Merge branch 'master' into pr-malicious-inbox-triggering

2021-10-03 18:39:37 -07:00 · 2021-10-03 18:39:37 -07:00 · bbde89f744
--- a/.script/tests/KqlvalidationsTests/CustomTables/GCP_IAM.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/GCP_IAM.json
@ -0,0 +1,313 @@
+{
+    "Name": "GCP_IAM",
+    "Properties": [
+        {
+            "Name": "TimeGenerated",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "PayloadStatusCode",
+            "Type": "Double"
+        },
+        {
+            "Name": "PayloadStatusMessage",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestKeyTypes",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadServicedataPermissiondeltaRemovedpermissions",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestUpdateMaskPaths",
+            "Type": "String"
+        },
+        {
+            "Name": "ResourceLabelsTopicId",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadServicedataPolicydeltaBindingdeltas",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestPolicyAuditconfigs",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestPolicyEtag",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestPolicyBindings",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestResource",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadResponseBindings",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadResponseAuditconfigs",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestPageSize",
+            "Type": "Double"
+        },
+        {
+            "Name": "PayloadRequestRemoveDeletedServiceAccounts",
+            "Type": "Boolean"
+        },
+        {
+            "Name": "PayloadRequestView",
+            "Type": "Double"
+        },
+        {
+            "Name": "PayloadRequestParent",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestShowDeleted",
+            "Type": "Boolean"
+        },
+        {
+            "Name": "ResourceLabelsRoleName",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadServicedataType",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadServicedataPermissiondeltaAddedpermissions",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestRoleIncludedPermissions",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestRoleTitle",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestRoleDescription",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestRoleId",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadResponseGroupName",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadResponseIncludedPermissions",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadResponseTitle",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadResponseGroupTitle",
+            "Type": "String"
+        },
+        {
+            "Name": "LogName",
+            "Type": "String"
+        },
+        {
+            "Name": "InsertId",
+            "Type": "String"
+        },
+        {
+            "Name": "EventSeverity",
+            "Type": "String"
+        },
+        {
+            "Name": "EventEndTime",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "ResourceType",
+            "Type": "String"
+        },
+        {
+            "Name": "ResourceLabelsEmailId",
+            "Type": "String"
+        },
+        {
+            "Name": "ResourceLabelsProjectId",
+            "Type": "String"
+        },
+        {
+            "Name": "ResourceLabelsUniqueId",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadType",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadAuthenticationinfoPrincipalemail",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadAuthenticationinfoPrincipalsubject",
+            "Type": "String"
+        },
+        {
+            "Name": "SrcIpAddr",
+            "Type": "String"
+        },
+        {
+            "Name": "HttpUserAgentOriginal",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestmetadataRequestattributesTime",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadServicename",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadMethodname",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadAuthorizationinfo",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadResourcename",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestType",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestName",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestAccountId",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestServiceAccountDescription",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestServiceAccountDisplayName",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadResponseOauth2ClientId",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadResponseName",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadResponseEtag",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadResponseUniqueId",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadResponseDescription",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadResponseProjectId",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadResponseDisplayName",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadResponseType",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadResponseEmail",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestPrivateKeyType",
+            "Type": "Double"
+        },
+        {
+            "Name": "PayloadResponseValidBeforeTimeSeconds",
+            "Type": "Double"
+        },
+        {
+            "Name": "PayloadResponseValidAfterTimeSeconds",
+            "Type": "Double"
+        },
+        {
+            "Name": "PayloadResponseKeyType",
+            "Type": "Double"
+        },
+        {
+            "Name": "PayloadResponseKeyOrigin",
+            "Type": "Double"
+        },
+        {
+            "Name": "PayloadResponsePrivateKeyType",
+            "Type": "Double"
+        },
+        {
+            "Name": "PayloadResponseKeyAlgorithm",
+            "Type": "Double"
+        },
+        {
+            "Name": "ResourceLabelsService",
+            "Type": "String"
+        },
+        {
+            "Name": "ResourceLabelsVersion",
+            "Type": "String"
+        },
+        {
+            "Name": "ResourceLabelsLocation",
+            "Type": "String"
+        },
+        {
+            "Name": "ResourceLabelsMethod",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestFullResourceName",
+            "Type": "String"
+        },
+        {
+            "Name": "PayloadRequestOptionsRequestedPolicyVersion",
+            "Type": "Double"
+        },
+        {
+            "Name": "PayloadRequestSkipVisibilityCheck",
+            "Type": "Boolean"
+        },
+        {
+            "Name": "PayloadRequestPageToken",
+            "Type": "String"
+        }
+    ]
+}
--- a/.script/tests/KqlvalidationsTests/CustomTables/InformationProtectionLogs_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/InformationProtectionLogs_CL.json
@ -0,0 +1,346 @@
+{
+  "Name": "InformationProtectionLogs_CL",
+  "Properties": [
+    {
+      "Name": "TenantId",
+      "Type": "string"
+    },
+    {
+      "Name": "SourceSystem",
+      "Type": "string"
+    },
+    {
+      "Name": "MG",
+      "Type": "string"
+    },
+    {
+      "Name": "ManagementGroupName",
+      "Type": "string"
+    },
+    {
+      "Name": "TimeGenerated",
+      "Type": "datetime"
+    },
+    {
+      "Name": "Computer",
+      "Type": "string"
+    },
+    {
+      "Name": "RawData",
+      "Type": "string"
+    },
+    {
+      "Name": "PK_LA___Content_Types__xml_MN_0_H_nY_t_Q_Ic_g_b_2p_J_6_oE_V_P_t_3_vX_I_u_p_e_nd_z_Q_Q_K_oH_X_U_s",
+      "Type": "string"
+    },
+    {
+      "Name": "ProtectionTime_s",
+      "Type": "string"
+    },
+    {
+      "Name": "Protected_s",
+      "Type": "string"
+    },
+    {
+      "Name": "TimeGenerated_s",
+      "Type": "string"
+    },
+    {
+      "Name": "TimeGenerated_UTC__s",
+      "Type": "string"
+    },
+    {
+      "Name": "TemplateId_g_g",
+      "Type": "string"
+    },
+    {
+      "Name": "ProtectionType_s_s",
+      "Type": "string"
+    },
+    {
+      "Name": "ProtectionOwner_s_s",
+      "Type": "string"
+    },
+    {
+      "Name": "ContentId_g_g",
+      "Type": "string"
+    },
+    {
+      "Name": "ProtectionTime_t_UTC__s",
+      "Type": "string"
+    },
+    {
+      "Name": "ProcessVersion_s_s",
+      "Type": "string"
+    },
+    {
+      "Name": "AadTenantId_g_g",
+      "Type": "string"
+    },
+    {
+      "Name": "UserId_s_s",
+      "Type": "string"
+    },
+    {
+      "Name": "Version_s_s",
+      "Type": "string"
+    },
+    {
+      "Name": "Workload_s_s",
+      "Type": "string"
+    },
+    {
+      "Name": "ProcessName_s_s",
+      "Type": "string"
+    },
+    {
+      "Name": "ApplicationName_s_s",
+      "Type": "string"
+    },
+    {
+      "Name": "Operation_s_s",
+      "Type": "string"
+    },
+    {
+      "Name": "Protected_b_s",
+      "Type": "string"
+    },
+    {
+      "Name": "Platform_s_s",
+      "Type": "string"
+    },
+    {
+      "Name": "Activity_s_s",
+      "Type": "string"
+    },
+    {
+      "Name": "DataState_s_s",
+      "Type": "string"
+    },
+    {
+      "Name": "LogId_g_g",
+      "Type": "string"
+    },
+    {
+      "Name": "IPv4_s_s",
+      "Type": "string"
+    },
+    {
+      "Name": "MatchedLabelId_g",
+      "Type": "string"
+    },
+    {
+      "Name": "MatchedLabelName_s",
+      "Type": "string"
+    },
+    {
+      "Name": "ProtectionTypeBefore_s",
+      "Type": "string"
+    },
+    {
+      "Name": "TemplateIdBefore_g",
+      "Type": "string"
+    },
+    {
+      "Name": "ParentLabelNameBefore_s",
+      "Type": "string"
+    },
+    {
+      "Name": "LabelIdBeforeAction_g",
+      "Type": "string"
+    },
+    {
+      "Name": "SensitivityChange_s",
+      "Type": "string"
+    },
+    {
+      "Name": "LabelNameBefore_s",
+      "Type": "string"
+    },
+    {
+      "Name": "ActionIdBefore_g",
+      "Type": "string"
+    },
+    {
+      "Name": "TemplateId_g",
+      "Type": "string"
+    },
+    {
+      "Name": "ProtectionType_s",
+      "Type": "string"
+    },
+    {
+      "Name": "ProtectionOwner_s",
+      "Type": "string"
+    },
+    {
+      "Name": "ContentId_g",
+      "Type": "string"
+    },
+    {
+      "Name": "ProtectionTime_t",
+      "Type": "datetime"
+    },
+    {
+      "Name": "ProcessVersion_s",
+      "Type": "string"
+    },
+    {
+      "Name": "DeviceId_s",
+      "Type": "string"
+    },
+    {
+      "Name": "InformationTypes_s",
+      "Type": "string"
+    },
+    {
+      "Name": "DiscoveredInformationTypes_s",
+      "Type": "string"
+    },
+    {
+      "Name": "InformationTypesAbove55_s",
+      "Type": "string"
+    },
+    {
+      "Name": "InformationTypesAbove65_s",
+      "Type": "string"
+    },
+    {
+      "Name": "InformationTypesAbove75_s",
+      "Type": "string"
+    },
+    {
+      "Name": "InformationTypesAbove85_s",
+      "Type": "string"
+    },
+    {
+      "Name": "InformationTypesAbove95_s",
+      "Type": "string"
+    },
+    {
+      "Name": "DeviceRisk_s",
+      "Type": "string"
+    },
+    {
+      "Name": "MachineId_s",
+      "Type": "string"
+    },
+    {
+      "Name": "ActionSource_s",
+      "Type": "string"
+    },
+    {
+      "Name": "DeviceId_g",
+      "Type": "string"
+    },
+    {
+      "Name": "AadTenantId_g",
+      "Type": "string"
+    },
+    {
+      "Name": "LabelName_s",
+      "Type": "string"
+    },
+    {
+      "Name": "ParentLabelName_s",
+      "Type": "string"
+    },
+    {
+      "Name": "UserId_s",
+      "Type": "string"
+    },
+    {
+      "Name": "MachineName_s",
+      "Type": "string"
+    },
+    {
+      "Name": "Version_s",
+      "Type": "string"
+    },
+    {
+      "Name": "Workload_s",
+      "Type": "string"
+    },
+    {
+      "Name": "ProcessName_s",
+      "Type": "string"
+    },
+    {
+      "Name": "ApplicationName_s",
+      "Type": "string"
+    },
+    {
+      "Name": "Operation_s",
+      "Type": "string"
+    },
+    {
+      "Name": "ObjectId_s",
+      "Type": "string"
+    },
+    {
+      "Name": "LabelId_g",
+      "Type": "string"
+    },
+    {
+      "Name": "Protected_b",
+      "Type": "bool"
+    },
+    {
+      "Name": "ProtectedBeforeAction_b",
+      "Type": "bool"
+    },
+    {
+      "Name": "Platform_s",
+      "Type": "string"
+    },
+    {
+      "Name": "Activity_s",
+      "Type": "string"
+    },
+    {
+      "Name": "Location_s",
+      "Type": "string"
+    },
+    {
+      "Name": "ApplicationId_g",
+      "Type": "string"
+    },
+    {
+      "Name": "DataState_s",
+      "Type": "string"
+    },
+    {
+      "Name": "IsLabelChanged_b",
+      "Type": "bool"
+    },
+    {
+      "Name": "IsProtectionChanged_b",
+      "Type": "bool"
+    },
+    {
+      "Name": "ProductVersion_s",
+      "Type": "string"
+    },
+    {
+      "Name": "LogId_g",
+      "Type": "string"
+    },
+    {
+      "Name": "ActionId_g",
+      "Type": "string"
+    },
+    {
+      "Name": "IPv4_s",
+      "Type": "string"
+    },
+    {
+      "Name": "Type",
+      "Type": "string"
+    },
+    {
+      "Name": "_ResourceId",
+      "Type": "string"
+    }
+  ]
+}
+
--- a/.script/tests/KqlvalidationsTests/CustomTables/SecurityRecommendation.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/SecurityRecommendation.json
@ -0,0 +1,109 @@
+{
+  "Name": "SecurityRecommendation",
+  "Properties": [
+    {
+      "Name": "TenantId",
+      "Type": "string"
+    },
+    {
+      "Name": "ResourceTenantId",
+      "Type": "string"
+    },
+    {
+      "Name": "RecommendationId",
+      "Type": "string"
+    },
+    {
+      "Name": "RecommendationName",
+      "Type": "string"
+    },
+    {
+      "Name": "RecommendationDisplayName",
+      "Type": "string"
+    },
+    {
+      "Name": "ProviderName",
+      "Type": "string"
+    },
+    {
+      "Name": "Description",
+      "Type": "string"
+    },
+    {
+      "Name": "RemediationDescription",
+      "Type": "string"
+    },
+    {
+      "Name": "RecommendationState",
+      "Type": "string"
+    },
+    {
+      "Name": "TimeGenerated",
+      "Type": "datetime"
+    },
+    {
+      "Name": "DiscoveredTimeUTC",
+      "Type": "datetime"
+    },
+    {
+      "Name": "ResolvedTimeUTC",
+      "Type": "datetime"
+    },
+    {
+      "Name": "PolicyDefinitionId",
+      "Type": "string"
+    },
+    {
+      "Name": "RecommendationSeverity",
+      "Type": "string"
+    },
+    {
+      "Name": "NotApplicableReason",
+      "Type": "string"
+    },
+    {
+      "Name": "AgentId",
+      "Type": "string"
+    },
+    {
+      "Name": "AssessedResourceId",
+      "Type": "string"
+    },
+    {
+      "Name": "DeviceId",
+      "Type": "string"
+    },
+    {
+      "Name": "ResourceRegion",
+      "Type": "string"
+    },
+    {
+      "Name": "SourceSystem",
+      "Type": "string"
+    },
+    {
+      "Name": "RecommendationLink",
+      "Type": "string"
+    },
+    {
+      "Name": "IsSnapshot",
+      "Type": "bool"
+    },
+    {
+      "Name": "RecommendationAdditionalData",
+      "Type": "dynamic"
+    },
+    {
+      "Name": "FirstEvaluationDate",
+      "Type": "datetime"
+    },
+    {
+      "Name": "StatusChangeDate",
+      "Type": "datetime"
+    },
+    {
+      "Name": "Type",
+      "Type": "string"
+    }
+  ]
+}
--- a/.script/tests/KqlvalidationsTests/Kqlvalidations.Tests.csproj
+++ b/.script/tests/KqlvalidationsTests/Kqlvalidations.Tests.csproj
@ -12,7 +12,7 @@
      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
    </PackageReference>
    <PackageReference Include="YamlDotNet" Version="6.0.0" />
-    <PackageReference Include="Microsoft.Azure.Sentinel.KustoServices" Version="2.1.0" />
+    <PackageReference Include="Microsoft.Azure.Sentinel.KustoServices" Version="2.2.0" />
  </ItemGroup>

 </Project>
--- a/.script/tests/KqlvalidationsTests/Microsoft.Azure.Sentinel.KustoServices.2.1.0.nupkg
+++ b/.script/tests/KqlvalidationsTests/Microsoft.Azure.Sentinel.KustoServices.2.1.0.nupkg
--- a/.script/tests/KqlvalidationsTests/microsoft.azure.sentinel.kustoservices.2.2.0.nupkg
+++ b/.script/tests/KqlvalidationsTests/microsoft.azure.sentinel.kustoservices.2.2.0.nupkg
--- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
+++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@ -126,5 +126,6 @@
  "illusiveAttackManagementSystem",
  "WindowsSecurityEvents",
  "IronNetIronDefense",
+  "GCPIAMDataConnector",
  "Illusive"
 ]
--- a/DataConnectors/AWS-S3/ConfigCloudTrailDataConnector.ps1
+++ b/DataConnectors/AWS-S3/ConfigCloudTrailDataConnector.ps1
@ -345,7 +345,7 @@ if($kmsCofirmation -eq 'y')
 		$currentKmsPolicyObject = $currentKmsPolicy | ConvertFrom-Json 	
 		$currentKmsPolicies = ($currentKmsPolicyObject.Policy) | ConvertFrom-Json
 		
-		$kmsRequiredPoliciesThatNotExistInCurrentPolicy =  $kmsRequiredPoliciesObject.Statement | Where-Object { ($_ | ConvertTo-Json) -notin ($currentKmsPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json}  )}
+		$kmsRequiredPoliciesThatNotExistInCurrentPolicy =  $kmsRequiredPoliciesObject.Statement | Where-Object { ($_ | ConvertTo-Json -Depth 5) -notin ($currentKmsPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json -Depth 5}  )}
 		if($kmsRequiredPoliciesThatNotExistInCurrentPolicy -ne $null)
 		{
 			$currentKmsPolicies.Statement += $kmsRequiredPoliciesThatNotExistInCurrentPolicy
@ -373,7 +373,7 @@ if($currentSqsPolicy -ne $null)
 	$currentSqsPolicyObject = $currentSqsPolicy | ConvertFrom-Json 	
 	$currentSqsPolicies = ($currentSqsPolicyObject.Attributes.Policy) | ConvertFrom-Json 
 	
-	$sqsRequiredPoliciesThatNotExistInCurrentPolicy =  $sqsRequiredPoliciesObject.Statement | Where-Object { ($_ | ConvertTo-Json) -notin ($currentSqsPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json}  )}
+	$sqsRequiredPoliciesThatNotExistInCurrentPolicy =  $sqsRequiredPoliciesObject.Statement | Where-Object { ($_ | ConvertTo-Json -Depth 5) -notin ($currentSqsPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json -Depth 5}  )}
 	if($sqsRequiredPoliciesThatNotExistInCurrentPolicy -ne $null)
 	{
 		$currentSqsPolicies.Statement += $sqsRequiredPoliciesThatNotExistInCurrentPolicy
@ -413,7 +413,7 @@ if($isBucketPolicyExist)
 	$currentBucketPolicyObject = $currentBucketPolicy | ConvertFrom-Json 	
 	$currentBucketPolicies = ($currentBucketPolicyObject.Policy) | ConvertFrom-Json 
 	 
-    $sqsRequiredPolicyThatNotExistInCurrentPolicy = $s3RequiredPolicyObject.Statement | Where-Object { ($_ | ConvertTo-Json) -notin ($currentBucketPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json}  )}
+    $sqsRequiredPolicyThatNotExistInCurrentPolicy = $s3RequiredPolicyObject.Statement | Where-Object { ($_ | ConvertTo-Json -Depth 5) -notin ($currentBucketPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json -Depth 5}  )}
 	if($sqsRequiredPolicyThatNotExistInCurrentPolicy -ne $null)
 	{
 		$currentBucketPolicies.Statement += $sqsRequiredPolicyThatNotExistInCurrentPolicy
--- a/DataConnectors/AWS-S3/ConfigGuardDutyDataConnector.ps1
+++ b/DataConnectors/AWS-S3/ConfigGuardDutyDataConnector.ps1
@ -280,13 +280,13 @@ $callerAccount = (aws sts get-caller-identity | ConvertFrom-Json).Account

 Write-Output `n`n'Kms Definition.'
 Retry-Action({
-	$kmaAliasName = Read-Host 'Please insert KMS alias Name'
-	$kmsKeyDescription = aws kms describe-key --key-id alias/$kmaAliasName 2>&1
+	$script:kmaAliasName = Read-Host 'Please insert KMS alias Name'
+	$script:kmsKeyDescription = aws kms describe-key --key-id alias/$kmaAliasName 2>&1
 	$isKmsNotExist = $lastexitcode -ne 0
 	if($isKmsNotExist)
 	{
-		$kmsKeyDescription = aws kms create-key
-		$kmsKeyId = ($kmsKeyDescription | ConvertFrom-Json).KeyMetadata.KeyId
+		$script:kmsKeyDescription = aws kms create-key
+		$kmsKeyId = ($script:kmsKeyDescription | ConvertFrom-Json).KeyMetadata.KeyId
 		$tempForOutput = aws kms create-alias --alias-name alias/$kmaAliasName --target-key-id $kmsKeyId 2>&1
 		if($lastexitcode -eq 0)
 		{
@ -318,7 +318,7 @@ if($currentKmsPolicy -ne $null)
 	$currentKmsPolicyObject = $currentKmsPolicy | ConvertFrom-Json 	
 	$currentKmsPolicies = ($currentKmsPolicyObject.Policy) | ConvertFrom-Json
 	
-	$kmsRequiredPoliciesThatNotExistInCurrentPolicy =  $kmsRequiredPoliciesObject.Statement | Where-Object { ($_ | ConvertTo-Json) -notin ($currentKmsPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json}  )}
+	$kmsRequiredPoliciesThatNotExistInCurrentPolicy =  $kmsRequiredPoliciesObject.Statement | Where-Object { ($_ | ConvertTo-Json -Depth 5) -notin ($currentKmsPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json -Depth 5}  )}
 	if($kmsRequiredPoliciesThatNotExistInCurrentPolicy -ne $null)
 	{
 		$currentKmsPolicies.Statement += $kmsRequiredPoliciesThatNotExistInCurrentPolicy
@ -346,7 +346,7 @@ if($currentSqsPolicy -ne $null)
 	$currentSqsPolicyObject = $currentSqsPolicy | ConvertFrom-Json 	
 	$currentSqsPolicies = ($currentSqsPolicyObject.Attributes.Policy) | ConvertFrom-Json 
 	
-	$sqsRequiredPoliciesThatNotExistInCurrentPolicy =  $sqsRequiredPoliciesObject.Statement | Where-Object { ($_ | ConvertTo-Json) -notin ($currentSqsPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json}  )}
+	$sqsRequiredPoliciesThatNotExistInCurrentPolicy =  $sqsRequiredPoliciesObject.Statement | Where-Object { ($_ | ConvertTo-Json -Depth 5) -notin ($currentSqsPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json -Depth 5}  )}
 	if($sqsRequiredPoliciesThatNotExistInCurrentPolicy -ne $null)
 	{
 		$currentSqsPolicies.Statement += $sqsRequiredPoliciesThatNotExistInCurrentPolicy
@ -433,9 +433,9 @@ Write-Output `n'Enabling GuardDuty'
 	}
 	else
 	{
-		$detectorId = ($newGuarduty | ConvertFrom-Json).DetectorId
+		$script:detectorId = ($newGuarduty | ConvertFrom-Json).DetectorId
 	}
-	$currentDestinations = aws guardduty list-publishing-destinations --detector-id $detectorId 2>&1
+	$script:currentDestinations = aws guardduty list-publishing-destinations --detector-id $detectorId 2>&1
 })
 
 $currentDestinationsObject = $currentDestinations | ConvertFrom-Json
--- a/DataConnectors/AWS-S3/ConfigVpcFlowDataConnector.ps1
+++ b/DataConnectors/AWS-S3/ConfigVpcFlowDataConnector.ps1
@ -221,7 +221,7 @@ if($currentSqsPolicy -ne $null)
 	$currentSqsPolicyObject = $currentSqsPolicy | ConvertFrom-Json 	
 	$currentSqsPolicies = ($currentSqsPolicyObject.Attributes.Policy) | ConvertFrom-Json 
 	
-	$sqsRequiredPoliciesThatNotExistInCurrentPolicy =  $sqsRequiredPoliciesObject.Statement | Where-Object { ($_ | ConvertTo-Json) -notin ($currentSqsPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json}  )}
+	$sqsRequiredPoliciesThatNotExistInCurrentPolicy =  $sqsRequiredPoliciesObject.Statement | Where-Object { ($_ | ConvertTo-Json -Depth 5) -notin ($currentSqsPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json -Depth 5}  )}
 	if($sqsRequiredPoliciesThatNotExistInCurrentPolicy -ne $null)
 	{
 		$currentSqsPolicies.Statement += $sqsRequiredPoliciesThatNotExistInCurrentPolicy
@ -250,7 +250,7 @@ if($isBucketPolicyExist)
 	$currentBucketPolicyObject = $currentBucketPolicy | ConvertFrom-Json 	
 	$currentBucketPolicies = ($currentBucketPolicyObject.Policy) | ConvertFrom-Json 
 	 
-	$s3RequiredPolicyThatNotExistInCurrentPolicy =  $s3RequiredPolicyObject | Where-Object { ($_ | ConvertTo-Json) -notin ($currentBucketPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json}  )}
+	$s3RequiredPolicyThatNotExistInCurrentPolicy =  $s3RequiredPolicyObject | Where-Object { ($_ | ConvertTo-Json -Depth 5) -notin ($currentBucketPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json -Depth 5}  )}
 	if($s3RequiredPolicyThatNotExistInCurrentPolicy -ne $null)
 	{
 		$currentBucketPolicies.Statement += $s3RequiredPolicyThatNotExistInCurrentPolicy
--- a/DataConnectors/AWS-S3/README.md
+++ b/DataConnectors/AWS-S3/README.md
@ -0,0 +1,8 @@
+
+# AWS S3 Scripts
+The scripts under this directory can be used to configure AWS S3 connectors.
+These are optional scripts instead of set AWS configurations manually.
+
+# Script pre requirements 
+* PowerShell [Installation instructions](https://docs.microsoft.com/powershell/scripting/install/installing-powershell?view=powershell-7.1)
+* AWS CLI [Installation instructions](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html)
--- a/Networks/PaloAltoNetworks.json
+++ b/Networks/PaloAltoNetworks.json
@ -1,6 +1,6 @@
 {
    "id": "PaloAltoNetworks",
-    "title": "Palo Alto Networks",
+    "title": "Palo Alto Networks (Firewall)",
    "publisher": "Palo Alto Networks",
    "descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Azure Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.",
    "graphQueries": [
--- a/Detections/ASimAuthentication/imAuthBruteForce.yaml
+++ b/Detections/ASimAuthentication/imAuthBruteForce.yaml
@ -43,3 +43,4 @@ entityMappings:
      - identifier: Address
        columnName: IPCustomEntity
 version: 1.1.0
+kind: scheduled
--- a/Detections/ASimAuthentication/imAuthPasswordSpray.yaml
+++ b/Detections/ASimAuthentication/imAuthPasswordSpray.yaml
@ -36,4 +36,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.1.0
+version: 1.1.0
+kind: scheduled
--- a/Detections/ASimAuthentication/imAuthSigninsMultipleCountries.yaml
+++ b/Detections/ASimAuthentication/imAuthSigninsMultipleCountries.yaml
@ -38,4 +38,4 @@ entityMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
 version: 1.1.0
-
+kind: scheduled
--- a/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml
+++ b/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml
@ -50,3 +50,4 @@ entityMappings:
      - identifier: Address
        columnName: IPCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Detections/ASimDNS/imDNS_Miners.yaml
+++ b/Detections/ASimDNS/imDNS_Miners.yaml
@ -39,4 +39,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.2.0
+version: 1.2.0
+kind: scheduled
--- a/Detections/ASimDNS/imDNS_TorProxies.yaml
+++ b/Detections/ASimDNS/imDNS_TorProxies.yaml
@ -34,4 +34,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.2.0
+version: 1.2.0
+kind: scheduled
--- a/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml
+++ b/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml
@ -66,3 +66,4 @@ customDetails:
  DnsQuery: DnsQuery
  QueryType: QueryType
 version: 1.0.0
+kind: scheduled
--- a/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml
+++ b/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml
@ -34,4 +34,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.2.0
+version: 1.2.0
+kind: scheduled
--- a/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml
+++ b/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml
@ -48,4 +48,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml
+++ b/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml
@ -75,3 +75,4 @@ customDetails:
  SubType: SubType 
  DnsQuery: DnsQuery
 version: 1.0.0
+kind: scheduled
--- a/Detections/ASimFileEvent/imFileESolarWindsSunburstSupernova.yaml
+++ b/Detections/ASimFileEvent/imFileESolarWindsSunburstSupernova.yaml
@ -46,3 +46,4 @@ entityMappings:
      - identifier: Value
        columnName: FileHashCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Detections/ASimProcess/imProcess_AdFind_Usage.yaml
+++ b/Detections/ASimProcess/imProcess_AdFind_Usage.yaml
@ -53,3 +53,4 @@ entityMappings:
      - identifier: Value
        columnName: FileHashCustomEntity
 version: 1.1.0
+kind: scheduled
--- a/Detections/ASimProcess/imProcess_NOBELIUM_SuspiciousRundll32Exec.yaml
+++ b/Detections/ASimProcess/imProcess_NOBELIUM_SuspiciousRundll32Exec.yaml
@ -36,4 +36,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
-version: 1.1.0
+version: 1.1.0
+kind: scheduled
--- a/Detections/ASimProcess/imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml
+++ b/Detections/ASimProcess/imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml
@ -50,4 +50,5 @@ entityMappings:
        columnName: MD5
      - identifier: Value
        columnName: FileHashCustomEntity
-version: 1.1.0
+version: 1.1.0
+kind: scheduled
--- a/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml
+++ b/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml
@ -38,4 +38,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
-version: 1.1.0
+version: 1.1.0
+kind: scheduled
--- a/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml
+++ b/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml
@ -38,4 +38,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
-version: 1.1.0
+version: 1.1.0
+kind: scheduled
--- a/Detections/AWSCloudTrail/AWS_ChangeToRDSDatabase.yaml
+++ b/Detections/AWSCloudTrail/AWS_ChangeToRDSDatabase.yaml
@ -35,4 +35,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AWSCloudTrail/AWS_ChangeToVPC.yaml
+++ b/Detections/AWSCloudTrail/AWS_ChangeToVPC.yaml
@ -37,4 +37,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AWSCloudTrail/AWS_ClearStopChangeTrailLogs.yaml
+++ b/Detections/AWSCloudTrail/AWS_ClearStopChangeTrailLogs.yaml
@ -36,4 +36,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AWSCloudTrail/AWS_ConsoleLogonWithoutMFA.yaml
+++ b/Detections/AWSCloudTrail/AWS_ConsoleLogonWithoutMFA.yaml
@ -39,4 +39,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AWSCloudTrail/AWS_CredentialHijack.yaml
+++ b/Detections/AWSCloudTrail/AWS_CredentialHijack.yaml
@ -36,4 +36,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AWSCloudTrail/AWS_FullAdminPolicyAttachedToRolesUsersGroups.yaml
+++ b/Detections/AWSCloudTrail/AWS_FullAdminPolicyAttachedToRolesUsersGroups.yaml
@ -69,4 +69,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AWSCloudTrail/AWS_IngressEgressSecurityGroupChange.yaml
+++ b/Detections/AWSCloudTrail/AWS_IngressEgressSecurityGroupChange.yaml
@ -36,4 +36,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AWSCloudTrail/AWS_LoadBalancerSecGroupChange.yaml
+++ b/Detections/AWSCloudTrail/AWS_LoadBalancerSecGroupChange.yaml
@ -37,4 +37,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AlsidForAD/ADAttacksPathways.yaml
+++ b/Detections/AlsidForAD/ADAttacksPathways.yaml
@ -27,4 +27,5 @@ query: |
  | where MessageType == 0 and Codename in~ (codeNameList)
  | lookup kind=leftouter SeverityTable on Severity
  | order by Level
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AlsidForAD/DCShadow.yaml
+++ b/Detections/AlsidForAD/DCShadow.yaml
@ -18,4 +18,5 @@ relevantTechniques:
 query: |
    afad_parser
    | where MessageType == 2 and Codename == "DCShadow"
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AlsidForAD/DCSync.yaml
+++ b/Detections/AlsidForAD/DCSync.yaml
@ -18,4 +18,5 @@ relevantTechniques:
 query: |
    afad_parser
    | where MessageType == 2 and Codename == "DCSync"
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AlsidForAD/GoldenTicket.yaml
+++ b/Detections/AlsidForAD/GoldenTicket.yaml
@ -18,4 +18,5 @@ relevantTechniques:
 query: |
    afad_parser
    | where MessageType == 2 and Codename == "Golden Ticket"
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AlsidForAD/IndicatorsOfAttack.yaml
+++ b/Detections/AlsidForAD/IndicatorsOfAttack.yaml
@ -26,4 +26,5 @@ query: |
    | where MessageType == 2
    | lookup kind=leftouter SeverityTable on Severity
    | order by Level
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AlsidForAD/IndicatorsOfExposures.yaml
+++ b/Detections/AlsidForAD/IndicatorsOfExposures.yaml
@ -26,4 +26,5 @@ query: |
    | where MessageType == 0
    | lookup kind=leftouter SeverityTable on Severity
    | order by Level
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AlsidForAD/LSASSMemory.yaml
+++ b/Detections/AlsidForAD/LSASSMemory.yaml
@ -18,4 +18,5 @@ relevantTechniques:
 query: |
    afad_parser
    | where MessageType == 2 and Codename == "OS Credential Dumping: LSASS Memory"
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AlsidForAD/PasswordGuessing.yaml
+++ b/Detections/AlsidForAD/PasswordGuessing.yaml
@ -18,4 +18,5 @@ relevantTechniques:
 query: |
    afad_parser
    | where MessageType == 2 and Codename == "Password Guessing"
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AlsidForAD/PasswordIssues.yaml
+++ b/Detections/AlsidForAD/PasswordIssues.yaml
@ -27,4 +27,5 @@ query: |
  | where MessageType == 0 and Codename in~ (codeNameList)
  | lookup kind=leftouter SeverityTable on Severity
  | order by Level
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AlsidForAD/PasswordSpraying.yaml
+++ b/Detections/AlsidForAD/PasswordSpraying.yaml
@ -18,4 +18,5 @@ relevantTechniques:
 query: |
    afad_parser
    | where MessageType == 2 and Codename == "Password Spraying"
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AlsidForAD/PrivilegedAccountIssues.yaml
+++ b/Detections/AlsidForAD/PrivilegedAccountIssues.yaml
@ -27,4 +27,5 @@ query: |
  | where MessageType == 0 and Codename in~ (codeNameList)
  | lookup kind=leftouter SeverityTable on Severity
  | order by Level
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AlsidForAD/UserAccountIssues.yaml
+++ b/Detections/AlsidForAD/UserAccountIssues.yaml
@ -27,4 +27,5 @@ query: |
  | where MessageType == 0 and Codename in~ (codeNameList)
  | lookup kind=leftouter SeverityTable on Severity
  | order by Level
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AuditLogs/ADFSDomainTrustMods.yaml
+++ b/Detections/AuditLogs/ADFSDomainTrustMods.yaml
@ -57,4 +57,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AuditLogs/CredentialAddedAfterAdminConsent.yaml
+++ b/Detections/AuditLogs/CredentialAddedAfterAdminConsent.yaml
@ -66,4 +66,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AuditLogs/FirstAppOrServicePrincipalCredential.yaml
+++ b/Detections/AuditLogs/FirstAppOrServicePrincipalCredential.yaml
@ -55,4 +55,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AuditLogs/MailPermissionsAddedToApplication.yaml
+++ b/Detections/AuditLogs/MailPermissionsAddedToApplication.yaml
@ -54,4 +54,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml
+++ b/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml
@ -70,4 +70,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AuditLogs/MaliciousOAuthApp_PwnAuth.yaml
+++ b/Detections/AuditLogs/MaliciousOAuthApp_PwnAuth.yaml
@ -70,4 +70,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml
+++ b/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml
@ -57,4 +57,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AuditLogs/RareApplicationConsent.yaml
+++ b/Detections/AuditLogs/RareApplicationConsent.yaml
@ -78,3 +78,4 @@ entityMappings:
      - identifier: Address
        columnName: IPCustomEntity
 version: 1.1.0
+kind: scheduled
--- a/Detections/AuditLogs/SuspiciousOAuthApp_OfflineAccess.yaml
+++ b/Detections/AuditLogs/SuspiciousOAuthApp_OfflineAccess.yaml
@ -68,4 +68,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml
+++ b/Detections/AuditLogs/UseraddedtoPrivilgedGroups.yaml
@ -58,3 +58,4 @@ entityMappings:
      - identifier: FullName
        columnName: TargetUserPrincipalName
 version: 1.0.1
+kind: scheduled
--- a/Detections/AzureActivity/AADHybridHealthADFSNewServer.yaml
+++ b/Detections/AzureActivity/AADHybridHealthADFSNewServer.yaml
@ -39,4 +39,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureActivity/AADHybridHealthADFSServiceDelete.yaml
+++ b/Detections/AzureActivity/AADHybridHealthADFSServiceDelete.yaml
@ -40,4 +40,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureActivity/AADHybridHealthADFSSuspApp.yaml
+++ b/Detections/AzureActivity/AADHybridHealthADFSSuspApp.yaml
@ -45,4 +45,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
+++ b/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
@ -19,7 +19,7 @@ relevantTechniques:
  - T1496
 query: |

-  let szOperationNames = dynamic(["Microsoft.Compute/virtualMachines/write", "Microsoft.Resources/deployments/write"]);
+  let szOperationNames = dynamic(["microsoft.compute/virtualMachines/write", "microsoft.resources/deployments/write"]);
  let starttime = 7d;
  let endtime = 1d;
  AzureActivity
@ -60,4 +60,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.1.0
+kind: scheduled
--- a/Detections/AzureActivity/Creation_of_Expensive_Computes_in_Azure.yaml
+++ b/Detections/AzureActivity/Creation_of_Expensive_Computes_in_Azure.yaml
@ -21,9 +21,9 @@ relevantTechniques:
  - T1578
 query: |
  let tokens = dynamic(["416","208","128","120","96","80","72","64","48","44","40","g5","gs5","g4","gs4","nc12","nc24","nv12"]);
-  let operationList = dynamic(["Create or Update Virtual Machine", "Create Deployment"]);
+  let operationList = dynamic(["microsoft.compute/virtualmachines/write", "microsoft.resources/deployments/write"]);
  AzureActivity
-  | where OperationNameValue in (operationList)
+  | where tolower(OperationNameValue) in (operationList)
  | where ActivityStatusValue == "Accepted" 
  | where isnotempty(Properties)
  | extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))
@ -42,4 +42,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.1.0
+kind: scheduled
--- a/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
+++ b/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
@ -23,7 +23,7 @@ query: |
  // The number of operations below which an IP address is considered an unusual source of role assignment operations
  let alertOperationThreshold = 5;
  let createRoleAssignmentActivity = AzureActivity
-  | where OperationNameValue == "Create role assignment";
+  | where OperationNameValue =~ "microsoft.authorization/roleassignments/write";
  createRoleAssignmentActivity 
  | where TimeGenerated between (ago(starttime) .. ago(endtime))
  | summarize count() by CallerIpAddress, Caller
@ -31,8 +31,8 @@ query: |
  | join kind = rightanti ( 
  createRoleAssignmentActivity
  | where TimeGenerated > ago(endtime)
-  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), 
-  OperationIds = makelist(OperationId), CorrelationId = makelist(CorrelationId), ActivityCountByCallerIPAddress = count()  
+  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), 
+  OperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count()  
  by ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup
  ) on CallerIpAddress, Caller
  | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
@ -45,4 +45,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.1.0
+kind: scheduled
--- a/Detections/AzureActivity/New-CloudShell-User.yaml
+++ b/Detections/AzureActivity/New-CloudShell-User.yaml
@ -34,4 +34,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureActivity/NewResourceGroupsDeployedTo.yaml
+++ b/Detections/AzureActivity/NewResourceGroupsDeployedTo.yaml
@ -46,4 +46,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureActivity/RareOperations.yaml
+++ b/Detections/AzureActivity/RareOperations.yaml
@ -14,25 +14,24 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - CredentialAccess 
+  - CredentialAccess
  - Persistence
 relevantTechniques:
  - T1003
  - T1098
 query: |
- 
+
  let starttime = 14d;
  let endtime = 1d;
  // The number of operations below which an IP address is considered an unusual source of role assignment operations
  let alertOperationThreshold = 5;
-  let SensitiveOperationList = dynamic(
-  ["List keys", "List Storage Account Keys", "Register Subscription", "Create or Update Snapshot", "Create or Update Network Security Group"]);
+  let SensitiveOperationList =  dynamic(["microsoft.compute/snapshots/write", "microsoft.network/networksecuritygroups/write", "microsoft.storage/storageaccounts/listkeys/action"]);
  let SensitiveActivity = AzureActivity
-  | where OperationNameValue in~ (SensitiveOperationList)
+  | where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix "listkeys/action"
  | where ActivityStatusValue =~ "Succeeded";
  SensitiveActivity
  | where TimeGenerated between (ago(starttime) .. ago(endtime))
-  | summarize count() by CallerIpAddress, Caller
+  | summarize count() by CallerIpAddress, Caller, OperationNameValue
  | where count_ >= alertOperationThreshold
  | join kind = rightanti ( 
  SensitiveActivity
@ -40,7 +39,7 @@ query: |
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), 
  OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count()  
  by CallerIpAddress, Caller, OperationNameValue
-  ) on CallerIpAddress, Caller
+  ) on CallerIpAddress, Caller, OperationNameValue
  | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
 entityMappings:
  - entityType: Account
@ -51,4 +50,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.1.0
+kind: scheduled
--- a/Detections/AzureAppServices/AVScan_Failure.yaml
+++ b/Detections/AzureAppServices/AVScan_Failure.yaml
@ -20,3 +20,4 @@ entityMappings:
      - identifier: FullName
        columnName: HostCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml
+++ b/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml
@ -19,4 +19,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDevOpsAuditing/ADOAgentPoolCreatedDeleted.yaml
+++ b/Detections/AzureDevOpsAuditing/ADOAgentPoolCreatedDeleted.yaml
@ -45,4 +45,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDevOpsAuditing/ADOAuditStreamDisabled.yaml
+++ b/Detections/AzureDevOpsAuditing/ADOAuditStreamDisabled.yaml
@ -27,4 +27,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDevOpsAuditing/ADONewExtensionAdded.yaml
+++ b/Detections/AzureDevOpsAuditing/ADONewExtensionAdded.yaml
@ -30,4 +30,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDevOpsAuditing/ADOPATUsedWithBrowser.yaml
+++ b/Detections/AzureDevOpsAuditing/ADOPATUsedWithBrowser.yaml
@ -27,4 +27,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDevOpsAuditing/ADOPipelineModifiedbyNewUser.yaml
+++ b/Detections/AzureDevOpsAuditing/ADOPipelineModifiedbyNewUser.yaml
@ -54,4 +54,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDevOpsAuditing/ADORetentionReducedto0.yaml
+++ b/Detections/AzureDevOpsAuditing/ADORetentionReducedto0.yaml
@ -28,4 +28,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDevOpsAuditing/ADOSecretNotSecured.yaml
+++ b/Detections/AzureDevOpsAuditing/ADOSecretNotSecured.yaml
@ -33,4 +33,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDevOpsAuditing/ADOVariableModifiedByNewUser.yaml
+++ b/Detections/AzureDevOpsAuditing/ADOVariableModifiedByNewUser.yaml
@ -42,4 +42,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDevOpsAuditing/AzDOAdminGroupAdditions.yaml
+++ b/Detections/AzureDevOpsAuditing/AzDOAdminGroupAdditions.yaml
@ -38,4 +38,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDevOpsAuditing/AzDOHistoricPrPolicyBypassing.yaml
+++ b/Detections/AzureDevOpsAuditing/AzDOHistoricPrPolicyBypassing.yaml
@ -39,4 +39,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDevOpsAuditing/AzDOHistoricServiceConnectionAdds.yaml
+++ b/Detections/AzureDevOpsAuditing/AzDOHistoricServiceConnectionAdds.yaml
@ -58,4 +58,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDevOpsAuditing/AzDOPatSessionMisuse.yaml
+++ b/Detections/AzureDevOpsAuditing/AzDOPatSessionMisuse.yaml
@ -41,4 +41,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDevOpsAuditing/AzDOPipelineCreatedDeletedOneDay.yaml
+++ b/Detections/AzureDevOpsAuditing/AzDOPipelineCreatedDeletedOneDay.yaml
@ -56,4 +56,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: DeletingIP
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDevOpsAuditing/AzDOServiceConnectionUsage.yaml
+++ b/Detections/AzureDevOpsAuditing/AzDOServiceConnectionUsage.yaml
@ -38,4 +38,5 @@ query: |
    Type == "Build", strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_build?definitionId=', DefId),
    strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_release?_a=releases&view=mine&definitionId=', DefId))
  | extend timestamp = StartTime
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDevOpsAuditing/ExternalUpstreamSourceAddedtoAzureDevOpsFeed.yaml
+++ b/Detections/AzureDevOpsAuditing/ExternalUpstreamSourceAddedtoAzureDevOpsFeed.yaml
@ -44,4 +44,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDevOpsAuditing/NewAgentAddedToPoolbyNewUserorofNewOS.yaml
+++ b/Detections/AzureDevOpsAuditing/NewAgentAddedToPoolbyNewUserorofNewOS.yaml
@ -61,4 +61,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDevOpsAuditing/NewPAPCAPCASaddedtoADO.yaml
+++ b/Detections/AzureDevOpsAuditing/NewPAPCAPCASaddedtoADO.yaml
@ -39,4 +39,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDiagnostics/KeyVaultSensitiveOperations.yaml
+++ b/Detections/AzureDiagnostics/KeyVaultSensitiveOperations.yaml
@ -40,4 +40,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDiagnostics/KeyvaultMassSecretRetrieval.yaml
+++ b/Detections/AzureDiagnostics/KeyvaultMassSecretRetrieval.yaml
@ -52,4 +52,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDiagnostics/MaliciousWAFSessions.yaml
+++ b/Detections/AzureDiagnostics/MaliciousWAFSessions.yaml
@ -56,4 +56,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureDiagnostics/TimeSeriesKeyvaultAccessAnomaly.yaml
+++ b/Detections/AzureDiagnostics/TimeSeriesKeyvaultAccessAnomaly.yaml
@ -73,4 +73,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml
+++ b/Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml
@ -43,4 +43,5 @@ entityMappings:
    fieldMappings:
      - identifier: Url
        columnName: URLCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml
@ -33,4 +33,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml
@ -40,4 +40,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/CiscoUmbrella/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml
@ -31,4 +31,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/CiscoUmbrella/CiscoUmbrellaEmptyUserAgentDetected.yaml
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaEmptyUserAgentDetected.yaml
@ -31,4 +31,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml
@ -79,4 +79,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml
@ -32,4 +32,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/CiscoUmbrella/CiscoUmbrellaRareUserAgentDetected.yaml
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaRareUserAgentDetected.yaml
@ -37,4 +37,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml
@ -50,4 +50,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
@ -35,4 +35,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Показать больше
+++ b/Показать больше