Repackaged - Digital Guardian Data Loss Prevention

This commit is contained in:
v-rusraut 2024-07-25 15:57:03 +05:30
Родитель 4f976d7966
Коммит cf84d360e1
37 изменённых файлов: 1214 добавлений и 1059 удалений


@ -1,35 +1,38 @@
id: b52cda18-c1af-40e5-91f3-1fcbf9fa267e
name: Digital Guardian - Sensitive data transfer over insecure channel
description: |
'Detects sensitive data transfer over insecure channel.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where isnotempty(MatchedPolicies)
| where isnotempty(inspected_document)
| where NetworkApplicationProtocol =~ 'HTTP'
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
id: b52cda18-c1af-40e5-91f3-1fcbf9fa267e
name: Digital Guardian - Sensitive data transfer over insecure channel
description: |
'Detects sensitive data transfer over insecure channel.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
- connectorId: SyslogAma
datatypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where isnotempty(MatchedPolicies)
| where isnotempty(inspected_document)
| where NetworkApplicationProtocol =~ 'HTTP'
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
kind: Scheduled
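Review bot: The new `- connectorId: SyslogAma` entry spells its data-types key as `datatypes:` while the DigitalGuardianDLP entry directly above it uses `dataTypes:`; a case-sensitive consumer of `requiredDataConnectors` would treat the lowercase key as unknown, so the Syslog dependency would be recorded with no data type at all. The entry should match its sibling: `- connectorId: SyslogAma` / `  dataTypes:` / `  - Syslog`. The same mixed casing is repeated in every other analytic rule and hunting query touched by this commit (the DNS, fileshare, private-email, external-domain, bulk, multiple-incidents, SMTP-abuse, unexpected-protocol and not-blocked rules, and all of the hunting queries), so the same one-word change applies to each of them.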


@ -1,29 +1,32 @@
id: 39e25deb-49bb-4cdb-89c1-c466d596e2bd
name: Digital Guardian - Exfiltration using DNS protocol
description: |
'Detects exfiltration using DNS protocol.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where DstPortNumber == 53
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled
id: 39e25deb-49bb-4cdb-89c1-c466d596e2bd
name: Digital Guardian - Exfiltration using DNS protocol
description: |
'Detects exfiltration using DNS protocol.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
- connectorId: SyslogAma
datatypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where DstPortNumber == 53
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.1
kind: Scheduled


@ -1,33 +1,36 @@
id: f7b6ddef-c1e9-46f0-8539-dbba7fb8a5b8
name: Digital Guardian - Exfiltration to online fileshare
description: |
'Detects exfiltration to online fileshare.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
let threshold = 10;
DigitalGuardianDLPEvent
| where isnotempty(inspected_document)
| where http_url contains 'dropbox' or http_url contains 'mega.nz'
| summarize f = dcount(inspected_document) by SrcUserName, bin(TimeGenerated, 30m)
| where f >= threshold
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled
id: f7b6ddef-c1e9-46f0-8539-dbba7fb8a5b8
name: Digital Guardian - Exfiltration to online fileshare
description: |
'Detects exfiltration to online fileshare.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
- connectorId: SyslogAma
datatypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
let threshold = 10;
DigitalGuardianDLPEvent
| where isnotempty(inspected_document)
| where http_url contains 'dropbox' or http_url contains 'mega.nz'
| summarize f = dcount(inspected_document) by SrcUserName, bin(TimeGenerated, 30m)
| where f >= threshold
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.1
kind: Scheduled


@ -1,36 +1,39 @@
id: edead9b5-243a-466b-ae78-2dae32ab1117
name: Digital Guardian - Exfiltration to private email
description: |
'Detects exfiltration to private email.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where NetworkApplicationProtocol =~ 'SMTP'
| where isnotempty(inspected_document)
| extend s_user = substring(SrcUserName, 0, indexof(SrcUserName, '@'))
| extend d_user = substring(DstUserName, 0, indexof(DstUserName, '@'))
| extend s_domain = extract(@'@(.*)', 1, SrcUserName)
| extend d_domain = extract(@'@(.*)', 1, DstUserName)
| where s_domain != d_domain
| where s_user == d_user
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled
id: edead9b5-243a-466b-ae78-2dae32ab1117
name: Digital Guardian - Exfiltration to private email
description: |
'Detects exfiltration to private email.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
- connectorId: SyslogAma
datatypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where NetworkApplicationProtocol =~ 'SMTP'
| where isnotempty(inspected_document)
| extend s_user = substring(SrcUserName, 0, indexof(SrcUserName, '@'))
| extend d_user = substring(DstUserName, 0, indexof(DstUserName, '@'))
| extend s_domain = extract(@'@(.*)', 1, SrcUserName)
| extend d_domain = extract(@'@(.*)', 1, DstUserName)
| where s_domain != d_domain
| where s_user == d_user
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.1
kind: Scheduled


@ -1,35 +1,38 @@
id: a19885c8-1e44-47e3-81df-d1d109f5c92d
name: Digital Guardian - Exfiltration to external domain
description: |
'Detects exfiltration to external domain.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
let corp_domain = dynamic(['example.com']); //add all corporate domains to this list
DigitalGuardianDLPEvent
| where NetworkApplicationProtocol =~ 'SMTP'
| where isnotempty(inspected_document)
| extend s_domain = extract(@'@(.*)', 1, SrcUserName)
| extend d_domain = extract(@'@(.*)', 1, DstUserName)
| where s_domain in~ (corp_domain)
| where d_domain !in (corp_domain)
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled
id: a19885c8-1e44-47e3-81df-d1d109f5c92d
name: Digital Guardian - Exfiltration to external domain
description: |
'Detects exfiltration to external domain.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
- connectorId: SyslogAma
datatypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
let corp_domain = dynamic(['example.com']); //add all corporate domains to this list
DigitalGuardianDLPEvent
| where NetworkApplicationProtocol =~ 'SMTP'
| where isnotempty(inspected_document)
| extend s_domain = extract(@'@(.*)', 1, SrcUserName)
| extend d_domain = extract(@'@(.*)', 1, DstUserName)
| where s_domain in~ (corp_domain)
| where d_domain !in (corp_domain)
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.1
kind: Scheduled


@ -1,38 +1,41 @@
id: 5f75a873-b524-4ba5-a3b8-2c20db517148
name: Digital Guardian - Bulk exfiltration to external domain
description: |
'Detects bulk exfiltration to external domain.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
let threshold = 10;
let corp_domain = dynamic(['example.com']);
DigitalGuardianDLPEvent
| where NetworkApplicationProtocol =~ 'SMTP'
| where isnotempty(inspected_document)
| extend s_domain = extract(@'@(.*)', 1, SrcUserName)
| extend d_domain = extract(@'@(.*)', 1, DstUserName)
| where s_domain in~ (corp_domain)
| where d_domain !in (corp_domain)
| summarize f = dcount(inspected_document) by SrcUserName, DstUserName, bin(TimeGenerated, 30m)
| where f >= threshold
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled
id: 5f75a873-b524-4ba5-a3b8-2c20db517148
name: Digital Guardian - Bulk exfiltration to external domain
description: |
'Detects bulk exfiltration to external domain.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
- connectorId: SyslogAma
datatypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
let threshold = 10;
let corp_domain = dynamic(['example.com']);
DigitalGuardianDLPEvent
| where NetworkApplicationProtocol =~ 'SMTP'
| where isnotempty(inspected_document)
| extend s_domain = extract(@'@(.*)', 1, SrcUserName)
| extend d_domain = extract(@'@(.*)', 1, DstUserName)
| where s_domain in~ (corp_domain)
| where d_domain !in (corp_domain)
| summarize f = dcount(inspected_document) by SrcUserName, DstUserName, bin(TimeGenerated, 30m)
| where f >= threshold
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.1
kind: Scheduled


@ -1,32 +1,35 @@
id: e8901dac-2549-4948-b793-5197a5ed697a
name: Digital Guardian - Multiple incidents from user
description: |
'Detects multiple incidents from user.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
let threshold = 2;
DigitalGuardianDLPEvent
| where isnotempty(MatchedPolicies)
| summarize count() by SrcUserName, bin(TimeGenerated, 30m)
| where count_ >= threshold
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled
id: e8901dac-2549-4948-b793-5197a5ed697a
name: Digital Guardian - Multiple incidents from user
description: |
'Detects multiple incidents from user.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
- connectorId: SyslogAma
datatypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
let threshold = 2;
DigitalGuardianDLPEvent
| where isnotempty(MatchedPolicies)
| summarize count() by SrcUserName, bin(TimeGenerated, 30m)
| where count_ >= threshold
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.1
kind: Scheduled


@ -1,30 +1,33 @@
id: a374a933-f6c4-4200-8682-70402a9054dd
name: Digital Guardian - Possible SMTP protocol abuse
description: |
'Detects possible SMTP protocol abuse.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where NetworkApplicationProtocol =~ 'SMTP'
| where DstPortNumber != 25
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled
id: a374a933-f6c4-4200-8682-70402a9054dd
name: Digital Guardian - Possible SMTP protocol abuse
description: |
'Detects possible SMTP protocol abuse.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
- connectorId: SyslogAma
datatypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where NetworkApplicationProtocol =~ 'SMTP'
| where DstPortNumber != 25
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.1
kind: Scheduled


@ -1,29 +1,32 @@
id: a14f2f95-bbd2-4036-ad59-e3aff132b296
name: Digital Guardian - Unexpected protocol
description: |
'Detects RDP protocol usage for data transfer which is not common.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where DstPortNumber == 3389
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled
id: a14f2f95-bbd2-4036-ad59-e3aff132b296
name: Digital Guardian - Unexpected protocol
description: |
'Detects RDP protocol usage for data transfer which is not common.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
- connectorId: SyslogAma
datatypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where DstPortNumber == 3389
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.1
kind: Scheduled


@ -1,32 +1,35 @@
id: 07bca129-e7d6-4421-b489-32abade0b6a7
name: Digital Guardian - Incident with not blocked action
description: |
'Detects when incident has not block action.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where isnotempty(IncidentStatus)
| extend inc_act = split(IncidentStatus, ',')
| where inc_act has 'New'
| where inc_act !contains 'Block'
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled
id: 07bca129-e7d6-4421-b489-32abade0b6a7
name: Digital Guardian - Incident with not blocked action
description: |
'Detects when incident has not block action.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
- connectorId: SyslogAma
datatypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where isnotempty(IncidentStatus)
| extend inc_act = split(IncidentStatus, ',')
| where inc_act has 'New'
| where inc_act !contains 'Block'
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.1
kind: Scheduled


@ -1,6 +1,6 @@
{
"id": "DigitalGuardianDLP",
"title": "Digital Guardian Data Loss Prevention",
"title": "[Deprecated] Digital Guardian Data Loss Prevention",
"publisher": "Digital Guardian",
"descriptionMarkdown": "[Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.",
"additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution.",
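Review bot: The connector `title` now carries a `[Deprecated]` prefix, but `descriptionMarkdown` on the following line still presents this connector as the way to ingest Digital Guardian DLP logs and nothing in the hunk names what replaces it, so a reader of the connector gallery sees a deprecation marker with no migration path. `descriptionMarkdown` should gain a sentence stating that the connector is superseded by the Syslog via AMA connector delivered through the dependent Syslog solution, consistent with what the solution description elsewhere in this commit already says. The rest of the connector definition continues outside the hunk.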


@ -2,7 +2,7 @@
"Name": "Digital Guardian Data Loss Prevention",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent-based log collection (Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-syslog)",
"Description": "The [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
"Workbooks": [
"Workbooks/DigitalGuardian.json"
],
@ -36,9 +36,12 @@
"Data Connectors": [
"Data Connectors/Connector_DigitalGuardian_Syslog.json"
],
"dependentDomainSolutionIds": [
"azuresentinel.azure-sentinel-solution-syslog"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\DigitalGuardianDLP",
"Version": "3.0.0",
"Version": "3.0.1",
"TemplateSpec": true,
"Is1PConnector": false
}


@ -1,26 +1,29 @@
id: 444c91d4-e4b8-4adc-9b05-61fe908441b8
name: Digital Guardian - Incident domains
description: |
'Query searches for incident domains.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(http_url)
| extend u = parse_url(http_url)
| extend domain=u.Host
| summarize count() by tostring(domain), SrcUserName
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
id: 444c91d4-e4b8-4adc-9b05-61fe908441b8
name: Digital Guardian - Incident domains
description: |
'Query searches for incident domains.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
- connectorId: SyslogAma
datatypes:
- Syslog
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(http_url)
| extend u = parse_url(http_url)
| extend domain=u.Host
| summarize count() by tostring(domain), SrcUserName
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity


@ -1,24 +1,27 @@
id: 66dd7ab7-bbc0-48b7-a3b9-4e71e610df48
name: Digital Guardian - Files sent by users
description: |
'Query searches for files sent by users.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(inspected_document)
| summarize Files = makeset(inspected_document) by SrcUserName
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
id: 66dd7ab7-bbc0-48b7-a3b9-4e71e610df48
name: Digital Guardian - Files sent by users
description: |
'Query searches for files sent by users.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
- connectorId: SyslogAma
datatypes:
- Syslog
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(inspected_document)
| summarize Files = makeset(inspected_document) by SrcUserName
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity


@ -1,25 +1,28 @@
id: 83d5652c-025c-4cee-9f33-3bc114648859
name: Digital Guardian - Users' incidents
description: |
'Query searches for users' incidents.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(IncidentStatus)
| where IncidentStatus has 'New'
| summarize makeset(IncidentsUrl) by SrcUserName
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
id: 83d5652c-025c-4cee-9f33-3bc114648859
name: Digital Guardian - Users' incidents
description: |
'Query searches for users' incidents.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
- connectorId: SyslogAma
datatypes:
- Syslog
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(IncidentStatus)
| where IncidentStatus has 'New'
| summarize makeset(IncidentsUrl) by SrcUserName
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity


@ -1,24 +1,27 @@
id: 196930a4-bd79-4800-b2bb-582a8f1c8dd4
name: Digital Guardian - Insecure file transfer sources
description: |
'Query searches for insecure file transfer sources.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where NetworkApplicationProtocol in~ ('HTTP', 'FTP')
| project SrcUserName, SrcIpAddr, DstIpAddr, DstPortNumber, File=inspected_document
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
id: 196930a4-bd79-4800-b2bb-582a8f1c8dd4
name: Digital Guardian - Insecure file transfer sources
description: |
'Query searches for insecure file transfer sources.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
- connectorId: SyslogAma
datatypes:
- Syslog
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where NetworkApplicationProtocol in~ ('HTTP', 'FTP')
| project SrcUserName, SrcIpAddr, DstIpAddr, DstPortNumber, File=inspected_document
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity


@ -1,24 +1,27 @@
id: e459b709-55f7-48b6-8afc-0ae1062d3584
name: Digital Guardian - Inspected files
description: |
'Query searches for inspected files.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(inspected_document)
| project SrcUserName, DstUserName, File=inspected_document, MatchedPolicies
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
id: e459b709-55f7-48b6-8afc-0ae1062d3584
name: Digital Guardian - Inspected files
description: |
'Query searches for inspected files.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
- connectorId: SyslogAma
datatypes:
- Syslog
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(inspected_document)
| project SrcUserName, DstUserName, File=inspected_document, MatchedPolicies
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity


@ -1,25 +1,28 @@
id: ae482a2c-b4e7-46fc-aeb7-744f7aad27ea
name: Digital Guardian - New incidents
description: |
'Query searches for new incidents.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(IncidentStatus)
| extend inc_act = split(IncidentStatus, ',')
| where inc_act has 'New'
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
id: ae482a2c-b4e7-46fc-aeb7-744f7aad27ea
name: Digital Guardian - New incidents
description: |
'Query searches for new incidents.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
- connectorId: SyslogAma
datatypes:
- Syslog
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(IncidentStatus)
| extend inc_act = split(IncidentStatus, ',')
| where inc_act has 'New'
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity


@ -1,25 +1,28 @@
id: 82cba92e-fe2f-4bba-9b46-647040b24090
name: Digital Guardian - Rare destination ports
description: |
'Query searches for rare destination ports.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| summarize count() by DstIpAddr, DstPortNumber
| order by count_ asc
| top 10 by count_
| extend IPCustomEntity = DstIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
id: 82cba92e-fe2f-4bba-9b46-647040b24090
name: Digital Guardian - Rare destination ports
description: |
'Query searches for rare destination ports.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
- connectorId: SyslogAma
datatypes:
- Syslog
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| summarize count() by DstIpAddr, DstPortNumber
| order by count_ asc
| top 10 by count_
| extend IPCustomEntity = DstIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity


@ -1,30 +1,33 @@
id: 8ab2f0db-baa1-495c-a8dd-718b81d0b8c7
name: Digital Guardian - Rare network protocols
description: |
'Query searches rare network protocols.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(NetworkApplicationProtocol)
| summarize count() by SrcIpAddr, SrcUserName
| order by count_ asc
| top 10 by count_
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
id: 8ab2f0db-baa1-495c-a8dd-718b81d0b8c7
name: Digital Guardian - Rare network protocols
description: |
'Query searches rare network protocols.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
- connectorId: SyslogAma
datatypes:
- Syslog
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(NetworkApplicationProtocol)
| summarize count() by SrcIpAddr, SrcUserName
| order by count_ asc
| top 10 by count_
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity


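--- a/path-not-shown-on-page
+++ b/path-not-shown-on-page
@@ -1,26 +1,29 @@
-id: b9a69da9-1ca0-4e09-a24f-5d88d57e0402
-name: Digital Guardian - Rare Urls
-description: |
-  'Query searches for rare Urls.'
-severity: Medium
-requiredDataConnectors:
-  - connectorId: DigitalGuardianDLP
-    dataTypes:
-      - DigitalGuardianDLPEvent
-tactics:
-  - Exfiltration
-relevantTechniques:
-  - T1048
-query: |
-  DigitalGuardianDLPEvent
-  | where TimeGenerated > ago(24h)
-  | where isnotempty(http_url)
-  | summarize count() by SrcUserName, http_url
-  | order by count_ asc
-  | top 10 by count_
-  | extend AccountCustomEntity = SrcUserName
-entityMappings:
-  - entityType: Account
-    fieldMappings:
-      - identifier: Name
-        columnName: AccountCustomEntity
+id: b9a69da9-1ca0-4e09-a24f-5d88d57e0402
+name: Digital Guardian - Rare Urls
+description: |
+  'Query searches for rare Urls.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: DigitalGuardianDLP
+    dataTypes:
+      - DigitalGuardianDLPEvent
+  - connectorId: SyslogAma
+    datatypes:
+      - Syslog
+tactics:
+  - Exfiltration
+relevantTechniques:
+  - T1048
+query: |
+  DigitalGuardianDLPEvent
+  | where TimeGenerated > ago(24h)
+  | where isnotempty(http_url)
+  | summarize count() by SrcUserName, http_url
+  | order by count_ asc
+  | top 10 by count_
+  | extend AccountCustomEntity = SrcUserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity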


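--- a/path-not-shown-on-page
+++ b/path-not-shown-on-page
@@ -1,24 +1,27 @@
-id: 310433ca-67aa-406d-bbdf-c167a474b0a0
-name: Digital Guardian - Urls used
-description: |
-  'Query searches for URLs used.'
-severity: Medium
-requiredDataConnectors:
-  - connectorId: DigitalGuardianDLP
-    dataTypes:
-      - DigitalGuardianDLPEvent
-tactics:
-  - Exfiltration
-relevantTechniques:
-  - T1048
-query: |
-  DigitalGuardianDLPEvent
-  | where TimeGenerated > ago(24h)
-  | where isnotempty(http_url)
-  | project SrcUserName, DstUserName, URL=http_url, MatchedPolicies
-  | extend AccountCustomEntity = SrcUserName
-entityMappings:
-  - entityType: Account
-    fieldMappings:
-      - identifier: Name
-        columnName: AccountCustomEntity
+id: 310433ca-67aa-406d-bbdf-c167a474b0a0
+name: Digital Guardian - Urls used
+description: |
+  'Query searches for URLs used.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: DigitalGuardianDLP
+    dataTypes:
+      - DigitalGuardianDLPEvent
+  - connectorId: SyslogAma
+    datatypes:
+      - Syslog
+tactics:
+  - Exfiltration
+relevantTechniques:
+  - T1048
+query: |
+  DigitalGuardianDLPEvent
+  | where TimeGenerated > ago(24h)
+  | where isnotempty(http_url)
+  | project SrcUserName, DstUserName, URL=http_url, MatchedPolicies
+  | extend AccountCustomEntity = SrcUserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity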

Solutions/Digital Guardian Data Loss Prevention/Package/3.0.1.zip Normal file



@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/DigitalGuardianDLP/ReleaseNotes.md)\r \n There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent-based log collection (Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Digital%20Guardian%20Data%20Loss%20Prevention/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -60,14 +60,14 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the data connector for ingesting Digital Guardian Data Loss Prevention logs into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
"text": "This Solution installs the data connector for Digital Guardian Data Loss Prevention. You can get Digital Guardian Data Loss Prevention Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the DigitalGuardianDLPEvent Kusto Function alias."
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
}
},
{
@ -323,7 +323,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for incident domains. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
"text": "Query searches for incident domains. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
}
}
]
@ -337,7 +337,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for files sent by users. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
"text": "Query searches for files sent by users. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
}
}
]
@ -351,7 +351,7 @@
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for users' incidents. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
"text": "Query searches for users' incidents. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
}
}
]
@ -365,7 +365,7 @@
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for insecure file transfer sources. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
"text": "Query searches for insecure file transfer sources. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
}
}
]
@ -379,7 +379,7 @@
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for inspected files. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
"text": "Query searches for inspected files. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
}
}
]
@ -393,7 +393,7 @@
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for new incidents. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
"text": "Query searches for new incidents. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
}
}
]
@ -407,7 +407,7 @@
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for rare destination ports. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
"text": "Query searches for rare destination ports. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
}
}
]
@ -421,7 +421,7 @@
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches rare network protocols. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
"text": "Query searches rare network protocols. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
}
}
]
@ -435,7 +435,7 @@
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for rare Urls. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
"text": "Query searches for rare Urls. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
}
}
]
@ -449,7 +449,7 @@
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for URLs used. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
"text": "Query searches for URLs used. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
}
}
]
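Review bot: The parser TextBlock that reads `"The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format ..."` (which appears to be the new side of the `dataconnectors-parser-text` hunk) claims normalization that the content shipped with this commit does not support: the hunting queries in this same commit select vendor-specific columns such as `http_url`, `inspected_document` and `MatchedPolicies` rather than an ASIM schema, and the sentence replaces the only place that told users the `DigitalGuardianDLPEvent` Kusto function alias exists. I would keep the factual wording, e.g. `"text": "The solution installs a parser that transforms the ingested Syslog data. The transformed logs can be accessed using the DigitalGuardianDLPEvent Kusto Function alias."`. The ten hunting-query TextBlocks also now read `DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)`, which looks like template concatenation of two connector names rather than a sentence; a reader cannot tell which connector is required.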


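--- /dev/null
+++ b/path-not-shown-on-page
@@ -0,0 +1,32 @@
+{
+  "location": {
+    "type": "string",
+    "minLength": 1,
+    "defaultValue": "[resourceGroup().location]",
+    "metadata": {
+      "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+    }
+  },
+  "workspace-location": {
+    "type": "string",
+    "defaultValue": "",
+    "metadata": {
+      "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+    }
+  },
+  "workspace": {
+    "defaultValue": "",
+    "type": "string",
+    "metadata": {
+      "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+    }
+  },
+  "workbook1-name": {
+    "type": "string",
+    "defaultValue": "DigitalGuardianDLP",
+    "minLength": 1,
+    "metadata": {
+      "description": "Name for the workbook"
+    }
+  }
+}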
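Review bot: The `workspace` parameter has `"defaultValue": ""` and no `minLength`, unlike `location` and `workbook1-name`, so an empty workspace name passes parameter validation and only fails once the template tries to resolve the Log Analytics workspace; adding `"minLength": 1` to that object keeps the three parameters consistent. The `workspace-location` description is an ARM `[concat(...)]` expression that embeds `parameters('location')` in human-readable metadata, which looks like an arm-ttk workaround rather than an intended description; a short comment in the metadata saying so would save the next maintainer from "fixing" it. This file's purpose (test parameters vs. deployable parameters) is not visible on this page, so the severity of the missing `minLength` depends on how it is used.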


@ -1,5 +1,4 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|-------------------------------------------------------------------------------------------|
| 3.0.0 | 09-10-2023 | Fixed KQL validation failure in **Hunting Query** (Digital Guardian - Users incidents) |
| 3.0.1 | 25-07-2024 | Deprecating data connectors |
| 3.0.0 | 09-10-2023 | Fixed KQL validation failure in **Hunting Query** (Digital Guardian - Users incidents) |

