diff --git a/Detections/AlsidForAD/ADAttacksPathways.yaml b/Solutions/Alsid For AD/Analytic Rules/ADAttacksPathways.yaml
similarity index 100%
rename from Detections/AlsidForAD/ADAttacksPathways.yaml
rename to Solutions/Alsid For AD/Analytic Rules/ADAttacksPathways.yaml
diff --git a/Detections/AlsidForAD/DCShadow.yaml b/Solutions/Alsid For AD/Analytic Rules/DCShadow.yaml
similarity index 100%
rename from Detections/AlsidForAD/DCShadow.yaml
rename to Solutions/Alsid For AD/Analytic Rules/DCShadow.yaml
diff --git a/Detections/AlsidForAD/DCSync.yaml b/Solutions/Alsid For AD/Analytic Rules/DCSync.yaml
similarity index 100%
rename from Detections/AlsidForAD/DCSync.yaml
rename to Solutions/Alsid For AD/Analytic Rules/DCSync.yaml
diff --git a/Detections/AlsidForAD/GoldenTicket.yaml b/Solutions/Alsid For AD/Analytic Rules/GoldenTicket.yaml
similarity index 100%
rename from Detections/AlsidForAD/GoldenTicket.yaml
rename to Solutions/Alsid For AD/Analytic Rules/GoldenTicket.yaml
diff --git a/Detections/AlsidForAD/IndicatorsOfAttack.yaml b/Solutions/Alsid For AD/Analytic Rules/IndicatorsOfAttack.yaml
similarity index 100%
rename from Detections/AlsidForAD/IndicatorsOfAttack.yaml
rename to Solutions/Alsid For AD/Analytic Rules/IndicatorsOfAttack.yaml
diff --git a/Detections/AlsidForAD/IndicatorsOfExposures.yaml b/Solutions/Alsid For AD/Analytic Rules/IndicatorsOfExposures.yaml
similarity index 100%
rename from Detections/AlsidForAD/IndicatorsOfExposures.yaml
rename to Solutions/Alsid For AD/Analytic Rules/IndicatorsOfExposures.yaml
diff --git a/Detections/AlsidForAD/LSASSMemory.yaml b/Solutions/Alsid For AD/Analytic Rules/LSASSMemory.yaml
similarity index 100%
rename from Detections/AlsidForAD/LSASSMemory.yaml
rename to Solutions/Alsid For AD/Analytic Rules/LSASSMemory.yaml
diff --git a/Detections/AlsidForAD/PasswordGuessing.yaml b/Solutions/Alsid For AD/Analytic Rules/PasswordGuessing.yaml
similarity index 100%
rename from Detections/AlsidForAD/PasswordGuessing.yaml
rename to Solutions/Alsid For AD/Analytic Rules/PasswordGuessing.yaml
diff --git a/Detections/AlsidForAD/PasswordIssues.yaml b/Solutions/Alsid For AD/Analytic Rules/PasswordIssues.yaml
similarity index 100%
rename from Detections/AlsidForAD/PasswordIssues.yaml
rename to Solutions/Alsid For AD/Analytic Rules/PasswordIssues.yaml
diff --git a/Detections/AlsidForAD/PasswordSpraying.yaml b/Solutions/Alsid For AD/Analytic Rules/PasswordSpraying.yaml
similarity index 100%
rename from Detections/AlsidForAD/PasswordSpraying.yaml
rename to Solutions/Alsid For AD/Analytic Rules/PasswordSpraying.yaml
diff --git a/Detections/AlsidForAD/PrivilegedAccountIssues.yaml b/Solutions/Alsid For AD/Analytic Rules/PrivilegedAccountIssues.yaml
similarity index 100%
rename from Detections/AlsidForAD/PrivilegedAccountIssues.yaml
rename to Solutions/Alsid For AD/Analytic Rules/PrivilegedAccountIssues.yaml
diff --git a/Detections/AlsidForAD/UserAccountIssues.yaml b/Solutions/Alsid For AD/Analytic Rules/UserAccountIssues.yaml
similarity index 100%
rename from Detections/AlsidForAD/UserAccountIssues.yaml
rename to Solutions/Alsid For AD/Analytic Rules/UserAccountIssues.yaml
diff --git a/DataConnectors/AlsidForAD.json b/Solutions/Alsid For AD/Data Connectors/AlsidForAD.json
similarity index 99%
rename from DataConnectors/AlsidForAD.json
rename to Solutions/Alsid For AD/Data Connectors/AlsidForAD.json
index 1259c2e579..b76366d200 100644
--- a/DataConnectors/AlsidForAD.json
+++ b/Solutions/Alsid For AD/Data Connectors/AlsidForAD.json
@@ -57,7 +57,7 @@
],
"availability": {
"status": 1,
- "isPreview": true
+ "isPreview": false
},
"permissions": {
"resourceProvider": [
diff --git a/Solutions/Alsid For AD/Package/2.0.0.zip b/Solutions/Alsid For AD/Package/2.0.0.zip
new file mode 100644
index 0000000000..a6abc97837
Binary files /dev/null and b/Solutions/Alsid For AD/Package/2.0.0.zip differ
diff --git a/Solutions/Alsid For AD/Package/createUiDefinition.json b/Solutions/Alsid For AD/Package/createUiDefinition.json
new file mode 100644
index 0000000000..c478d81c95
--- /dev/null
+++ b/Solutions/Alsid For AD/Package/createUiDefinition.json
@@ -0,0 +1,319 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Alsid for AD solution for Microsoft Sentinel enables you to ingest VMWare ESXi logs into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/en-us/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (Syslog)](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog)\r\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 2, **Analytic Rules:** 12\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Alsid for Active Directory connector allows to export Alsid Indicators of Exposures, TrailFlow, and Indicators of Attacks logs to Microsoft Sentinel in real time. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-parser-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "workbooks",
+ "label": "Workbooks",
+ "subLabel": {
+ "preValidation": "Configure the workbooks",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Workbooks",
+ "elements": [
+ {
+ "name": "workbooks-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences."
+ }
+ },
+ {
+ "name": "workbooks-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
+ }
+ }
+ }
+
+ ]
+ },
+ {
+ "name": "analytics",
+ "label": "Analytics",
+ "subLabel": {
+ "preValidation": "Configure the analytics",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Analytics",
+ "elements": [
+ {
+ "name": "analytics-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+ }
+ },
+ {
+ "name": "analytics-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ }
+ }
+ },
+ {
+ "name": "analytic1",
+ "type": "Microsoft.Common.Section",
+ "label": "Alsid Active Directory attacks pathways",
+ "elements": [
+ {
+ "name": "analytic1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Searches for triggered Indicators of Exposures related to Active Directory attacks pathways"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic2",
+ "type": "Microsoft.Common.Section",
+ "label": "Alsid DCShadow",
+ "elements": [
+ {
+ "name": "analytic2-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Searches for DCShadow attacks"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic3",
+ "type": "Microsoft.Common.Section",
+ "label": "Alsid DCSync",
+ "elements": [
+ {
+ "name": "analytic3-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Searches for DCSync attacks"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic4",
+ "type": "Microsoft.Common.Section",
+ "label": "Alsid Golden Ticket",
+ "elements": [
+ {
+ "name": "analytic4-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Searches for Golden Ticket attacks"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic5",
+ "type": "Microsoft.Common.Section",
+ "label": "Alsid Indicators of Attack",
+ "elements": [
+ {
+ "name": "analytic5-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Searches for triggered Indicators of Attack"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic6",
+ "type": "Microsoft.Common.Section",
+ "label": "Alsid Indicators of Exposures",
+ "elements": [
+ {
+ "name": "analytic6-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Searches for triggered Indicators of Exposures"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic7",
+ "type": "Microsoft.Common.Section",
+ "label": "Alsid LSASS Memory",
+ "elements": [
+ {
+ "name": "analytic7-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Searches for OS Credentials dumping attacks"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic8",
+ "type": "Microsoft.Common.Section",
+ "label": "Alsid Password Guessing",
+ "elements": [
+ {
+ "name": "analytic8-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Searches for bruteforce Password Guessing attacks"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic9",
+ "type": "Microsoft.Common.Section",
+ "label": "Alsid Password issues",
+ "elements": [
+ {
+ "name": "analytic9-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Searches for triggered Indicators of Exposures related to password issues"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic10",
+ "type": "Microsoft.Common.Section",
+ "label": "Alsid Password Spraying",
+ "elements": [
+ {
+ "name": "analytic10-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Searches for Password spraying attacks"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic11",
+ "type": "Microsoft.Common.Section",
+ "label": "Alsid privileged accounts issues",
+ "elements": [
+ {
+ "name": "analytic11-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Searches for triggered Indicators of Exposures related to privileged accounts issues"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic12",
+ "type": "Microsoft.Common.Section",
+ "label": "Alsid user accounts issues",
+ "elements": [
+ {
+ "name": "analytic12-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Searches for triggered Indicators of Exposures related to user accounts issues"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]",
+ "workbook1-name": "[steps('workbooks').workbook1.workbook1-name]",
+ "workbook2-name": "[steps('workbooks').workbook2.workbook2-name]"
+ }
+ }
+}
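Review bot: The `workbook1-name` and `workbook2-name` outputs at the end of the file evaluate `steps('workbooks').workbook1.workbook1-name` and `steps('workbooks').workbook2.workbook2-name`, but the `workbooks` step above declares only the `workbooks-text` and `workbooks-link` TextBlocks, so there is no `workbook1`/`workbook2` element for those expressions to resolve against. Either add the two workbook-name input elements to that step or drop the two outputs and let the main template's `workbook1-name`/`workbook2-name` parameter defaults apply. Separately, the basics `description` says the solution "enables you to ingest VMWare ESXi logs into Microsoft Sentinel", which reads as a copy-paste from another solution; it should describe this connector, e.g. `enables you to ingest Alsid for AD Indicators of Exposure, TrailFlow and Indicators of Attack logs into Microsoft Sentinel`. The workspace dropdown's `allowedValues` builds JSON text by concatenating `item.name` into a string and calling `parse()`; workspace names are constrained by Azure naming rules so this is presumably safe, but string-built JSON is fragile and worth a second look if the filter is ever widened to other resource types.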
diff --git a/Solutions/Alsid For AD/Package/mainTemplate.json b/Solutions/Alsid For AD/Package/mainTemplate.json
new file mode 100644
index 0000000000..30e3cbe84f
--- /dev/null
+++ b/Solutions/Alsid For AD/Package/mainTemplate.json
@@ -0,0 +1,2159 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "Microsoft - support@microsoft.com",
+ "comments": "Solution template for Alsid For AD"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Alsid for AD | Indicators of Attack",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ },
+ "workbook2-name": {
+ "type": "string",
+ "defaultValue": "Alsid for AD | Indicators of Exposure",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+ },
+ "variables": {
+ "solutionId": "azuresentinel.azure-sentinel-solution-isvtesting1",
+ "_solutionId": "[variables('solutionId')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "uiConfigId1": "AlsidForAD",
+ "_uiConfigId1": "[variables('uiConfigId1')]",
+ "dataConnectorContentId1": "AlsidForAD",
+ "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
+ "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "_dataConnectorId1": "[variables('dataConnectorId1')]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-DataConnector-',variables('_dataConnectorContentId1'))]",
+ "dataConnectorVersion1": "2.0.0",
+ "parserVersion1": "2.0.0",
+ "parserContentId1": "afad_parser-Parser",
+ "_parserContentId1": "[variables('parserContentId1')]",
+ "parserName1": "afad_parser.kql",
+ "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
+ "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
+ "_parserId1": "[variables('parserId1')]",
+ "parserTemplateSpecName1": "[concat(parameters('workspace'),'-Parser-',variables('_parserContentId1'))]",
+ "workbookVersion1": "2.0.0",
+ "workbookContentId1": "AlsidIoAWorkbook",
+ "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-Workbook-',variables('_workbookContentId1'))]",
+ "_workbookContentId1": "[variables('workbookContentId1')]",
+ "workbookVersion2": "2.0.0",
+ "workbookContentId2": "AlsidIoEWorkbook",
+ "workbookId2": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId2'))]",
+ "workbookTemplateSpecName2": "[concat(parameters('workspace'),'-Workbook-',variables('_workbookContentId2'))]",
+ "_workbookContentId2": "[variables('workbookContentId2')]",
+ "analyticRuleVersion1": "2.0.0",
+ "analyticRulecontentId1": "9649e203-3cb7-47ff-89a9-42f2a5eefe31",
+ "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-AnalyticsRule-',variables('_analyticRulecontentId1'))]",
+ "analyticRuleVersion2": "2.0.0",
+ "analyticRulecontentId2": "25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c",
+ "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-AnalyticsRule-',variables('_analyticRulecontentId2'))]",
+ "analyticRuleVersion3": "2.0.0",
+ "analyticRulecontentId3": "d3c658bd-8da9-4372-82e4-aaffa922f428",
+ "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
+ "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
+ "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-AnalyticsRule-',variables('_analyticRulecontentId3'))]",
+ "analyticRuleVersion4": "2.0.0",
+ "analyticRulecontentId4": "21ab3f52-6d79-47e3-97f8-ad65f2cb29fb",
+ "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]",
+ "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]",
+ "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-AnalyticsRule-',variables('_analyticRulecontentId4'))]",
+ "analyticRuleVersion5": "2.0.0",
+ "analyticRulecontentId5": "3caa67ef-8ed3-4ab5-baf2-3850d3667f3d",
+ "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]",
+ "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]",
+ "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-AnalyticsRule-',variables('_analyticRulecontentId5'))]",
+ "analyticRuleVersion6": "2.0.0",
+ "analyticRulecontentId6": "154fde9f-ae00-4422-a8da-ef00b11da3fc",
+ "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]",
+ "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]",
+ "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-AnalyticsRule-',variables('_analyticRulecontentId6'))]",
+ "analyticRuleVersion7": "2.0.0",
+ "analyticRulecontentId7": "3acf5617-7c41-4085-9a79-cc3a425ba83a",
+ "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]",
+ "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]",
+ "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'-AnalyticsRule-',variables('_analyticRulecontentId7'))]",
+ "analyticRuleVersion8": "2.0.0",
+ "analyticRulecontentId8": "ba239935-42c2-472d-80ba-689186099ea1",
+ "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]",
+ "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]",
+ "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-AnalyticsRule-',variables('_analyticRulecontentId8'))]",
+ "analyticRuleVersion9": "2.0.0",
+ "analyticRulecontentId9": "472b7cf4-bf1a-4061-b9ab-9fe4894e3c17",
+ "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]",
+ "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]",
+ "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'-AnalyticsRule-',variables('_analyticRulecontentId9'))]",
+ "analyticRuleVersion10": "2.0.0",
+ "analyticRulecontentId10": "9e20eb4e-cc0d-4349-a99d-cad756859dfb",
+ "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]",
+ "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]",
+ "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'-AnalyticsRule-',variables('_analyticRulecontentId10'))]",
+ "analyticRuleVersion11": "2.0.0",
+ "analyticRulecontentId11": "a5fe9489-cf8b-47ae-a87e-8f3a13e4203e",
+ "_analyticRulecontentId11": "[variables('analyticRulecontentId11')]",
+ "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId11'))]",
+ "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'-AnalyticsRule-',variables('_analyticRulecontentId11'))]",
+ "analyticRuleVersion12": "2.0.0",
+ "analyticRulecontentId12": "fb9e0b51-8867-48d7-86f4-6e76f2176bf8",
+ "_analyticRulecontentId12": "[variables('analyticRulecontentId12')]",
+ "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId12'))]",
+ "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'-AnalyticsRule-',variables('_analyticRulecontentId12'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('dataConnectorTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "DataConnector"
+ },
+ "properties": {
+ "description": "Alsid For AD data connector with template",
+ "displayName": "Alsid For AD template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "DataConnector"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ ],
+ "properties": {
+ "description": "Alsid For AD data connector with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId1')]",
+ "title": "Alsid for Active Directory",
+ "publisher": "Alsid",
+ "descriptionMarkdown": "Alsid for Active Directory connector allows to export Alsid Indicators of Exposures, trailflow and Indicators of Attacks logs to Azure Sentinel in real time.\nIt provides a data parser to manipulate the logs more easily. The different workbooks ease your Active Directory monitoring and provide different ways to visualize the data. The analytic templates allow to automate responses regarding different events, exposures, or attacks.",
+ "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **afad_parser** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-alsidforad-parser) ",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "AlsidForADLog_CL",
+ "baseQuery": "AlsidForADLog_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get the number of alerts triggered by each IoE",
+ "query": "afad_parser\n | where MessageType == 0\n | summarize AlertCount = count() by Codename"
+ },
+ {
+ "description": "Get all IoE alerts with severity superior to the threshold",
+ "query": "let threshold = 2;\n let SeverityTable=datatable(Severity:string,Level:int) [\n \"low\", 1,\n \"medium\", 2,\n \"high\", 3,\n \"critical\", 4\n ];\n afad_parser\n | where MessageType == 0\n | lookup kind=leftouter SeverityTable on Severity\n | where Level >= ['threshold']"
+ },
+ {
+ "description": "Get all IoE alerts for the last 24 hours",
+ "query": "afad_parser\r\n| where MessageType == 0 and TimeGenerated > ago(1d)"
+ },
+ {
+ "description": "Get all IoE alerts for the last 7 days",
+ "query": "afad_parser\r\n| where MessageType == 0 and TimeGenerated > ago(7d)"
+ },
+ {
+ "description": "Get all IoE alerts for the last 30 days",
+ "query": "afad_parser\r\n| where MessageType == 0 and TimeGenerated > ago(30d)"
+ },
+ {
+ "description": "Get all trailflow changes for the last 24 hours",
+ "query": "afad_parser\r\n| where MessageType == 1 and TimeGenerated > ago(1d)"
+ },
+ {
+ "description": "Get all trailflow changes for the last 7 days",
+ "query": "afad_parser\r\n| where MessageType == 1 and TimeGenerated > ago(7d)"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "AlsidForADLog_CL",
+ "lastDataReceivedQuery": "AlsidForADLog_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "afad_parser\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-alsidforad-parser) to create the Kusto Functions alias, **afad_parser**"
+ },
+ {
+ "description": "You will first need a **linux Syslog** server that Alsid for AD will send logs to. Typically you can run **rsyslog** on **Ubuntu**.\n You can then configure this server as you wish, but it is recommended to be able to output AFAD logs in a separate file.\nAlternatively you can use [this Quickstart template](https://azure.microsoft.com/resources/templates/alsid-syslog-proxy/) which will deploy the Syslog server and the Microsoft agent for you. If you do use this template, you can skip step 3.",
+ "title": "1. Configure the Syslog server"
+ },
+ {
+ "description": "On your **Alsid for AD** portal, go to *System*, *Configuration* and then *Syslog*.\nFrom there you can create a new Syslog alert toward your Syslog server.\n\nOnce this is done, check that the logs are correctly gathered on your server in a seperate file (to do this, you can use the *Test the configuration* button in the Syslog alert configuration in AFAD).\nIf you used the Quickstart template, the Syslog server will by default listen on port 514 in UDP and 1514 in TCP, without TLS.",
+ "title": "2. Configure Alsid to send logs to your Syslog server"
+ },
+ {
+ "description": "You can skip this step if you used the Quickstart template in step 1",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "Choose where to install the agent:",
+ "instructionSteps": [
+ {
+ "title": "Install agent on Azure Linux Virtual Machine",
+ "description": "Select the machine to install the agent on and then click **Connect**.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "InstallAgentOnLinuxVirtualMachine"
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ },
+ {
+ "title": "Install agent on a non-Azure Linux Machine",
+ "description": "Download the agent on the relevant machine and follow the instructions.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "InstallAgentOnLinuxNonAzure"
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "3. Install and onboard the Microsoft agent for Linux"
+ },
+ {
+ "description": "Configure the agent to collect the logs.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Custom Logs**.\n2. Select **Apply below configuration to my machines** and click **Add**.\n3. Upload a sample AFAD Syslog file from the **Linux** machine running the **Syslog** server and click **Next**, for your convenience, you can find such a file [here](https://github.com/Azure/azure-quickstart-templates/blob/master/alsid-syslog-proxy/logs/AlsidForAD.log).\n4. Set the record delimiter to **New Line** if not already the case and click **Next**.\n5. Select **Linux** and enter the file path to the **Syslog** file, click **+** then **Next**. If you used the Quickstart template in step 1, the default location of the file is `/var/log/AlsidForAD.log`.\n6. Set the **Name** to *AlsidForADLog_CL* then click **Done** (Azure automatically adds *_CL* at the end of the name, there must be only one, make sure the name is not *AlsidForADLog_CL_CL*).\n\nAll of these steps are showcased [here](https://www.youtube.com/watch?v=JwV1uZSyXM4&feature=youtu.be) as an example",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "OpenSyslogSettings"
+ },
+ "type": "InstallAgent"
+ }
+ ],
+ "title": "4. Configure the logs to be collected by the agents"
+ },
+ {
+ "description": "> You should now be able to receive logs in the *AlsidForADLog_CL* table, logs data can be parse using the **afad_parser()** function, used by all query samples, workbooks and analytic templates."
+ }
+ ],
+ "metadata": {
+ "id": "12ff1831-b733-4861-a3e7-6115d20106f4",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "community"
+ },
+ "author": {
+ "name": "Alsid"
+ },
+ "support": {
+ "name": "Alsid",
+ "link": "https://www.alsid.com/contact-us/",
+ "tier": "developer"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Alsid For AD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId1')]"
+ ],
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Alsid For AD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "Alsid for Active Directory",
+ "publisher": "Alsid",
+ "descriptionMarkdown": "Alsid for Active Directory connector allows to export Alsid Indicators of Exposures, trailflow and Indicators of Attacks logs to Azure Sentinel in real time.\nIt provides a data parser to manipulate the logs more easily. The different workbooks ease your Active Directory monitoring and provide different ways to visualize the data. The analytic templates allow to automate responses regarding different events, exposures, or attacks.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "AlsidForADLog_CL",
+ "baseQuery": "AlsidForADLog_CL"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "AlsidForADLog_CL",
+ "lastDataReceivedQuery": "AlsidForADLog_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "afad_parser\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get the number of alerts triggered by each IoE",
+ "query": "afad_parser\n | where MessageType == 0\n | summarize AlertCount = count() by Codename"
+ },
+ {
+ "description": "Get all IoE alerts with severity superior to the threshold",
+ "query": "let threshold = 2;\n let SeverityTable=datatable(Severity:string,Level:int) [\n \"low\", 1,\n \"medium\", 2,\n \"high\", 3,\n \"critical\", 4\n ];\n afad_parser\n | where MessageType == 0\n | lookup kind=leftouter SeverityTable on Severity\n | where Level >= ['threshold']"
+ },
+ {
+ "description": "Get all IoE alerts for the last 24 hours",
+ "query": "afad_parser\r\n| where MessageType == 0 and TimeGenerated > ago(1d)"
+ },
+ {
+ "description": "Get all IoE alerts for the last 7 days",
+ "query": "afad_parser\r\n| where MessageType == 0 and TimeGenerated > ago(7d)"
+ },
+ {
+ "description": "Get all IoE alerts for the last 30 days",
+ "query": "afad_parser\r\n| where MessageType == 0 and TimeGenerated > ago(30d)"
+ },
+ {
+ "description": "Get all trailflow changes for the last 24 hours",
+ "query": "afad_parser\r\n| where MessageType == 1 and TimeGenerated > ago(1d)"
+ },
+ {
+ "description": "Get all trailflow changes for the last 7 days",
+ "query": "afad_parser\r\n| where MessageType == 1 and TimeGenerated > ago(7d)"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-alsidforad-parser) to create the Kusto Functions alias, **afad_parser**"
+ },
+ {
+ "description": "You will first need a **linux Syslog** server that Alsid for AD will send logs to. Typically you can run **rsyslog** on **Ubuntu**.\n You can then configure this server as you wish, but it is recommended to be able to output AFAD logs in a separate file.\nAlternatively you can use [this Quickstart template](https://azure.microsoft.com/resources/templates/alsid-syslog-proxy/) which will deploy the Syslog server and the Microsoft agent for you. If you do use this template, you can skip step 3.",
+ "title": "1. Configure the Syslog server"
+ },
+ {
+ "description": "On your **Alsid for AD** portal, go to *System*, *Configuration* and then *Syslog*.\nFrom there you can create a new Syslog alert toward your Syslog server.\n\nOnce this is done, check that the logs are correctly gathered on your server in a seperate file (to do this, you can use the *Test the configuration* button in the Syslog alert configuration in AFAD).\nIf you used the Quickstart template, the Syslog server will by default listen on port 514 in UDP and 1514 in TCP, without TLS.",
+ "title": "2. Configure Alsid to send logs to your Syslog server"
+ },
+ {
+ "description": "You can skip this step if you used the Quickstart template in step 1",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "Choose where to install the agent:",
+ "instructionSteps": [
+ {
+ "title": "Install agent on Azure Linux Virtual Machine",
+ "description": "Select the machine to install the agent on and then click **Connect**.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "InstallAgentOnLinuxVirtualMachine"
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ },
+ {
+ "title": "Install agent on a non-Azure Linux Machine",
+ "description": "Download the agent on the relevant machine and follow the instructions.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "InstallAgentOnLinuxNonAzure"
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "3. Install and onboard the Microsoft agent for Linux"
+ },
+ {
+ "description": "Configure the agent to collect the logs.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Custom Logs**.\n2. Select **Apply below configuration to my machines** and click **Add**.\n3. Upload a sample AFAD Syslog file from the **Linux** machine running the **Syslog** server and click **Next**, for your convenience, you can find such a file [here](https://github.com/Azure/azure-quickstart-templates/blob/master/alsid-syslog-proxy/logs/AlsidForAD.log).\n4. Set the record delimiter to **New Line** if not already the case and click **Next**.\n5. Select **Linux** and enter the file path to the **Syslog** file, click **+** then **Next**. If you used the Quickstart template in step 1, the default location of the file is `/var/log/AlsidForAD.log`.\n6. Set the **Name** to *AlsidForADLog_CL* then click **Done** (Azure automatically adds *_CL* at the end of the name, there must be only one, make sure the name is not *AlsidForADLog_CL_CL*).\n\nAll of these steps are showcased [here](https://www.youtube.com/watch?v=JwV1uZSyXM4&feature=youtu.be) as an example",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "OpenSyslogSettings"
+ },
+ "type": "InstallAgent"
+ }
+ ],
+ "title": "4. Configure the logs to be collected by the agents"
+ },
+ {
+ "description": "> You should now be able to receive logs in the *AlsidForADLog_CL* table, logs data can be parse using the **afad_parser()** function, used by all query samples, workbooks and analytic templates."
+ }
+ ],
+ "id": "[variables('_uiConfigId1')]",
+ "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **afad_parser** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-alsidforad-parser) "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('parserTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "Parser"
+ },
+ "properties": {
+ "description": "afad_parser.kql Data Parser with template",
+ "displayName": "afad_parser.kql Data Parser template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "Parser"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
+ ],
+ "properties": {
+ "description": "afad_parser.kql Data Parser with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('parserVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[variables('_parserName1')]",
+ "apiVersion": "2020-08-01",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "afad_parser.kql",
+ "category": "Samples",
+ "functionAlias": "afad_parser",
+ "query": "\nlet CodenameTable=datatable(Codename: string, Explanation: string) [\r\n\"test-checker-codename\", \"This is a test checker\",\r\n\"\", \"Not an alert\",\r\n\"C-ADM-ACC-USAGE\", \"Recent use of the default administrator account\",\r\n\"C-UNCONST-DELEG\", \"Dangerous delegation\",\r\n\"C-PASSWORD-DONT-EXPIRE\", \"Accounts with never expiring passwords\",\r\n\"C-USERS-CAN-JOIN-COMPUTERS\", \"Users allowed to join computers to the domain\",\r\n\"C-CLEARTEXT-PASSWORD\", \"Potential clear-text password\",\r\n\"C-PROTECTED-USERS-GROUP-UNUSED\", \"Protected Users group not used\",\r\n\"C-PASSWORD-POLICY\", \"Weak password policies are applied on users\",\r\n\"C-GPO-HARDENING\", \"Domain without computer-hardening GPOs\",\r\n\"C-LAPS-UNSECURE-CONFIG\", \"Local administrative account management\",\r\n\"C-AAD-CONNECT\", \"Verify permissions related to AAD Connect accounts\",\r\n\"C-AAD-SSO-PASSWORD\", \"Verify AAD SSO account password last change\",\r\n\"C-GPO-SD-CONSISTENCY\", \"Verify sensitive GPO objects and files permissions\",\r\n\"C-DSHEURISTICS\", \"Domain using a dangerous backward-compatibility configuration\",\r\n\"C-DOMAIN-FUNCTIONAL-LEVEL\", \"Domains have an outdated functional level\",\r\n\"C-DISABLED-ACCOUNTS-PRIV-GROUPS\", \"Disabled accounts in privileged groups\",\r\n\"C-DCSHADOW\", \"Rogue domain controllers\",\r\n\"C-DC-ACCESS-CONSISTENCY\", \"Domain controllers managed by illegitimate users\",\r\n\"C-DANGEROUS-TRUST-RELATIONSHIP\", \"Dangerous trust relationship\",\r\n\"C-DANGEROUS-SENSITIVE-PRIVILEGES\", \"Dangerous sensitive privileges\",\r\n\"C-DANG-PRIMGROUPID\", \"User Primary Group ID\",\r\n\"C-BAD-PASSWORD-COUNT\", \"Brute-force attack detection\",\r\n\"C-ADMINCOUNT-ACCOUNT-PROPS\", \"AdminCount attribute set on standard users\",\r\n\"C-ACCOUNTS-DANG-SID-HISTORY\", \"Accounts having a dangerous SID History attribute\",\r\n\"C-ABNORMAL-ENTRIES-IN-SCHEMA\", \"Dangerous rights in AD's schema\",\r\n\"C-GPOLICY-DISABLED-UNLINKED\", 
\"Unlinked, disabled or orphan GPO\",\r\n\"C-KERBEROS-CONFIG-ACCOUNT\", \"Kerberos configuration on user account\",\r\n\"C-KRBTGT-PASSWORD\", \"KDC password last change\",\r\n\"C-LAPS-UNSECURE-CONFIG\", \"Local administrative account management\",\r\n\"C-NATIVE-ADM-GROUP-MEMBERS\", \"Native administrative group members\",\r\n\"C-NETLOGON-SECURITY\", \"Unsecured configuration of Netlogon protocol\",\r\n\"C-OBSOLETE-SYSTEMS\", \"Computers running an obsolete OS\",\r\n\"C-PASSWORD-NOT-REQUIRED\", \"Account that might have an empty password\",\r\n\"C-PKI-WEAK-CRYPTO\", \"Use of weak cryptography algorithms into Active Directory PKI\",\r\n\"C-PRE-WIN2000-ACCESS-MEMBERS\", \"Accounts using a pre-Windows 2000 compatible access control\",\r\n\"C-PRIV-ACCOUNTS-SPN\", \"Privileged accounts running Kerberos services\",\r\n\"C-REVER-PWD-GPO\", \"Reversible passwords in GPO\",\r\n\"C-ROOTOBJECTS-SD-CONSISTENCY\", \"Root objects permissions allowing DCSync-like attacks\",\r\n\"C-SDPROP-CONSISTENCY\", \"Ensure SDProp consistency\",\r\n\"C-SENSITIVE-CERTIFICATES-ON-USER\", \"Ensure SDProp consistency\",\r\n\"C-SLEEPING-ACCOUNTS\", \"Sleeping accounts\",\r\n\"C-USER-PASSWORD\", \"User account using old password\",\r\n\"C-USERS-REVER-PWDS\", \"Reversible passwords\",\r\n\"DCSync\",\"The DCSync command in Mimikatz allows an attacker to pretend to be a domain controller and retrieve password hashes and encryption keys from other domain controllers, without executing any code on the target.\",\r\n\"I-DCSync\",\"The DCSync command in Mimikatz allows an attacker to pretend to be a domain controller and retrieve password hashes and encryption keys from other domain controllers, without executing any code on the target.\",\r\n\"Golden Ticket\",\"A Golden Ticket attack is a type of attack in which an adversary gains control over an Active Directory Key Distribution Service Account (KRBTGT), and uses that account to create valid Kerberos Ticket Granting Tickets 
(TGTs).\",\r\n\"I-GoldenTicket\",\"A Golden Ticket attack is a type of attack in which an adversary gains control over an Active Directory Key Distribution Service Account (KRBTGT), and uses that account to create valid Kerberos Ticket Granting Tickets (TGTs).\",\r\n\"Password Guessing\",\"A brute force password guessing attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.\",\r\n\"I-Bruteforce\",\"A brute force password guessing attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.\",\r\n\"Password Spraying\",\"Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords - also known as the \\\"low-and-slow\\\" method.\",\r\n\"I-PasswordSpraying\",\"Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords - also known as the \\\"low-and-slow\\\" method.\",\r\n\"DCShadow\",\"DCShadow is another late-stage kill chain attack that allows an attacker with privileged credentials to register a rogue domain controller in order to push changes to a domain via domain replication.\",\r\n\"I-DCShadow\",\"DCShadow is another late-stage kill chain attack that allows an attacker with privileged credentials to register a rogue domain controller in order to push changes to a domain via domain replication.\",\r\n\"OS Credential Dumping: LSASS Memory\",\"After a user logs on, attackers may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\",\r\n\"I-ProcessInjectionLsass\",\"After a user logs on, attackers may attempt to access 
credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\",\r\n\"Suspicious process\",\"Attackers can use well-known tools to exploit a vulnerability.\",\r\n\"I-ProcessExec\",\"Attackers can use well-known tools to exploit a vulnerability.\",\r\n\"Suspicious service\",\"Before or after an exploit, malicious tools might require to create a service to gain privileges or to be executed in another context.\",\r\n\"I-ServiceInstall\",\"Before or after an exploit, malicious tools might require to create a service to gain privileges or to be executed in another context.\"\r\n];\r\nlet Common = AlsidForADLog_CL\r\n| parse RawData with\r\n Time:datetime \" \"\r\n Host:string \" \"\r\n Product:string \"[\"\r\n PID:int \"]: \\\"\"\r\n MessageType:int \"\\\" \\\"\"\r\n AlertID:int \"\\\" \\\"\"\r\n Forest:string \"\\\" \\\"\"\r\n Domain:string \"\\\" \"\r\n DistinctPart:string;\r\nlet Deviances = Common\r\n| where MessageType == 0 | parse DistinctPart with \"\\\"\"\r\n Codename:string \"\\\" \\\"\"\r\n Severity:string \"\\\" \\\"\"\r\n ADObject:string \"\\\" \\\"\"\r\n DevianceID:string \"\\\" \\\"\"\r\n ProfileID:string \"\\\" \\\"\"\r\n ReasonCodename:string \"\\\" \\\"\"\r\n EventID:string \"\\\"\"\r\n Attributes:string;\r\nlet Changes = Common\r\n| where MessageType == 1\r\n| parse kind=regex DistinctPart with \"\\\"\"\r\n ADObject:string \"\\\" \\\"\"\r\n EventID:string \"\\\" \\\"\"\r\n EventType:string \"\\\" \"\r\n Attributes:string;\r\nlet Attacks = Common\r\n| where MessageType == 2\r\n| parse DistinctPart with \"\\\"\"\r\n Codename:string \"\\\" \\\"\"\r\n Severity:string \"\\\" \\\"\"\r\n SourceHostname:string \"\\\" \\\"\"\r\n SourceIP:string \"\\\" \\\"\"\r\n DestinationHostname:string \"\\\" \\\"\"\r\n DestinationIP:string \"\\\" \\\"\"\r\n Attributes:string;\r\nunion Changes, Deviances, Attacks\r\n| project-away DistinctPart, Product, _ResourceId, _SubscriptionId\r\n| lookup kind=leftouter CodenameTable on 
Codename;\r\n",
+ "version": 1,
+ "tags": [
+ {
+ "name": "description",
+ "value": "afad_parser.kql"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
+ "dependsOn": [
+ "[variables('_parserName1')]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
+ "contentId": "[variables('_parserContentId1')]",
+ "kind": "Parser",
+ "version": "[variables('parserVersion1')]",
+ "source": {
+ "name": "Alsid For AD",
+ "kind": "Solution",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2021-06-01",
+ "name": "[variables('_parserName1')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "afad_parser.kql",
+ "category": "Samples",
+ "functionAlias": "afad_parser",
+ "query": "\nlet CodenameTable=datatable(Codename: string, Explanation: string) [\r\n\"test-checker-codename\", \"This is a test checker\",\r\n\"\", \"Not an alert\",\r\n\"C-ADM-ACC-USAGE\", \"Recent use of the default administrator account\",\r\n\"C-UNCONST-DELEG\", \"Dangerous delegation\",\r\n\"C-PASSWORD-DONT-EXPIRE\", \"Accounts with never expiring passwords\",\r\n\"C-USERS-CAN-JOIN-COMPUTERS\", \"Users allowed to join computers to the domain\",\r\n\"C-CLEARTEXT-PASSWORD\", \"Potential clear-text password\",\r\n\"C-PROTECTED-USERS-GROUP-UNUSED\", \"Protected Users group not used\",\r\n\"C-PASSWORD-POLICY\", \"Weak password policies are applied on users\",\r\n\"C-GPO-HARDENING\", \"Domain without computer-hardening GPOs\",\r\n\"C-LAPS-UNSECURE-CONFIG\", \"Local administrative account management\",\r\n\"C-AAD-CONNECT\", \"Verify permissions related to AAD Connect accounts\",\r\n\"C-AAD-SSO-PASSWORD\", \"Verify AAD SSO account password last change\",\r\n\"C-GPO-SD-CONSISTENCY\", \"Verify sensitive GPO objects and files permissions\",\r\n\"C-DSHEURISTICS\", \"Domain using a dangerous backward-compatibility configuration\",\r\n\"C-DOMAIN-FUNCTIONAL-LEVEL\", \"Domains have an outdated functional level\",\r\n\"C-DISABLED-ACCOUNTS-PRIV-GROUPS\", \"Disabled accounts in privileged groups\",\r\n\"C-DCSHADOW\", \"Rogue domain controllers\",\r\n\"C-DC-ACCESS-CONSISTENCY\", \"Domain controllers managed by illegitimate users\",\r\n\"C-DANGEROUS-TRUST-RELATIONSHIP\", \"Dangerous trust relationship\",\r\n\"C-DANGEROUS-SENSITIVE-PRIVILEGES\", \"Dangerous sensitive privileges\",\r\n\"C-DANG-PRIMGROUPID\", \"User Primary Group ID\",\r\n\"C-BAD-PASSWORD-COUNT\", \"Brute-force attack detection\",\r\n\"C-ADMINCOUNT-ACCOUNT-PROPS\", \"AdminCount attribute set on standard users\",\r\n\"C-ACCOUNTS-DANG-SID-HISTORY\", \"Accounts having a dangerous SID History attribute\",\r\n\"C-ABNORMAL-ENTRIES-IN-SCHEMA\", \"Dangerous rights in AD's schema\",\r\n\"C-GPOLICY-DISABLED-UNLINKED\", 
\"Unlinked, disabled or orphan GPO\",\r\n\"C-KERBEROS-CONFIG-ACCOUNT\", \"Kerberos configuration on user account\",\r\n\"C-KRBTGT-PASSWORD\", \"KDC password last change\",\r\n\"C-LAPS-UNSECURE-CONFIG\", \"Local administrative account management\",\r\n\"C-NATIVE-ADM-GROUP-MEMBERS\", \"Native administrative group members\",\r\n\"C-NETLOGON-SECURITY\", \"Unsecured configuration of Netlogon protocol\",\r\n\"C-OBSOLETE-SYSTEMS\", \"Computers running an obsolete OS\",\r\n\"C-PASSWORD-NOT-REQUIRED\", \"Account that might have an empty password\",\r\n\"C-PKI-WEAK-CRYPTO\", \"Use of weak cryptography algorithms into Active Directory PKI\",\r\n\"C-PRE-WIN2000-ACCESS-MEMBERS\", \"Accounts using a pre-Windows 2000 compatible access control\",\r\n\"C-PRIV-ACCOUNTS-SPN\", \"Privileged accounts running Kerberos services\",\r\n\"C-REVER-PWD-GPO\", \"Reversible passwords in GPO\",\r\n\"C-ROOTOBJECTS-SD-CONSISTENCY\", \"Root objects permissions allowing DCSync-like attacks\",\r\n\"C-SDPROP-CONSISTENCY\", \"Ensure SDProp consistency\",\r\n\"C-SENSITIVE-CERTIFICATES-ON-USER\", \"Ensure SDProp consistency\",\r\n\"C-SLEEPING-ACCOUNTS\", \"Sleeping accounts\",\r\n\"C-USER-PASSWORD\", \"User account using old password\",\r\n\"C-USERS-REVER-PWDS\", \"Reversible passwords\",\r\n\"DCSync\",\"The DCSync command in Mimikatz allows an attacker to pretend to be a domain controller and retrieve password hashes and encryption keys from other domain controllers, without executing any code on the target.\",\r\n\"I-DCSync\",\"The DCSync command in Mimikatz allows an attacker to pretend to be a domain controller and retrieve password hashes and encryption keys from other domain controllers, without executing any code on the target.\",\r\n\"Golden Ticket\",\"A Golden Ticket attack is a type of attack in which an adversary gains control over an Active Directory Key Distribution Service Account (KRBTGT), and uses that account to create valid Kerberos Ticket Granting Tickets 
(TGTs).\",\r\n\"I-GoldenTicket\",\"A Golden Ticket attack is a type of attack in which an adversary gains control over an Active Directory Key Distribution Service Account (KRBTGT), and uses that account to create valid Kerberos Ticket Granting Tickets (TGTs).\",\r\n\"Password Guessing\",\"A brute force password guessing attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.\",\r\n\"I-Bruteforce\",\"A brute force password guessing attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.\",\r\n\"Password Spraying\",\"Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords - also known as the \\\"low-and-slow\\\" method.\",\r\n\"I-PasswordSpraying\",\"Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords - also known as the \\\"low-and-slow\\\" method.\",\r\n\"DCShadow\",\"DCShadow is another late-stage kill chain attack that allows an attacker with privileged credentials to register a rogue domain controller in order to push changes to a domain via domain replication.\",\r\n\"I-DCShadow\",\"DCShadow is another late-stage kill chain attack that allows an attacker with privileged credentials to register a rogue domain controller in order to push changes to a domain via domain replication.\",\r\n\"OS Credential Dumping: LSASS Memory\",\"After a user logs on, attackers may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\",\r\n\"I-ProcessInjectionLsass\",\"After a user logs on, attackers may attempt to access 
credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\",\r\n\"Suspicious process\",\"Attackers can use well-known tools to exploit a vulnerability.\",\r\n\"I-ProcessExec\",\"Attackers can use well-known tools to exploit a vulnerability.\",\r\n\"Suspicious service\",\"Before or after an exploit, malicious tools might require to create a service to gain privileges or to be executed in another context.\",\r\n\"I-ServiceInstall\",\"Before or after an exploit, malicious tools might require to create a service to gain privileges or to be executed in another context.\"\r\n];\r\nlet Common = AlsidForADLog_CL\r\n| parse RawData with\r\n Time:datetime \" \"\r\n Host:string \" \"\r\n Product:string \"[\"\r\n PID:int \"]: \\\"\"\r\n MessageType:int \"\\\" \\\"\"\r\n AlertID:int \"\\\" \\\"\"\r\n Forest:string \"\\\" \\\"\"\r\n Domain:string \"\\\" \"\r\n DistinctPart:string;\r\nlet Deviances = Common\r\n| where MessageType == 0 | parse DistinctPart with \"\\\"\"\r\n Codename:string \"\\\" \\\"\"\r\n Severity:string \"\\\" \\\"\"\r\n ADObject:string \"\\\" \\\"\"\r\n DevianceID:string \"\\\" \\\"\"\r\n ProfileID:string \"\\\" \\\"\"\r\n ReasonCodename:string \"\\\" \\\"\"\r\n EventID:string \"\\\"\"\r\n Attributes:string;\r\nlet Changes = Common\r\n| where MessageType == 1\r\n| parse kind=regex DistinctPart with \"\\\"\"\r\n ADObject:string \"\\\" \\\"\"\r\n EventID:string \"\\\" \\\"\"\r\n EventType:string \"\\\" \"\r\n Attributes:string;\r\nlet Attacks = Common\r\n| where MessageType == 2\r\n| parse DistinctPart with \"\\\"\"\r\n Codename:string \"\\\" \\\"\"\r\n Severity:string \"\\\" \\\"\"\r\n SourceHostname:string \"\\\" \\\"\"\r\n SourceIP:string \"\\\" \\\"\"\r\n DestinationHostname:string \"\\\" \\\"\"\r\n DestinationIP:string \"\\\" \\\"\"\r\n Attributes:string;\r\nunion Changes, Deviances, Attacks\r\n| project-away DistinctPart, Product, _ResourceId, _SubscriptionId\r\n| lookup kind=leftouter CodenameTable on 
Codename;\r\n",
+ "version": 1
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
+ "dependsOn": [
+ "[variables('_parserId1')]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
+ "contentId": "[variables('_parserContentId1')]",
+ "kind": "Parser",
+ "version": "[variables('parserVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Alsid For AD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('workbookTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "Workbook"
+ },
+ "properties": {
+ "description": "Alsid For AD Workbook with template",
+ "displayName": "Alsid For AD workbook template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "Workbook"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
+ ],
+ "properties": {
+ "description": "AlsidIoAWorkbook Workbook with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('workbookVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId1')]",
+ "location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "Workbook showcasing the state and evolution of your Alsid for AD Indicators of Attack alerts."
+ },
+ "properties": {
+ "displayName": "[parameters('workbook1-name')]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"be5a3a6e-51b1-4c1a-86f9-0847b3bd1dd5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\"Specify the time range on which to query the data\",\"isRequired\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":false},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"876a8c8a-7378-475b-800b-bf7560a5f80b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SamplingPeriod\",\"label\":\"Sampling Period\",\"type\":4,\"description\":\"Specify the sampling period for the time charts\",\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"afad_parser()\\r\\n| where MessageType == 2\\r\\n| summarize AlertCount 
= count() by Explanation, Codename\",\"size\":3,\"title\":\"Detected IoAs list with codenames explanations\",\"noDataMessage\":\"No alerts\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Codename\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"AlertCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"rightContent\":{\"columnMatch\":\"Explanation\"},\"showBorder\":false,\"size\":\"full\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Explanation\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"AlertCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"100\",\"name\":\"query - 4\"}]},\"name\":\"group - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"afad_parser()\\n| where MessageType == 2\\n| summarize AlertCount = count() by Codename\",\"size\":3,\"title\":\"IoAs chart\",\"noDataMessage\":\"No 
alerts\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"yAxis\":[\"AlertCount\"],\"group\":\"Codename\",\"createOtherGroup\":20,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"40\",\"name\":\"Piechart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"afad_parser\\r\\n| where MessageType == 2\\r\\n| summarize by Time, Codename, SourceHostname, SourceIP, DestinationHostname, DestinationIP\",\"size\":2,\"title\":\"Triggered IoA alerts list\",\"noDataMessage\":\"No alerts\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"DevianceID\",\"exportParameterName\":\"SelectedDevianceID\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"60\",\"showPin\":false,\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"0px\",\"padding\":\"0px\"}}]},\"name\":\"IoAs\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"afad_parser()\\r\\n| where MessageType == 2\\r\\n| summarize AlertCount = count() by Severity\",\"size\":0,\"title\":\"IoAs severity chart\",\"noDataMessage\":\"No 
alerts\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"graph\",\"graphSettings\":{\"type\":2,\"topContent\":{\"columnMatch\":\"Severity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"AlertCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"nodeIdField\":\"Severity\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"staticNodeSize\":100,\"colorSettings\":{\"nodeColorField\":\"Severity\",\"type\":1,\"colorPalette\":\"default\"},\"hivesMargin\":5}},\"customWidth\":\"25\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let threshold = 1;\\r\\nlet SeverityTable=datatable(Severity:string,Level:int) [\\r\\n\\\"low\\\", 1,\\r\\n\\\"medium\\\", 2,\\r\\n\\\"high\\\", 3,\\r\\n\\\"critical\\\", 4\\r\\n];\\r\\nafad_parser\\r\\n| where MessageType == 2 \\r\\n| lookup kind=leftouter SeverityTable on Severity\\r\\n| where Level >= ['threshold']\\r\\n| summarize Count = count() by bin(Time, {SamplingPeriod:seconds}), Severity\",\"size\":0,\"title\":\"Alerts raised over time grouped by severity\",\"noDataMessage\":\"No alerts\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"75\",\"name\":\"query - 2\"}]},\"name\":\"Severity\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-Alsid for AD | Indicators of Attack\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "version": "1.0",
+ "sourceId": "[variables('workspaceResourceId')]",
+ "category": "sentinel"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
+ "properties": {
+ "description": "@{workbookKey=AlsidIoAWorkbook; logoFileName=Alsid.svg; description=Workbook showcasing the state and evolution of your Alsid for AD Indicators of Attack alerts.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0; title=Alsid for AD | Indicators of Attack; templateRelativePath=AlsidIoA.json; subtitle=; provider=Alsid}.description",
+ "parentId": "[variables('workbookId1')]",
+ "contentId": "[variables('_workbookContentId1')]",
+ "kind": "Workbook",
+ "version": "[variables('workbookVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Alsid For AD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "AlsidForADLog_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "AlsidForAD",
+ "kind": "DataConnector"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('workbookTemplateSpecName2')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "Workbook"
+ },
+ "properties": {
+ "description": "Alsid For AD Workbook with template",
+ "displayName": "Alsid For AD workbook template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('workbookTemplateSpecName2'),'/',variables('workbookVersion2'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "Workbook"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName2'))]"
+ ],
+ "properties": {
+ "description": "AlsidIoEWorkbook Workbook with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('workbookVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId2')]",
+ "location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "Workbook showcasing the state and evolution of your Alsid for AD Indicators of Exposures alerts."
+ },
+ "properties": {
+ "displayName": "[parameters('workbook2-name')]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"be5a3a6e-51b1-4c1a-86f9-0847b3bd1dd5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\"Specify the time range on which to query the data\",\"isRequired\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":false},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"876a8c8a-7378-475b-800b-bf7560a5f80b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SamplingPeriod\",\"label\":\"Sampling Period\",\"type\":4,\"description\":\"Specify the sampling period for the time charts\",\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"c449f281-ad2e-4f64-b9cf-505a82146c64\",\"cellValue\":\"ioes\",\"linkTarget\":\"parameter\",\"linkLabel\":\"General\",\"subTarget\":\"(\\\"\\\")\",\"style\":\"link\"},{\"id\":\"6405bfad-3e9c-4a78-812c-5a41b2433ef2\",\"cellValue\":\"ioes\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Password issues\",\"subTarget\":\"(\\\"C-CLEARTEXT-PASSWORD\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-USER-REVER-PWDS\\\", \\\"C-PASSWORD-POLICY\\\", \\\"C-USER-PASSWORD\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-AAD-SSO-PASSWORD\\\", \\\"C-REVER-PWD-GPO\\\")\",\"style\":\"link\"},{\"id\":\"141c2e6f-725b-4714-93f7-51a77529ef76\",\"cellValue\":\"ioes\",\"linkTarget\":\"parameter\",\"linkLabel\":\"User accounts issues\",\"subTarget\":\"(\\\"C-ACCOUNTS-DANG-SID-HISTORY\\\", \\\"C-PRE-WIN2000-ACCESS-MEMBERS\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-SLEEPING-ACCOUNTS\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-PASSWORD-NOT-REQUIRED\\\", \\\"C-USER-PASSWORD\\\")\",\"style\":\"link\"},{\"id\":\"5dac6d08-ac9c-432b-a0e8-19fb8372ca02\",\"cellValue\":\"ioes\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Privileged accounts issues\",\"subTarget\":\"(\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-NATIVE-ADM-GROUP-MEMBERS\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-PROTECTED-USERS-GROUP-UNUSED\\\", \\\"C-ADMINCOUNT-ACCOUNT-PROPS\\\", \\\"C-ADM-ACC-USAGE\\\", \\\"C-LAPS-UNSECURE-CONFIG\\\", \\\"C-DISABLED-ACCOUNTS-PRIV-GROUPS\\\")\",\"style\":\"link\"},{\"id\":\"d8397566-9823-430b-8390-72e35196ad65\",\"cellValue\":\"ioes\",\"linkTarget\":\"parameter\",\"linkLabel\":\"AD attacks pathways\",\"subTarget\":\"(\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-SDPROP-CONSISTENCY\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-GPO-HARDENING\\\", \\\"C-DC-ACCESS-CONSISTENCY\\\", \\\"C-DANGEROUS-TRUST-RELATIONSHIP\\\", \\\"C-UNCONST-DELEG\\\", \\\"C-ABNORMAL-ENTRIES-IN-SCHEMA\\\")\",\"style\":\"link\"}]},\"customWidth\":\"50\",\"name\":\"links - 
2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"afad_parser()\\r\\n| where MessageType == 0| where MessageType == 0 and (\\\"\\\" in {ioes} or Codename in {ioes})\\r\\n| summarize AlertCount = count() by Explanation, Codename\",\"size\":3,\"title\":\"Detected IoEs list with codenames explanations\",\"noDataMessage\":\"No alerts\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Codename\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"AlertCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"rightContent\":{\"columnMatch\":\"Explanation\"},\"showBorder\":false,\"size\":\"full\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Explanation\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"AlertCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":1,\"content\":{\"json\":\"# Indicators of Exposure\\r\\nOur IoEs are behavioral detection indicators powered by the latest intelligence on the Active Directory threat landscape. 
Our team builds our IoEs from technical indicators (IOCs) and tactics, techniques and procedures (commonly referred as TTPs), and disseminate them to our users’ platforms transparently, therefore ensuring a permanent state-of-the-art detection capability.\\r\\n\\r\\n\\r\\n**Alsid for AD** measures the security maturity of your AD infrastructures through Indicators of Exposure (IoEs) and assigns severity levels (**Critical**, **High**, **Medium** or **Low**) to the constant flow of events that is being monitored and analyzed.\\r\\n\\r\\n-\\tCritical: The IoE is dealing with AD sensitive object that will lead to a full AD compromise is one of them is accessed by an illegitimate user\\r\\n-\\tHigh : The IoE is either dealing with post exploitation techniques (that could allow credential thefts for example or backdooring) or with exploitation techniques which is requiring some level of administrative right to be exploited\\r\\n\\r\\n-\\tMedium : The IoE is referencing a security issue that will have impact on business related data but without endangering the entire AD infrastructure\\r\\n\\r\\n-\\tLow: The IoE is related to good security practices. Deviances raised by this IoE have a minimal security impact on the monitored infrastructure\\r\\n\\r\\n\\r\\nFrom **Alsid for AD** interface, the **Indicators of Exposure** page displays IoE tiles arranged in the following order:\\r\\n\\r\\n- By severity level via color codes (red for Critical, orange for High, yellow for Medium and blue for Low).\\r\\n\\r\\n- Vertically, by order of severity (red for top priority and blue for least priority).\\r\\n\\r\\n- Horizontally, by order of complexity (starting with the least complex cases and ending with the most complex cases). 
The complexity indicator is dynamically computed by Alsid's platform to describe how difficult it will be for the Administration team to fix the deviant IoE.\\r\\n\\r\\n\\r\\nIn case of security regressions, **Alsid for AD** will trigger alerts.\"},\"customWidth\":\"50\",\"name\":\"text - 1\"}]},\"name\":\"group - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"afad_parser()\\r\\n| where MessageType == 0 and (\\\"\\\" in {ioes} or Codename in {ioes})\\r\\n| summarize AlertCount = count() by Severity\",\"size\":0,\"title\":\"IoEs severity chart\",\"noDataMessage\":\"No alerts\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"graph\",\"graphSettings\":{\"type\":2,\"topContent\":{\"columnMatch\":\"Severity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"AlertCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"nodeIdField\":\"Severity\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"staticNodeSize\":100,\"colorSettings\":{\"nodeColorField\":\"Severity\",\"type\":1,\"colorPalette\":\"default\"},\"hivesMargin\":5}},\"customWidth\":\"25\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let threshold = 1;\\r\\nlet SeverityTable=datatable(Severity:string,Level:int) [\\r\\n\\\"low\\\", 1,\\r\\n\\\"medium\\\", 2,\\r\\n\\\"high\\\", 3,\\r\\n\\\"critical\\\", 4\\r\\n];\\r\\nafad_parser\\r\\n| where MessageType == 0 and (\\\"\\\" in {ioes} or Codename in {ioes})\\r\\n| lookup kind=leftouter SeverityTable on Severity\\r\\n| where Level >= ['threshold']\\r\\n| summarize Count = count() by 
bin(Time, {SamplingPeriod:seconds}), Severity\",\"size\":0,\"title\":\"Alerts raised over time grouped by severity\",\"noDataMessage\":\"No alerts\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"75\",\"name\":\"query - 2\"}]},\"name\":\"Severity\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"afad_parser()\\n| where MessageType == 0| where MessageType == 0 and (\\\"\\\" in {ioes} or Codename in {ioes})\\n| summarize AlertCount = count() by Codename\",\"size\":3,\"title\":\"IoEs chart\",\"noDataMessage\":\"No alerts\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"yAxis\":[\"AlertCount\"],\"group\":\"Codename\",\"createOtherGroup\":20,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"50\",\"name\":\"Piechart\"}]},\"name\":\"group - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"afad_parser\\r\\n| where MessageType == 0 and (\\\"\\\" in {ioes} or Codename in {ioes})\\r\\n| summarize Count = count() by bin(Time, {SamplingPeriod:seconds}), Codename\",\"size\":0,\"title\":\"Number of triggered IoE alerts over time\",\"noDataMessage\":\"No 
alerts\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"afad_parser\\r\\n| where MessageType == 0 and (\\\"\\\" in {ioes} or Codename in {ioes})\\r\\n| summarize by Time, DevianceID, Explanation\",\"size\":0,\"title\":\"Triggered IoE alerts list\",\"noDataMessage\":\"No alerts\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"DevianceID\",\"exportParameterName\":\"SelectedDevianceID\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"showPin\":false,\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ID_ = dynamic({SelectedDevianceID});\\r\\nafad_parser()\\r\\n| where MessageType == 0 and tostring(DevianceID) == tostring(ID_)\\r\\n| project ADObject\",\"size\":3,\"title\":\"Impacted AD object\",\"noDataMessage\":\"Please select a deviance to show impacted AD Objects\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"AlertID\",\"exportParameterName\":\"SelectedAlertID\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ADObject\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":1,\"content\":{\"json\":\"You can select an alert to show details about it\",\"style\":\"info\"},\"name\":\"text - 
5\"}]},\"name\":\"IoEs\",\"styleSettings\":{\"showBorder\":true}}],\"fallbackResourceIds\":[\"/subscriptions/8c038010-3c7a-40c6-985f-db5e8a04e59f/resourcegroups/julien_clement-rg/providers/microsoft.operationalinsights/workspaces/eltanin-demo\"],\"fromTemplateId\":\"sentinel-Alsid for AD | Indicators of Exposure\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "version": "1.0",
+ "sourceId": "[variables('workspaceResourceId')]",
+ "category": "sentinel"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]",
+ "properties": {
+ "description": "@{workbookKey=AlsidIoEWorkbook; logoFileName=Alsid.svg; description=Workbook showcasing the state and evolution of your Alsid for AD Indicators of Exposures alerts.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0; title=Alsid for AD | Indicators of Exposure; templateRelativePath=AlsidIoE.json; subtitle=; provider=Alsid}.description",
+ "parentId": "[variables('workbookId2')]",
+ "contentId": "[variables('_workbookContentId2')]",
+ "kind": "Workbook",
+ "version": "[variables('workbookVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Alsid For AD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "AlsidForADLog_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "AlsidForAD",
+ "kind": "DataConnector"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('analyticRuleTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 1 with template",
+ "displayName": "Alsid For AD Analytics Rule template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
+ ],
+ "properties": {
+ "description": "ADAttacksPathways_AnalyticalRules Analytics Rule with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('AnalyticRulecontentId1')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Searches for triggered Indicators of Exposures related to Active Directory attacks pathways",
+ "displayName": "Alsid Active Directory attacks pathways",
+ "enabled": false,
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-PRIV-ACCOUNTS-SPN\", \"C-SDPROP-CONSISTENCY\", \"C-DANG-PRIMGROUPID\", \"C-GPO-HARDENING\", \"C-DC-ACCESS-CONSISTENCY\", \"C-DANGEROUS-TRUST-RELATIONSHIP\", \"C-UNCONST-DELEG\", \"C-ABNORMAL-ENTRIES-IN-SCHEMA\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "AlsidForADLog_CL"
+ ],
+ "connectorId": "AlsidForAD"
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 1",
+ "parentId": "[variables('analyticRuleId1')]",
+ "contentId": "[variables('_analyticRulecontentId1')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Alsid For AD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('analyticRuleTemplateSpecName2')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 2 with template",
+ "displayName": "Alsid For AD Analytics Rule template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
+ ],
+ "properties": {
+ "description": "DCShadow_AnalyticalRules Analytics Rule with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('AnalyticRulecontentId2')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Searches for DCShadow attacks",
+ "displayName": "Alsid DCShadow",
+ "enabled": false,
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"DCShadow\"\n",
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "AlsidForADLog_CL"
+ ],
+ "connectorId": "AlsidForAD"
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 2",
+ "parentId": "[variables('analyticRuleId2')]",
+ "contentId": "[variables('_analyticRulecontentId2')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Alsid For AD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('analyticRuleTemplateSpecName3')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 3 with template",
+ "displayName": "Alsid For AD Analytics Rule template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]"
+ ],
+ "properties": {
+ "description": "DCSync_AnalyticalRules Analytics Rule with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion3')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('AnalyticRulecontentId3')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Searches for DCSync attacks",
+ "displayName": "Alsid DCSync",
+ "enabled": false,
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"DCSync\"\n",
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "AlsidForADLog_CL"
+ ],
+ "connectorId": "AlsidForAD"
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 3",
+ "parentId": "[variables('analyticRuleId3')]",
+ "contentId": "[variables('_analyticRulecontentId3')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion3')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Alsid For AD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('analyticRuleTemplateSpecName4')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 4 with template",
+ "displayName": "Alsid For AD Analytics Rule template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]"
+ ],
+ "properties": {
+ "description": "GoldenTicket_AnalyticalRules Analytics Rule with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion4')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('AnalyticRulecontentId4')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Searches for Golden Ticket attacks",
+ "displayName": "Alsid Golden Ticket",
+ "enabled": false,
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"Golden Ticket\"\n",
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "AlsidForADLog_CL"
+ ],
+ "connectorId": "AlsidForAD"
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 4",
+ "parentId": "[variables('analyticRuleId4')]",
+ "contentId": "[variables('_analyticRulecontentId4')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion4')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Alsid For AD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('analyticRuleTemplateSpecName5')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 5 with template",
+ "displayName": "Alsid For AD Analytics Rule template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]"
+ ],
+ "properties": {
+ "description": "IndicatorsOfAttack_AnalyticalRules Analytics Rule with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion5')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('AnalyticRulecontentId5')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Searches for triggered Indicators of Attack",
+ "displayName": "Alsid Indicators of Attack",
+ "enabled": false,
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nafad_parser\n| where MessageType == 2\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "AlsidForADLog_CL"
+ ],
+ "connectorId": "AlsidForAD"
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 5",
+ "parentId": "[variables('analyticRuleId5')]",
+ "contentId": "[variables('_analyticRulecontentId5')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion5')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Alsid For AD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('analyticRuleTemplateSpecName6')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 6 with template",
+ "displayName": "Alsid For AD Analytics Rule template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]"
+ ],
+ "properties": {
+ "description": "IndicatorsOfExposures_AnalyticalRules Analytics Rule with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion6')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('AnalyticRulecontentId6')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Searches for triggered Indicators of Exposures",
+ "displayName": "Alsid Indicators of Exposures",
+ "enabled": false,
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nafad_parser\n| where MessageType == 0\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "AlsidForADLog_CL"
+ ],
+ "connectorId": "AlsidForAD"
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 6",
+ "parentId": "[variables('analyticRuleId6')]",
+ "contentId": "[variables('_analyticRulecontentId6')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion6')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Alsid For AD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('analyticRuleTemplateSpecName7')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 7 with template",
+ "displayName": "Alsid For AD Analytics Rule template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]"
+ ],
+ "properties": {
+ "description": "LSASSMemory_AnalyticalRules Analytics Rule with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion7')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('AnalyticRulecontentId7')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Searches for OS Credentials dumping attacks",
+ "displayName": "Alsid LSASS Memory",
+ "enabled": false,
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"OS Credential Dumping: LSASS Memory\"\n",
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "AlsidForADLog_CL"
+ ],
+ "connectorId": "AlsidForAD"
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 7",
+ "parentId": "[variables('analyticRuleId7')]",
+ "contentId": "[variables('_analyticRulecontentId7')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion7')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Alsid For AD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('analyticRuleTemplateSpecName8')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 8 with template",
+ "displayName": "Alsid For AD Analytics Rule template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]"
+ ],
+ "properties": {
+ "description": "PasswordGuessing_AnalyticalRules Analytics Rule with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion8')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('AnalyticRulecontentId8')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Searches for bruteforce Password Guessing attacks",
+ "displayName": "Alsid Password Guessing",
+ "enabled": false,
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"Password Guessing\"\n",
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "AlsidForADLog_CL"
+ ],
+ "connectorId": "AlsidForAD"
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 8",
+ "parentId": "[variables('analyticRuleId8')]",
+ "contentId": "[variables('_analyticRulecontentId8')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion8')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Alsid For AD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('analyticRuleTemplateSpecName9')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 9 with template",
+ "displayName": "Alsid For AD Analytics Rule template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]"
+ ],
+ "properties": {
+ "description": "PasswordIssues_AnalyticalRules Analytics Rule with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion9')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('AnalyticRulecontentId9')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Searches for triggered Indicators of Exposures related to password issues",
+ "displayName": "Alsid Password issues",
+ "enabled": false,
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-CLEARTEXT-PASSWORD\", \"C-PASSWORD-DONT-EXPIRE\", \"C-USER-REVER-PWDS\", \"C-PASSWORD-POLICY\", \"C-USER-PASSWORD\", \"C-KRBTGT-PASSWORD\", \"C-AAD-SSO-PASSWORD\", \"C-REVER-PWD-GPO\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "AlsidForADLog_CL"
+ ],
+ "connectorId": "AlsidForAD"
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 9",
+ "parentId": "[variables('analyticRuleId9')]",
+ "contentId": "[variables('_analyticRulecontentId9')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion9')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Alsid For AD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('analyticRuleTemplateSpecName10')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 10 with template",
+ "displayName": "Alsid For AD Analytics Rule template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('analyticRuleTemplateSpecName10'),'/',variables('analyticRuleVersion10'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]"
+ ],
+ "properties": {
+ "description": "PasswordSpraying_AnalyticalRules Analytics Rule with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion10')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('AnalyticRulecontentId10')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Searches for Password spraying attacks",
+ "displayName": "Alsid Password Spraying",
+ "enabled": false,
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"Password Spraying\"\n",
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "AlsidForADLog_CL"
+ ],
+ "connectorId": "AlsidForAD"
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]",
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 10",
+ "parentId": "[variables('analyticRuleId10')]",
+ "contentId": "[variables('_analyticRulecontentId10')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion10')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Alsid For AD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('analyticRuleTemplateSpecName11')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 11 with template",
+ "displayName": "Alsid For AD Analytics Rule template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('analyticRuleTemplateSpecName11'),'/',variables('analyticRuleVersion11'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName11'))]"
+ ],
+ "properties": {
+ "description": "PrivilegedAccountIssues_AnalyticalRules Analytics Rule with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion11')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('AnalyticRulecontentId11')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Searches for triggered Indicators of Exposures related to privileged accounts issues",
+ "displayName": "Alsid privileged accounts issues",
+ "enabled": false,
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-PRIV-ACCOUNTS-SPN\", \"C-NATIVE-ADM-GROUP-MEMBERS\", \"C-KRBTGT-PASSWORD\", \"C-PROTECTED-USERS-GROUP-UNUSED\", \"C-ADMINCOUNT-ACCOUNT-PROPS\", \"C-ADM-ACC-USAGE\", \"C-LAPS-UNSECURE-CONFIG\", \"C-DISABLED-ACCOUNTS-PRIV-GROUPS\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "AlsidForADLog_CL"
+ ],
+ "connectorId": "AlsidForAD"
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId11'),'/'))))]",
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 11",
+ "parentId": "[variables('analyticRuleId11')]",
+ "contentId": "[variables('_analyticRulecontentId11')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion11')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Alsid For AD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('analyticRuleTemplateSpecName12')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 12 with template",
+ "displayName": "Alsid For AD Analytics Rule template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('analyticRuleTemplateSpecName12'),'/',variables('analyticRuleVersion12'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName12'))]"
+ ],
+ "properties": {
+ "description": "UserAccountIssues_AnalyticalRules Analytics Rule with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion12')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('AnalyticRulecontentId12')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Searches for triggered Indicators of Exposures related to user accounts issues",
+ "displayName": "Alsid user accounts issues",
+ "enabled": false,
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-ACCOUNTS-DANG-SID-HISTORY\", \"C-PRE-WIN2000-ACCESS-MEMBERS\", \"C-PASSWORD-DONT-EXPIRE\", \"C-SLEEPING-ACCOUNTS\", \"C-DANG-PRIMGROUPID\", \"C-PASSWORD-NOT-REQUIRED\", \"C-USER-PASSWORD\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "AlsidForADLog_CL"
+ ],
+ "connectorId": "AlsidForAD"
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId12'),'/'))))]",
+ "properties": {
+ "description": "Alsid For AD Analytics Rule 12",
+ "parentId": "[variables('analyticRuleId12')]",
+ "contentId": "[variables('_analyticRulecontentId12')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion12')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Alsid For AD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "properties": {
+ "version": "2.0.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "2.0.0",
+ "contentId": "[variables('_solutionId')]",
+ "parentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Alsid For AD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "support@microsoft.com"
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ },
+ {
+ "kind": "Parser",
+ "contentId": "[variables('_parserContentId1')]",
+ "version": "[variables('parserVersion1')]"
+ },
+ {
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId1')]",
+ "version": "[variables('workbookVersion1')]"
+ },
+ {
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId2')]",
+ "version": "[variables('workbookVersion2')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId1')]",
+ "version": "[variables('analyticRuleVersion1')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId2')]",
+ "version": "[variables('analyticRuleVersion2')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId3')]",
+ "version": "[variables('analyticRuleVersion3')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId4')]",
+ "version": "[variables('analyticRuleVersion4')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId5')]",
+ "version": "[variables('analyticRuleVersion5')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId6')]",
+ "version": "[variables('analyticRuleVersion6')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId7')]",
+ "version": "[variables('analyticRuleVersion7')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId8')]",
+ "version": "[variables('analyticRuleVersion8')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId9')]",
+ "version": "[variables('analyticRuleVersion9')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId10')]",
+ "version": "[variables('analyticRuleVersion10')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId11')]",
+ "version": "[variables('analyticRuleVersion11')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId12')]",
+ "version": "[variables('analyticRuleVersion12')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2022-05-02",
+ "providers": [
+ "Alsid"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Protection",
+ "Identity"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Parsers/Alsid/afad_parser.kql b/Solutions/Alsid For AD/Parsers/afad_parser.kql.txt
similarity index 100%
rename from Parsers/Alsid/afad_parser.kql
rename to Solutions/Alsid For AD/Parsers/afad_parser.kql.txt
diff --git a/Solutions/Alsid For AD/SolutionMetadata.json b/Solutions/Alsid For AD/SolutionMetadata.json
new file mode 100644
index 0000000000..00a8a62c26
--- /dev/null
+++ b/Solutions/Alsid For AD/SolutionMetadata.json
@@ -0,0 +1,19 @@
+{
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-isvtesting1",
+ "firstPublishDate": "2022-05-02",
+ "providers": ["Alsid"],
+ "categories": {
+ "domains" : ["Security - Threat Protection","Identity"],
+ "verticals": []
+ },
+ "support": {
+ "name": "Alsid",
+ "tier": "Partner",
+ "link": "https://www.alsid.com/contact-us/"
+ }
+}
+
+
+
+
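Review bot: `"offerId": "azure-sentinel-solution-isvtesting1"` on the third line reads like a test/placeholder marketplace offer id rather than the id of the published Alsid solution; if this file drives the packaged offer, confirm the intended value before this lands, since the offer id is what ties the solution to its listing. The same `firstPublishDate`, `providers` and `categories` values are duplicated in the generated mainTemplate above (the `"firstPublishDate": "2022-05-02"` block), so if the generator does not read them from this file they can drift apart. The four trailing `+` blank lines after the closing brace are harmless but unusual for a file that is otherwise two-space indented; ending the file with a single newline would keep it consistent with the other JSON files in the solution.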
diff --git a/Solutions/Alsid For AD/Solution_AlsidForADTemplateSpec.json b/Solutions/Alsid For AD/Solution_AlsidForADTemplateSpec.json
new file mode 100644
index 0000000000..3f714c727d
--- /dev/null
+++ b/Solutions/Alsid For AD/Solution_AlsidForADTemplateSpec.json
@@ -0,0 +1,36 @@
+{
+ "Name": "Alsid For AD",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": "",
+ "Description": "Alsid for Active Directory connector allows to export Alsid Indicators of Exposures, trailflow and Indicators of Attacks logs to Microsoft Sentinel in real time.",
+ "Data Connectors": [
+ "Data Connectors/AlsidForAD.json"
+ ],
+ "Parsers": [
+ "Parsers/afad_parser.kql"
+ ],
+ "Workbooks": [
+ "Workbooks/AlsidIoA.json",
+ "Workbooks/AlsidIoE.json"
+ ],
+
+ "Analytic Rules": [
+ "Analytic Rules/ADAttacksPathways.yaml",
+ "Analytic Rules/DCShadow.yaml",
+ "Analytic Rules/DCSync.yaml",
+ "Analytic Rules/GoldenTicket.yaml",
+ "Analytic Rules/IndicatorsOfAttack.yaml",
+ "Analytic Rules/IndicatorsOfExposures.yaml",
+ "Analytic Rules/LSASSMemory.yaml",
+ "Analytic Rules/PasswordGuessing.yaml",
+ "Analytic Rules/PasswordIssues.yaml",
+ "Analytic Rules/PasswordSpraying.yaml",
+ "Analytic Rules/PrivilegedAccountIssues.yaml",
+ "Analytic Rules/UserAccountIssues.yaml"
+ ],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Alsid For AD",
+ "Version": "2.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+}
\ No newline at end of file
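Review bot: `"Parsers/afad_parser.kql"` in the `"Parsers"` array does not match the file this same commit renames to `Solutions/Alsid For AD/Parsers/afad_parser.kql.txt` (the rename hunk just above), so a packaging tool resolving the paths in this spec relative to `BasePath` would not find the parser; the entry should be `"Parsers/afad_parser.kql.txt"`, or the rename should keep the `.kql` name. `"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Alsid For AD"` is an absolute path from one contributor's machine, which makes the spec non-reproducible for anyone else running the packager; I presume the tooling expects this, but a relative or documented placeholder path would be safer. `"Author": "Microsoft - support@microsoft.com"` also appears to conflict with the `"support"` block in SolutionMetadata.json naming Alsid as the partner support contact, which is worth confirming. The file also ends without a trailing newline.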
diff --git a/Workbooks/AlsidIoA.json b/Solutions/Alsid For AD/Workbooks/AlsidIoA.json
similarity index 100%
rename from Workbooks/AlsidIoA.json
rename to Solutions/Alsid For AD/Workbooks/AlsidIoA.json
diff --git a/Workbooks/AlsidIoE.json b/Solutions/Alsid For AD/Workbooks/AlsidIoE.json
similarity index 100%
rename from Workbooks/AlsidIoE.json
rename to Solutions/Alsid For AD/Workbooks/AlsidIoE.json