title": "BETTER Mobile Threat Defense (MTD)",
- "templateRelativePath": "BETTER_MTD_Workbook.json",
- "subtitle": "",
- "provider": "BETTER Mobile"
- },
- {
- "workbookKey": "AlsidIoEWorkbook",
- "logoFileName": "Alsid.svg",
- "description": "Workbook showcasing the state and evolution of your Alsid for AD Indicators of Exposures alerts.",
- "dataTypesDependencies": [ "AlsidForADLog_CL" ],
- "dataConnectorsDependencies": [ "AlsidForAD" ],
- "previewImagesFileNames": [ "AlsidIoEBlack1.png", "AlsidIoEBlack2.png", "AlsidIoEBlack3.png", "AlsidIoEWhite1.png", "AlsidIoEWhite2.png", "AlsidIoEWhite3.png" ],
- "version": "1.0.0",
- "title": "Alsid for AD | Indicators of Exposure",
- "templateRelativePath": "AlsidIoE.json",
- "subtitle": "",
- "provider": "Alsid"
- },
- {
- "workbookKey": "AlsidIoAWorkbook",
- "logoFileName": "Alsid.svg",
- "description": "Workbook showcasing the state and evolution of your Alsid for AD Indicators of Attack alerts.",
- "dataTypesDependencies": [ "AlsidForADLog_CL" ],
- "dataConnectorsDependencies": [ "AlsidForAD" ],
- "previewImagesFileNames": [ "AlsidIoABlack1.png", "AlsidIoABlack2.png", "AlsidIoABlack3.png", "AlsidIoAWhite1.png", "AlsidIoAWhite2.png", "AlsidIoAWhite3.png" ],
- "version": "1.0.0",
- "title": "Alsid for AD | Indicators of Attack",
- "templateRelativePath": "AlsidIoA.json",
- "subtitle": "",
- "provider": "Alsid"
- },
- {
- "workbookKey": "InvestigationInsightsWorkbook",
- "logoFileName": "Microsoft_logo.svg",
- "description": "Help analysts gain insight into incident, bookmark and entity data through the Investigation Insights Workbook. 
This workbook provides common queries and detailed visualizations to help an analyst investigate suspicious activities quickly with an easy to use interface. Analysts can start their investigation from a Sentinel incident, bookmark, or by simply entering the entity data into the workbook manually.",
- "dataTypesDependencies": [ "AuditLogs", "AzureActivity", "CommonSecurityLog", "OfficeActivity", "SecurityEvent", "SigninLogs", "ThreatIntelligenceIndicator" ],
- "dataConnectorsDependencies": [ "AzureActivity", "SecurityEvents", "Office365", "AzureActiveDirectory", "ThreatIntelligence", "ThreatIntelligenceTaxii", "WindowsSecurityEvents" ],
- "previewImagesFileNames": [ "InvestigationInsightsWhite1.png", "InvestigationInsightsBlack1.png", "InvestigationInsightsWhite2.png", "InvestigationInsightsBlack2.png" ],
- "version": "1.4.0",
- "title": "Investigation Insights",
- "templateRelativePath": "InvestigationInsights.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "AksSecurityWorkbook",
- "logoFileName": "Kubernetes_services.svg",
- "description": "See insights about the security of your AKS clusters. The workbook helps to identify sensitive operations in the clusters and get insights based on Azure Defender alerts.",
- "dataTypesDependencies": [ "SecurityAlert", "AzureDiagnostics" ],
- "dataConnectorsDependencies": [ "AzureSecurityCenter","AzureKubernetes"],
- "previewImagesFileNames": [ "AksSecurityWhite.png", "AksSecurityBlack.png" ],
- "version": "1.5.0",
- "title": "Azure Kubernetes Service (AKS) Security",
- "templateRelativePath": "AksSecurity.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "AzureKeyVaultWorkbook",
- "logoFileName": "KeyVault.svg",
- "description": "See insights about the security of your Azure key vaults. 
The workbook helps to identify sensitive operations in the key vaults and get insights based on Azure Defender alerts.",
- "dataTypesDependencies": [ "SecurityAlert", "AzureDiagnostics" ],
- "dataConnectorsDependencies": [ "AzureSecurityCenter", "AzureKeyVault"],
- "previewImagesFileNames": [ "AkvSecurityWhite.png", "AkvSecurityBlack.png" ],
- "version": "1.1.0",
- "title": "Azure Key Vault Security",
- "templateRelativePath": "AzureKeyVaultWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "IncidentOverview",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "The Incident Overview workbook is designed to assist in triaging and investigation by providing in-depth information about the incident, including:\r\n* General information\r\n* Entity data\r\n* Triage time (time between incident creation and first response)\r\n* Mitigation time (time between incident creation and closing)\r\n* Comments\r\n\r\nCustomize this workbook by saving and editing it. \r\nYou can reach this workbook template from the incidents panel as well. Once you have customized it, the link from the incident panel will open the customized workbook instead of the template.\r\n",
- "dataTypesDependencies": ["SecurityAlert", "SecurityIncident"],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "IncidentOverviewBlack1.png", "IncidentOverviewWhite1.png", "IncidentOverviewBlack2.png", "IncidentOverviewWhite2.png" ],
- "version": "2.1.0",
- "title": "Incident overview",
- "templateRelativePath": "IncidentOverview.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "SecurityOperationsEfficiency",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Security operations center managers can view overall efficiency metrics and measures regarding the performance of their team. They can find operations by multiple indicators over time including severity, MITRE tactics, mean time to triage, mean time to resolve and more. 
The SOC manager can develop a picture of the performance in both general and specific areas over time and use it to improve efficiency.",
- "dataTypesDependencies": ["SecurityAlert", "SecurityIncident"],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": ["SecurityEfficiencyWhite1.png", "SecurityEfficiencyWhite2.png", "SecurityEfficiencyBlack1.png", "SecurityEfficiencyBlack2.png"],
- "version": "1.5.0",
- "title": "Security Operations Efficiency",
- "templateRelativePath": "SecurityOperationsEfficiency.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "DataCollectionHealthMonitoring",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Gain insights into your workspace's data ingestion status. In this workbook, you can view additional monitors and detect anomalies that will help you determine your workspace’s data collection health.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "HealthMonitoringWhite1.png", "HealthMonitoringWhite2.png", "HealthMonitoringWhite3.png", "HealthMonitoringBlack1.png", "HealthMonitoringBlack2.png", "HealthMonitoringBlack3.png" ],
- "version": "1.0.0",
- "title": "Data collection health monitoring",
- "templateRelativePath": "DataCollectionHealthMonitoring.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "OnapsisAlarmsWorkbook",
- "logoFileName": "onapsis_logo.svg",
- "description": "Gain insights into what is going on in your SAP Systems with this overview of the alarms triggered in the Onapsis Platform. 
Incidents are enriched with context and next steps to help your Security team respond effectively.",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "OnapsisPlatform" ],
- "previewImagesFileNames": [ "OnapsisWhite1.PNG", "OnapsisBlack1.PNG", "OnapsisWhite2.PNG", "OnapsisBlack2.PNG" ],
- "version": "1.0.0",
- "title": "Onapsis Alarms Overview",
- "templateRelativePath": "OnapsisAlarmsOverview.json",
- "subtitle": "",
- "provider": "Onapsis"
- },
- {
- "workbookKey": "ThycoticWorkbook",
- "logoFileName": "ThycoticLogo.svg",
- "description": "The Thycotic Secret Server Syslog connector",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "ThycoticSecretServer_CEF" ],
- "previewImagesFileNames": ["ThycoticWorkbookWhite.PNG", "ThycoticWorkbookBlack.PNG"],
- "version": "1.0.0",
- "title": "Thycotic Secret Server Workbook",
- "templateRelativePath": "ThycoticWorkbook.json",
- "subtitle": "",
- "provider": "Thycotic"
- },
- {
- "workbookKey": "ForcepointCloudSecurityGatewayWorkbook",
- "logoFileName": "Forcepoint_new_logo.svg",
- "description": "Use this report to understand query runs across your workspace.",
- "dataTypesDependencies": ["CommonSecurityLog"],
- "dataConnectorsDependencies": ["ForcepointCSG"],
- "previewImagesFileNames": ["ForcepointCloudSecurityGatewayWhite.png","ForcepointCloudSecurityGatewayBlack.png"],
- "version": "1.0.0",
- "title": "Forcepoint Cloud Security Gateway Workbook",
- "templateRelativePath": "ForcepointCloudSecuirtyGatewayworkbook.json",
- "subtitle": "",
- "provider": "Forcepoint"
- },
- {
- "workbookKey": "IntsightsIOCWorkbook",
- "logoFileName": "IntSights_logo.svg",
- "description": "",
- "dataTypesDependencies": [ "ThreatIntelligenceIndicator", "SecurityAlert" ],
- "dataConnectorsDependencies": [ "ThreatIntelligenceTaxii" ],
- "previewImagesFileNames": [ "IntsightsIOCWhite.png", "IntsightsMatchedWhite.png", "IntsightsMatchedBlack.png", "IntsightsIOCBlack.png"],
- 
"version": "2.0.0",
- "title": "IntSights IOC Workbook",
- "templateRelativePath": "IntsightsIOCWorkbook.json",
- "subtitle": "",
- "provider": "IntSights Cyber Intelligence"
- },
- {
- "workbookKey": "DarktraceSummaryWorkbook",
- "logoFileName": "Darktrace.svg",
- "description": "A workbook containing relevant KQL queries to help you visualise the data in model breaches from the Darktrace Connector",
- "dataTypesDependencies": [ "CommonSecurityLog" ],
- "dataConnectorsDependencies": [ "Darktrace" ],
- "previewImagesFileNames": [ "AIA-DarktraceSummaryWhite.png", "AIA-DarktraceSummaryBlack.png" ],
- "version": "1.1.0",
- "title": "AI Analyst Darktrace Model Breach Summary",
- "templateRelativePath": "AIA-Darktrace.json",
- "subtitle": "",
- "provider": "Darktrace"
- },
- {
- "workbookKey": "TrendMicroXDR",
- "logoFileName": "trendmicro_logo.svg",
- "description": "Gain insights from Trend Micro XDR with this overview of the Alerts triggered.",
- "dataTypesDependencies": [ "TrendMicro_XDR_WORKBENCH_CL" ],
- "dataConnectorsDependencies": [ "TrendMicroXDR" ],
- "previewImagesFileNames": [ "TrendMicroXDROverviewWhite.png", "TrendMicroXDROverviewBlack.png" ],
- "version": "1.2.0",
- "title": "Trend Micro XDR Alert Overview",
- "templateRelativePath": "TrendMicroXDROverview.json",
- "subtitle": "",
- "provider": "Trend Micro"
- },
- {
- "workbookKey": "CyberpionOverviewWorkbook",
- "logoFileName": "cyberpion_logo.svg",
- "description": "Use Cyberpion's Security Logs and this workbook, to get an overview of your online assets, gain insights into their current state, and find ways to better secure your ecosystem.",
- "dataTypesDependencies": [ "CyberpionActionItems_CL" ],
- "dataConnectorsDependencies": [ "CyberpionSecurityLogs" ],
- "previewImagesFileNames": [ "CyberpionActionItemsBlack.png", "CyberpionActionItemsWhite.png" ],
- "version": "1.0.0",
- "title": "Cyberpion Overview",
- "templateRelativePath": "CyberpionOverviewWorkbook.json",
- "subtitle": "",
- "provider": 
"Cyberpion"
- },
- {
- "workbookKey": "SolarWindsPostCompromiseHuntingWorkbook",
- "logoFileName": "MSTIC-Logo.svg",
- "description": "This hunting workbook is intended to help identify activity related to the Solorigate compromise and subsequent attacks discovered in December 2020",
- "dataTypesDependencies": [ "CommonSecurityLog", "SigninLogs", "AuditLogs", "AADServicePrincipalSignInLogs", "OfficeActivity", "BehaviorAnalytics", "SecurityEvent", "DeviceProcessEvents", "SecurityAlert", "DnsEvents"],
- "dataConnectorsDependencies": [ "AzureActiveDirectory", "SecurityEvents", "Office365", "MicrosoftThreatProtection", "DNS", "WindowsSecurityEvents"],
- "previewImagesFileNames": [ "SolarWindsPostCompromiseHuntingWhite.png", "SolarWindsPostCompromiseHuntingBlack.png" ],
- "version": "1.5.0",
- "title": "SolarWinds Post Compromise Hunting",
- "templateRelativePath": "SolarWindsPostCompromiseHunting.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "ProofpointPODWorkbook",
- "logoFileName": "proofpointlogo.svg",
- "description": "Gain insights into your Proofpoint on Demand Email Security activities, including maillog and messages data. 
The Workbook provides users with an executive dashboard showing the reporting capabilities, message traceability and monitoring.",
- "dataTypesDependencies": [ "ProofpointPOD_maillog_CL", "ProofpointPOD_message_CL" ],
- "dataConnectorsDependencies": [ "ProofpointPOD" ],
- "previewImagesFileNames": [ "ProofpointPODMainBlack1.png", "ProofpointPODMainBlack2.png", "ProofpointPODMainWhite1.png", "ProofpointPODMainWhite2.png", "ProofpointPODMessageSummaryBlack.png", "ProofpointPODMessageSummaryWhite.png", "ProofpointPODTLSBlack.png", "ProofpointPODTLSWhite.png" ],
- "version": "1.0.0",
- "title": "Proofpoint On-Demand Email Security",
- "templateRelativePath": "ProofpointPOD.json",
- "subtitle": "",
- "provider": "Proofpoint"
- },
- {
- "workbookKey": "CiscoUmbrellaWorkbook",
- "logoFileName": "cisco_logo.svg",
- "description": "Gain insights into Cisco Umbrella activities, including the DNS, Proxy and Cloud Firewall data. Workbook shows general information along with threat landscape including categories, blocked destinations and URLs.",
- "dataTypesDependencies": [ "Cisco_Umbrella_dns_CL", "Cisco_Umbrella_proxy_CL", "Cisco_Umbrella_ip_CL", "Cisco_Umbrella_cloudfirewall_CL" ],
- "dataConnectorsDependencies": [ "CiscoUmbrellaDataConnector" ],
- "previewImagesFileNames": [ "CiscoUmbrellaDNSBlack1.png", "CiscoUmbrellaDNSBlack2.png", "CiscoUmbrellaDNSWhite1.png", "CiscoUmbrellaDNSWhite2.png", "CiscoUmbrellaFirewallBlack.png", "CiscoUmbrellaFirewallWhite.png", "CiscoUmbrellaMainBlack1.png", "CiscoUmbrellaMainBlack2.png", "CiscoUmbrellaMainWhite1.png", "CiscoUmbrellaMainWhite2.png", "CiscoUmbrellaProxyBlack1.png", "CiscoUmbrellaProxyBlack2.png", "CiscoUmbrellaProxyWhite1.png", "CiscoUmbrellaProxyWhite2.png" ],
- "version": "1.0.0",
- "title": "Cisco Umbrella",
- "templateRelativePath": "CiscoUmbrella.json",
- "subtitle": "",
- "provider": "Cisco"
- },
- {
- "workbookKey": "AnalyticsEfficiencyWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Gain insights 
into the efficacy of your analytics rules. In this workbook you can analyze and monitor the analytics rules found in your workspace to achieve better performance by your SOC.",
- "dataTypesDependencies": ["SecurityAlert", "SecurityIncident"],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "AnalyticsEfficiencyBlack.png", "AnalyticsEfficiencyWhite.png" ],
- "version": "1.2.0",
- "title": "Analytics Efficiency",
- "templateRelativePath": "AnalyticsEfficiency.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "WorkspaceUsage",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Gain insights into your workspace's usage. In this workbook, you can view your workspace’s data consumption, latency, recommended tasks and Cost and Usage statistics.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "WorkspaceUsageBlack.png", "WorkspaceUsageWhite.png"],
- "version": "1.6.0",
- "title": "Workspace Usage Report",
- "templateRelativePath": "WorkspaceUsage.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "SentinelCentral",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Use this report to view Incident (and Alert data) across many workspaces, this works with Azure Lighthouse and across any subscription you have access to.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "SentinelCentralBlack.png", "SentinelCentralWhite.png"],
- "version": "2.1.0",
- "title": "Sentinel Central",
- "templateRelativePath": "SentinelCentral.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "CognniIncidentsWorkbook",
- "logoFileName": "cognni-logo.svg",
- "description": "Gain intelligent insights into the risks to your important financial, legal, HR, and governance information. 
This workbook lets you monitor your at-risk information to determine when and why incidents occurred, as well as who was involved. These incidents are broken into high, medium, and low risk incidents for each information category.",
- "dataTypesDependencies": ["CognniIncidents_CL"],
- "dataConnectorsDependencies": ["CognniSentinelDataConnector"],
- "previewImagesFileNames": [ "CognniBlack.PNG", "CognniWhite.PNG"],
- "version": "1.0.0",
- "title": "Cognni Important Information Incidents",
- "templateRelativePath": "CognniIncidentsWorkbook.json",
- "subtitle": "",
- "provider": "Cognni"
- },
- {
- "workbookKey": "pfsense",
- "logoFileName": "pfsense_logo.svg",
- "description": "Gain insights into pfsense logs from both filterlog and nginx.",
- "dataTypesDependencies": ["CommonSecurityLog"],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "pfsenseBlack.png", "pfsenseWhite.png"],
- "version": "1.0.0",
- "title": "pfsense",
- "templateRelativePath": "pfsense.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "ExchangeCompromiseHunting",
- "logoFileName": "MSTIC-Logo.svg",
- "description": "This workbook is intended to help defenders in responding to the Exchange Server vulnerabilities disclosed in March 2021, as well as hunting for potential compromise activity. 
More details on these vulnearbilities can be found at: https://aka.ms/exchangevulns",
- "dataTypesDependencies": ["SecurityEvent", "W3CIISLog"],
- "dataConnectorsDependencies": ["SecurityEvents", "AzureMonitor(IIS)", "WindowsSecurityEvents"],
- "previewImagesFileNames": ["ExchangeBlack.png", "ExchangeWhite.png"],
- "version": "1.0.0",
- "title": "Exchange Compromise Hunting",
- "templateRelativePath": "ExchangeCompromiseHunting.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "SOCProcessFramework",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Azure Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": ["SOCProcessFrameworkCoverImage1White.png", "SOCProcessFrameworkCoverImage1Black.png", "SOCProcessFrameworkCoverImage2White.png", "SOCProcessFrameworkCoverImage2Black.png"],
- "version": "1.1.0",
- "title": "SOC Process Framework",
- "templateRelativePath": "SOCProcessFramework.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "Microsoft365SecurityPosture",
- "logoFileName": "M365securityposturelogo.svg",
- "description": "This workbook presents security posture data collected from Azure Security Center, M365 Defender, Defender for Endpoint, and Microsoft Cloud App Security. 
This workbook relies on the M365 Security Posture Playbook in order to bring the data in.",
- "dataTypesDependencies": [ "M365SecureScore_CL", "MDfESecureScore_CL", "MDfEExposureScore_CL", "MDfERecommendations_CL", "MDfEVulnerabilitiesList_CL", "McasShadowItReporting"],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": ["M365securitypostureblack.png", "M365securityposturewhite.png" ],
- "version": "1.0.0",
- "title": "Microsoft 365 Security Posture",
- "templateRelativePath": "M365SecurityPosture.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "AzureSentinelCost",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This workbook provides an estimated cost across the main billed items in Microsoft Sentinel: ingestion, retention and automation. It also provides insight about the possible impact of the Microsoft 365 E5 offer.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "AzureSentinelCostWhite.png", "AzureSentinelCostBlack.png"],
- "version": "1.5.0",
- "title": "Microsoft Sentinel Cost",
- "templateRelativePath": "AzureSentinelCost.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "ADXvsLA",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This workbook shows the tables from Microsoft Sentinel which are backed up in ADX. It also provides a comparison between the entries in the Microsoft Sentinel tables and the ADX tables. 
Lastly some general information about the queries and ingestion on ADX is shown.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "ADXvsLABlack.PNG", "ADXvsLAWhite.PNG"],
- "version": "1.0.0",
- "title": "ADXvsLA",
- "templateRelativePath": "ADXvsLA.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "MicrosoftDefenderForOffice365",
- "logoFileName": "office365_logo.svg",
- "description": "Gain insights into your Microsoft Defender for Office 365 raw data logs. This workbook lets you look at trends in email senders, attachments and embedded URL data to find anomalies. You can also search by, sender, recipient, subject, attachment or embedded URL to find where the related messages have been sent.",
- "dataTypesDependencies": [ "EmailEvents", "EmailUrlInfo", "EmailAttachmentInfo" ],
- "dataConnectorsDependencies": [ ],
- "previewImagesFileNames": [ "MDOWhite1.png", "MDOBlack1.png", "MDOWhite2.png", "MDOBlack2.png" ],
- "version": "1.0.0",
- "title": "Microsoft Defender For Office 365",
- "templateRelativePath": "MicrosoftDefenderForOffice365.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "ProofPointThreatDashboard",
- "logoFileName": "",
- "description": "Provides an overview of email threat activity based on log data provided by ProofPoint",
- "dataTypesDependencies": [ "ProofpointPOD_message_CL", "ProofpointPOD_maillog_CL", "ProofPointTAPClicksBlocked_CL", "ProofPointTAPClicksPermitted_CL", "ProofPointTAPMessagesBlocked_CL", "ProofPointTAPMessagesDelivered_CL" ],
- "dataConnectorsDependencies": ["ProofpointTAP", "ProofpointPOD"],
- "previewImagesFileNames": [ "ProofPointThreatDashboardBlack1.png", "ProofPointThreatDashboardWhite1.png"],
- "version": "1.0.0",
- "title": "ProofPoint Threat Dashboard",
- "templateRelativePath": "ProofPointThreatDashboard.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- }, 
- {
- "workbookKey": "AMAmigrationTracker",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "See what Azure and Azure Arc servers have Log Analytics agent or Azure Monitor agent installed. Review what DCR (data collection rules) apply to your machines and whether you are collecting logs from those machines into your selected workspaces.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "AMAtrackingWhite1.png", "AMAtrackingWhite2.png", "AMAtrackingWhite3.png", "AMAtrackingBlack1.png", "AMAtrackingBlack2.png", "AMAtrackingBlack3.png" ],
- "version": "1.1.0",
- "title": "AMA migration tracker",
- "templateRelativePath": "AMAmigrationTracker.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "AdvancedKQL",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This interactive Workbook is designed to improve your KQL proficiency by using a use-case driven approach.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "AdvancedKQLWhite.png", "AdvancedKQLBlack.png"],
- "version": "1.3.0",
- "title": "Advanced KQL for Microsoft Sentinel",
- "templateRelativePath": "AdvancedKQL.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "DSTIMWorkbook",
- "logoFileName": "DSTIM.svg",
- "description": "Identify sensitive data blast radius (i.e., who accessed sensitive data, what kinds of sensitive data, from where and when) in a given data security incident investigation or as part of Threat Hunting. 
Prioritize your investigation based on insights provided with integrations with Watchlists(VIPUsers, TerminatedEmployees and HighValueAssets), Threat Intelligence feed, UEBA baselines and much more.",
- "dataTypesDependencies": [ "DSMAzureBlobStorageLogs", "DSMDataClassificationLogs", "DSMDataLabelingLogs", "Anomalies", "ThreatIntelligenceIndicator", "AADManagedIdentitySignInLogs", "SecurityAlert", "SigninLogs" ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "DSTIMWorkbookBlack.png", "DSTIMWorkbookWhite.png" ],
- "version": "1.9.0",
- "title": "Data Security - Sensitive Data Impact Assessment",
- "templateRelativePath": "DSTIMWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft",
- "featureFlag": "DSTIMWorkbook"
- },
- {
- "workbookKey": "IntrotoKQLWorkbook",
- "logoFileName": "",
- "description": "Learn and practice the Kusto Query Language. This workbook introduces and provides 100 to 200 level content for new and existing users looking to learn KQL. This workbook will be updated with content over time.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "IntrotoKQL-black.png", "IntrotoKQL-white.png" ],
- "version": "1.0.0",
- "title": "Intro to KQL",
- "templateRelativePath": "IntrotoKQL.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "Log4jPostCompromiseHunting",
- "logoFileName": "",
- "description": "This hunting workbook is intended to help identify activity related to the Log4j compromise discovered in December 2021.",
- "dataTypesDependencies": [ "SecurityNestedRecommendation", "AzureDiagnostics", "OfficeActivity", "W3CIISLog", "AWSCloudTrail", "SigninLogs", "AADNonInteractiveUserSignInLogs", "imWebSessions", "imNetworkSession"],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "Log4jPostCompromiseHuntingBlack.png", "Log4jPostCompromiseHuntingWhite.png" ],
- "version": "1.0.0",
- "title": "Log4j Post Compromise 
Hunting",
- "templateRelativePath": "Log4jPostCompromiseHunting.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "UserMap",
- "logoFileName": "",
- "description": "This Workbook shows MaliciousIP, User SigninLog Data (this shows user Signin Locations and distance between as well as order visited) and WAF information.",
- "dataTypesDependencies": [ "SigninLogs", "AzureDiagnostics", "WireData", "VMconnection", "CommonSecurityLog", "WindowsFirewall", "W3CIISLog","DnsEvents"],
- "dataConnectorsDependencies": ["AzureActiveDirectory"],
- "previewImagesFileNames": [ "UserMapBlack.png", "UserMapWhite.png" ],
- "version": "1.0.0",
- "title": "User Map information",
- "templateRelativePath": "UserMap.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "AWSS3",
- "logoFileName": "",
- "description": ".",
- "dataTypesDependencies": [ "AWSCloudTrail", "AWSGuardDuty", "AWSVPCFlow"],
- "dataConnectorsDependencies": ["AWSS3"],
- "previewImagesFileNames": [ "AWSS3Black.png", "AWSS3White.png","AWSS3White1.png" ],
- "version": "1.0.0",
- "title": "AWS S3 Workbook",
- "templateRelativePath": "AWSS3.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "LogSourcesAndAnalyticRulesCoverageWorkbook",
- "logoFileName": "",
- "description": "This workbook is intended to show how the different tables in a Log Analytics workspace are being used by the different Microsoft Sentinel features, like analytics, hunting queries, playbooks and queries in general.",
- "dataTypesDependencies": [ ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "LogSourcesAndAnalyticRulesCoverageBlack.png", "LogSourcesAndAnalyticRulesCoverageWhite.png" ],
- "version": "1.1.0",
- "title": "Log Sources & Analytic Rules Coverage",
- "templateRelativePath": "LogSourcesAndAnalyticRulesCoverage.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- 
"workbookKey": "CiscoFirepower",
- "logoFileName": "",
- "description": "Gain insights into your Cisco Firepower firewalls. This workbook analyzes Cisco Firepower device logs.",
- "dataTypesDependencies": [ "CommonSecurityLog"],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "CiscoFirepowerBlack.png", "CiscoFirepowerWhite.png" ],
- "version": "1.0.0",
- "title": "Cisco Firepower",
- "templateRelativePath": "CiscoFirepower.json",
- "subtitle": "",
- "provider": "Azure Sentinel Community"
- },
- {
- "workbookKey": "MicrorosftTeams",
- "logoFileName": "microsoftteams.svg",
- "description": "This workbook is intended to identify the activities on Microrsoft Teams.",
- "dataTypesDependencies": [ "OfficeActivity" ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "MicrosoftTeamsBlack.png", "MicrosoftTeamsWhite.png" ],
- "version": "1.0.0",
- "title": "Microsoft Teams",
- "templateRelativePath": "MicrosoftTeams.json",
- "subtitle": "",
- "provider": "Azure Sentinel Community"
- },
- {
- "workbookKey": "ArchivingBasicLogsRetention",
- "logoFileName": "ArchivingBasicLogsRetention.svg",
- "description": "This workbooks shows workspace and table retention periods, basic logs, and search & restore tables. 
It also allows you to update table retention periods, plans, and delete search or restore tables.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "ArchivingBasicLogsRetentionBlack1.png", "ArchivingBasicLogsRetentionWhite1.png" ],
- "version": "1.1.0",
- "title": "Archiving, Basic Logs, and Retention",
- "templateRelativePath": "ArchivingBasicLogsRetention.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "OktaSingleSignOnWorkbook",
- "logoFileName": "okta_logo.svg",
- "description": "Gain extensive insight into Okta Single Sign-On (SSO) by analyzing, collecting and correlating Audit and Event events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked",
- "dataTypesDependencies": [ "Okta_CL" ],
- "dataConnectorsDependencies": [ "OktaSSO" ],
- "previewImagesFileNames": [ "OktaSingleSignOnWhite.png", "OktaSingleSignOnBlack.png" ],
- "version": "1.2",
- "title": "Okta Single Sign-On",
- "templateRelativePath": "OktaSingleSignOn.json",
- "subtitle": "",
- "provider": "Okta"
- },
- {
- "workbookKey": "MicrosoftDefenderForEndPoint",
- "logoFileName": "",
- "description": "A wokbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through M365 Defender Connector.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [ "microsoftdefenderforendpointwhite.png", "microsoftdefenderforendpointblack.png" ],
- "version": "1.0.0",
- "title": "MicrosoftDefenderForEndPoint",
- "templateRelativePath": "MicrosoftDefenderForEndPoint.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- }
-]